git: b20883e8210e - main - mitigations.7: Describe LASS
Date: Wed, 18 Feb 2026 15:22:29 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=b20883e8210eb30c8ffba467c4bc9fce89bde6c4
commit b20883e8210eb30c8ffba467c4bc9fce89bde6c4
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-02-13 20:31:51 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-02-18 15:22:14 +0000
mitigations.7: Describe LASS
Reviewed by: kib, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55281
---
share/man/man7/mitigations.7 | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/share/man/man7/mitigations.7 b/share/man/man7/mitigations.7
index c3c6ab55c480..37a81986e372 100644
--- a/share/man/man7/mitigations.7
+++ b/share/man/man7/mitigations.7
@@ -335,8 +335,17 @@ Another feature prevents unintended reads from or writes to user space memory
from the kernel.
This also provides effective protection against NULL pointer dereferences from
kernel.
+An additional mechanism,
+Linear Address Space Separation (LASS), is available on some amd64 machines.
+LASS prevents user-mode applications from accessing kernel-mode memory,
+and the kernel from unsanctioned access to userspace memory.
+Unlike page table-based permission controls, LASS is based only on address
+values.
+As a consequence of enforcing this separation in hardware, LASS also provides
+mitigation against certain speculative-execution side-channel attacks.
.Bl -column -offset indent "Architecture" "Feature" "Access Type Prevented"
.It Sy Architecture Ta Sy Feature Ta Sy Access Type Prevented
+.It amd64 Ta LASS Ta All
.It amd64 Ta SMAP Ta Read / Write
.It amd64 Ta SMEP Ta Execute
.It arm64 Ta PAN Ta Read / Write
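Review bot: The new table row ".It amd64 Ta LASS Ta All" uses "All" where the neighbouring rows name the access types explicitly ("Read / Write", "Execute"). If "All" means read, write and execute, spelling it out as "Read / Write / Execute" would keep the column consistent and avoid the reader guessing what is included. The added paragraph also describes two directions (user mode to kernel memory, and kernel to user memory), while the table has a single "Access Type Prevented" column, so it is worth saying which direction the row refers to. Two smaller points in the added text: it writes "userspace memory" while the context line just above uses "user space memory", and "unsanctioned access" is not explained, so a short clause on what makes a kernel access sanctioned would help. Since the new text starts without a ".Pp", it renders as a continuation of the preceding paragraph; confirm that is intended.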
@@ -345,8 +354,12 @@ kernel.
.It riscv Ta - Ta Execute
.El
.Pp
-These features are automatically used by the kernel.
-There is no user-facing configuration.
+Most of these features are automatically used by the kernel,
+with no user-facing configuration.
+LASS is controlled by the
+.Va hw.lass
+loader tunable.
+It is enabled by default, when available.
.\"
.Ss Capsicum
Capsicum is a lightweight OS capability and sandbox framework.
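Review bot: The added text on hw.lass ("LASS is controlled by the .Va hw.lass loader tunable. It is enabled by default, when available.") does not say which value disables the feature or how an administrator can tell whether the hardware supports it and whether it is currently active. Since this is now the only item in this subsection with user-facing configuration, stating the accepted values and adding an ".Xr loader.conf 5" reference would make the paragraph actionable. "Most of these features" is also vague when the text names only one exception; "All of these features except LASS" would be more precise. The comma in "enabled by default, when available" can be dropped.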