Re: [PATCH bpf-next] bpf: Inherit system settings for CPU security mitigations

On 10/6/23 1:30 AM, KP Singh wrote:
> On Thu, Oct 5, 2023 at 8:02 PM Song Liu <song@xxxxxxxxxx> wrote:
>> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
>>>
>>> Currently, there exists a system-wide setting related to CPU security
>>> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
>>> deactivates all optional CPU mitigations. Therefore, if we implement a
>>> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
>>> v1 and Spectre v4 in the BPF subsystem.
>>>
>>> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
>>> architectures, though it is not currently exported. For the time being,
>>> let's disregard it.

From reading, the cpu_mitigations_off() is a more generic toggle to turn these
generally off, so going via cpu_mitigations_off() is fine in our case and does
not leave some corner cases behind. I presume you mean above that in future the
BPF side could respect some more fine-tuned settings, though it probably might
need some more coordination wrt archs to abstract sth generic out of it.

>>> This idea emerged during our discussion about potential Spectre v1 attacks
>>> with Luis[1].
>>>
>>> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@xxxxxxxxxxxxx/
>>>
>>> Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
>>> Cc: Luis Gerhorst <gerhorst@xxxxxxxxx>
>>
>> Acked-by: Song Liu <song@xxxxxxxxxx>
>
> Acked-by: KP Singh <kpsingh@xxxxxxxxxx>

Thanks,
Daniel