Re: [PATCH bpf-next] bpf: Inherit system settings for CPU security mitigations

On 10/05, Yafang Shao wrote:
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
> 
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
> 
> This idea emerged during our discussion about potential Spectre v1 attacks
> with Luis[1].
> 
> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@xxxxxxxxxxxxx/

Based on the discussion from [1]:

Acked-by: Stanislav Fomichev <sdf@xxxxxxxxxx>

> Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
> Cc: Luis Gerhorst <gerhorst@xxxxxxxxx>
> ---
>  include/linux/bpf.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index a82efd34b741..61bde4520f5c 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
>  
>  static inline bool bpf_bypass_spec_v1(void)
>  {
> -	return perfmon_capable();
> +	return perfmon_capable() || cpu_mitigations_off();
>  }
>  
>  static inline bool bpf_bypass_spec_v4(void)
>  {
> -	return perfmon_capable();
> +	return perfmon_capable() || cpu_mitigations_off();
>  }
>  
>  int bpf_map_new_fd(struct bpf_map *map, int flags);
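Review bot: the hunk adds calls to cpu_mitigations_off() inside two inline functions in include/linux/bpf.h but adds no #include; cpu_mitigations_off() is declared in <linux/cpu.h>, so unless bpf.h already pulls that header in, a translation unit that includes bpf.h without linux/cpu.h will fail to compile. Please confirm the include is already present or add it. Two smaller points: a one-line comment above bpf_bypass_spec_v1()/bpf_bypass_spec_v4() stating that 'mitigations=off' now disables the verifier's Spectre v1 and v4 hardening for every program, not only perfmon-capable ones, would document the behaviour where it is implemented; and the 'mitigations=' entry in Documentation/admin-guide/kernel-parameters.txt should gain a mention of the BPF verifier, since the commit message's stated intent is that the system-wide switch covers the BPF subsystem.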
> -- 
> 2.30.1 (Apple Git-130)
> 
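The check below is an added example for operators, not code from the patch or from anyone in this thread. It shows what the change means on a running system: with the patch applied, a kernel booted with 'mitigations=off' makes bpf_bypass_spec_v1()/v4() return true for every program, so the verifier's Spectre v1/v4 hardening is skipped. Whether untrusted code can reach that path depends on the kernel.unprivileged_bpf_disabled sysctl (0 = unprivileged BPF allowed, 1 = disabled permanently, 2 = disabled until reboot); that sysctl and the last-occurrence-wins parsing of 'mitigations=' are standard kernel behaviour, not something stated on this page. The function names and output labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the patch or the mailing-list thread.
# Classifies the BPF Spectre v1/v4 hardening state of a kernel from its
# command line and the kernel.unprivileged_bpf_disabled sysctl (0 = unprivileged
# BPF allowed, 1 = disabled permanently, 2 = disabled until reboot).

# Print the effective value of the mitigations= parameter from a kernel
# command line ($1). The kernel applies the last occurrence, so later tokens
# override earlier ones; "auto" is the default when the parameter is absent.
mitigations_mode() {
    mode=auto
    for tok in $1; do
        case "$tok" in
            mitigations=*) mode="${tok#mitigations=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Classify the hardening state given a kernel command line ($1) and the value
# of kernel.unprivileged_bpf_disabled ($2). Prints one of:
#   enforced          - cpu_mitigations_off() is false: the verifier still
#                       hardens programs that are not perfmon-capable
#   bypassed-privonly - hardening bypassed for all programs, but only
#                       privileged users can load programs
#   bypassed-unpriv   - hardening bypassed and unprivileged BPF is allowed,
#                       so untrusted programs get no Spectre v1/v4 hardening
bpf_spectre_state() {
    if [ "$(mitigations_mode "$1")" != off ]; then
        echo enforced
    elif [ "$2" = 0 ]; then
        echo bypassed-unpriv
    else
        echo bypassed-privonly
    fi
}

# When run directly on a Linux host, report the live state.
if [ -r /proc/cmdline ] && [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    bpf_spectre_state "$(cat /proc/cmdline)" \
                      "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
fi
```

The split into two functions is deliberate: mitigations_mode() reproduces the kernel's own rule (last 'mitigations=' token wins, 'off' is the only value that makes cpu_mitigations_off() true; 'auto' and 'auto,nosmt' do not), and bpf_spectre_state() layers the unprivileged-BPF question on top, which is what decides whether the bypass widens exposure to untrusted code.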