Re: [PATCH bpf-next] bpf: Inherit system settings for CPU security mitigations

On Fri, Oct 20, 2023 at 8:42 AM Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
>
> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > Currently, there exists a system-wide setting related to CPU security
> > mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> > deactivates all optional CPU mitigations. Therefore, if we implement a
> > system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> > v1 and Spectre v4 in the BPF subsystem.
> >
> > Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> > architectures, though it is not currently exported. For the time being,
> > let's disregard it.
> >
> > This idea emerged during our discussion about potential Spectre v1 attacks
> > with Luis[1].
> >
> > [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@xxxxxxxxxxxxx/
> >
> > Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
> > Cc: Luis Gerhorst <gerhorst@xxxxxxxxx>
> > ---
> >  include/linux/bpf.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index a82efd34b741..61bde4520f5c 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
> >
> >  static inline bool bpf_bypass_spec_v1(void)
> >  {
> > -       return perfmon_capable();
> > +       return perfmon_capable() || cpu_mitigations_off();
> >  }
> >
> >  static inline bool bpf_bypass_spec_v4(void)
> >  {
> > -       return perfmon_capable();
> > +       return perfmon_capable() || cpu_mitigations_off();
> >  }
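Review bot: in both bpf_bypass_spec_v1() and bpf_bypass_spec_v4() the added `|| cpu_mitigations_off()` only reflects the global `mitigations=off` boot parameter, so a system that has disabled the Spectre v1 or v4 mitigation individually (the `nospectre_v1` case the commit message itself sets aside) still gets the full verifier treatment, while a system booted with `mitigations=off` now skips the Spectre v1 and v4 verifier handling for every program, not only for perfmon_capable() ones, which is also why the `test_progs -t verifier` tests that expect that handling fail under `mitigations=off`. Suggest tying each helper to the state of its own mitigation rather than to the single global flag once such a query exists, keeping the two checks separate so they can diverge, and adding a comment above each helper stating that the bypass currently tracks only the command-line override so the limitation is visible to readers of bpf.h.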
>
> Yafang,
>
> this patch breaks several
> test_progs -t verifier

Sorry, I missed that.

>
> tests when system is booted with mitigations=off command line.
>
> Please follow up with a patch to fix this.

Will do it.

>
> As you noticed cpu_mitigations_off() is not quite right here.
> The system might have booted without that command line, but
> spec_v1 and spec_v4 mitigations are turned off.
> Unfortunately there is no good way to check that atm.
> Have you seen this patch set ?
> https://lore.kernel.org/all/20231019181158.1982205-1-leitao@xxxxxxxxxx/
> Please take a look at it and comment if you think it will help.

Thanks for your information. Will take a look.

>
> In the meantime please fix test_progs -t verifier

Sure.

-- 
Regards
Yafang
