This improves the expressiveness of unprivileged BPF by inserting
speculation barriers instead of rejecting the programs.

The approach was presented at LPC'24:
https://lpc.events/event/18/contributions/1954/ ("Mitigating Spectre-PHT
using Speculation Barriers in Linux eBPF") and RAID'24:
https://arxiv.org/pdf/2405.00078 ("VeriFence: Lightweight and Precise
Spectre Defenses for Untrusted Linux Kernel Extensions").

Goal of this RFC is to get feedback on the approach and the structuring
into commits.

TODOs to be fixed for final version:

* actually emit arm64 barrier
* fix unexpected_load_success from test_progs for "bpf: Fall back to
  nospec for sanitization-failures"
* use bpf-next as base commit

Luis Gerhorst (9):
  bpf/arm64: Unset bypass_spec_v4() instead of ignoring BPF_NOSPEC
  bpf: Refactor do_check() if/else into do_check_insn()
  bpf: Return EFAULT on misconfigurations
  bpf: Return EFAULT on internal errors
  bpf: Fall back to nospec if v1 verification fails
  bpf: Allow nospec-protected var-offset stack access
  bpf: Refactor push_stack to return error code
  bpf: Fall back to nospec for sanitization-failures
  bpf: Cut speculative path verification short

 arch/arm64/net/bpf_jit_comp.c                 |  10 +-
 include/linux/bpf.h                           |  14 +-
 include/linux/bpf_verifier.h                  |   3 +-
 kernel/bpf/core.c                             |  17 +-
 kernel/bpf/verifier.c                         | 832 ++++++++++--------
 .../selftests/bpf/progs/verifier_and.c        |   3 +-
 .../selftests/bpf/progs/verifier_bounds.c     |  30 +-
 .../selftests/bpf/progs/verifier_movsx.c      |   6 +-
 .../selftests/bpf/progs/verifier_unpriv.c     |   3 +-
 .../bpf/progs/verifier_value_ptr_arith.c      |  11 +-
 10 files changed, 520 insertions(+), 409 deletions(-)


base-commit: d082ecbc71e9e0bf49883ee4afd435a77a5101b6
-- 
2.48.1
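The following is an added user-space illustration of what "insert a
speculation barrier instead of rejecting the program" means for the
Spectre-PHT (bounds-check bypass) pattern the series targets. It is not
code from this RFC or from the kernel tree. The function names, the
constructed `table`/`probe` arrays and the arm64 barrier sequence are
assumptions made for this example; only the x86-64 `lfence` corresponds to
what the x86 BPF JIT emits for BPF_NOSPEC today.

```c
/* Added example, not part of the RFC: a user-space model of the
 * Spectre-PHT gadget the BPF verifier must handle, shown unprotected
 * and with a speculation barrier placed where BPF_NOSPEC would go. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical speculation barrier for the host ISA. x86-64: the lfence
 * the x86 BPF JIT emits for BPF_NOSPEC. arm64: "dsb sy; isb" is an
 * assumption for this example (the cover letter lists emitting the arm64
 * barrier as a TODO). Any other target gets only a compiler barrier,
 * which does NOT stop speculation. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
	__asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
	__asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
	__asm__ __volatile__("" ::: "memory");
#endif
}

#define TABLE_LEN 8
/* Constructed data: the array a program is allowed to index ... */
static const uint8_t table[TABLE_LEN] = {10, 20, 30, 40, 50, 60, 70, 80};
/* ... and a cache side-channel target touched with the loaded value. */
static volatile uint8_t probe[256 * 64];

/* Architecturally correct bounds check, but the CPU may speculate past
 * the branch, load table[idx] for an out-of-bounds idx and encode it into
 * probe[]. For unprivileged BPF the verifier rejects a program when it
 * cannot prove the speculative path safe. */
int lookup_unprotected(size_t idx)
{
	if (idx >= TABLE_LEN)
		return -1;
	probe[table[idx] * 64] = 1;	/* the leaking access */
	return table[idx];
}

/* Same program with a barrier at the point a BPF_NOSPEC would be
 * inserted: later instructions do not execute until the branch has
 * resolved, so the out-of-bounds load is never issued speculatively. */
int lookup_nospec(size_t idx)
{
	if (idx >= TABLE_LEN)
		return -1;
	speculation_barrier();
	probe[table[idx] * 64] = 1;	/* now only on the architectural path */
	return table[idx];
}

/* Variable-offset stack access, the shape named by "bpf: Allow
 * nospec-protected var-offset stack access": the offset is checked and
 * the barrier keeps the speculative path from reading outside the frame. */
int stack_var_off(size_t off)
{
	uint8_t frame[16];

	for (size_t i = 0; i < sizeof(frame); i++)
		frame[i] = (uint8_t)i;
	if (off >= sizeof(frame))
		return -1;
	speculation_barrier();
	return frame[off];
}

int main(void)
{
	printf("lookup_unprotected(3) = %d\n", lookup_unprotected(3));
	printf("lookup_nospec(3)      = %d\n", lookup_nospec(3));
	printf("lookup_nospec(100)    = %d\n", lookup_nospec(100));
	printf("stack_var_off(5)      = %d\n", stack_var_off(5));
	return 0;
}
```

Both variants return identical architectural results; the difference is
only on the mispredicted path, which is why a test like the one above
cannot observe it and why the verifier has to reason about it statically.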