arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting

From: James Morse <james.morse@xxxxxxx>

commit 58c9a5060cb7cd529d49c93954cdafe81c1d642a upstream.

The mitigations for Spectre-BHB are only applied when an exception is
taken from user-space. The mitigation status is reported via the spectre_v2
sysfs vulnerabilities file.

When unprivileged eBPF is enabled the mitigation in the exception vectors
can be avoided by an eBPF program.

When unprivileged eBPF is enabled, print a warning and report vulnerable
via the sysfs vulnerabilities file.

Acked-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Signed-off-by: James Morse <james.morse@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/arm64/kernel/proton-pack.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -18,6 +18,7 @@
  */
 
 #include <linux/arm-smccc.h>
+#include <linux/bpf.h>
 #include <linux/cpu.h>
 #include <linux/device.h>
 #include <linux/nospec.h>
@@ -111,6 +112,15 @@ static const char *get_bhb_affected_stri
 	}
 }
 
+static bool _unprivileged_ebpf_enabled(void)
+{
+#ifdef CONFIG_BPF_SYSCALL
+	return !sysctl_unprivileged_bpf_disabled;
+#else
+	return false;
+#endif
+}
+
 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,
 			    char *buf)
 {
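Review bot: The leading underscore in `_unprivileged_ebpf_enabled()` is not kernel naming convention; a plain `unprivileged_ebpf_enabled()`, or a `spectre_`-prefixed name if a clash with a same-named helper elsewhere is the worry, reads better. The check itself is right: `!sysctl_unprivileged_bpf_disabled` treats every non-zero value as disabled, so both the plain "1" setting and the permanently-disabled "2" setting count as safe, and the `#else` branch keeps the file buildable without CONFIG_BPF_SYSCALL, where the sysctl symbol does not exist.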
@@ -130,6 +140,9 @@ ssize_t cpu_show_spectre_v2(struct devic
 		v2_str = "CSV2";
 		fallthrough;
 	case SPECTRE_MITIGATED:
+		if (bhb_state == SPECTRE_MITIGATED && _unprivileged_ebpf_enabled())
+			return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+
 		return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str);
 	case SPECTRE_VULNERABLE:
 		fallthrough;
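Review bot: The early return in `case SPECTRE_MITIGATED` throws away the `v2_str`/`bhb_str` detail that the normal path prints, so once the sysctl is opened up an administrator can no longer see from the file which mitigation is actually in place; consider keeping it, e.g. `"Vulnerable: Unprivileged eBPF enabled, %s%s\n", v2_str, bhb_str`. Keying the condition on `bhb_state` alone is correct, since the bypass only matters where the BHB mitigation is what protects the exception vectors, and the `"CSV2"` fallthrough above lands in the same check, so that path is covered as well. The sysctl is read at show() time, so a concurrent write can change the answer between two reads; that is acceptable for an informational file.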
@@ -1125,3 +1138,16 @@ void __init spectre_bhb_patch_clearbhb(s
 	*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
 	*updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
 }
+
+#ifdef CONFIG_BPF_SYSCALL
+#define EBPF_WARN "Unprivileged eBPF is enabled, data leaks possible via Spectre v2 BHB attacks!\n"
+void unpriv_ebpf_notify(int new_state)
+{
+	if (spectre_v2_state == SPECTRE_VULNERABLE ||
+	    spectre_bhb_state != SPECTRE_MITIGATED)
+		return;
+
+	if (!new_state)
+		pr_err("WARNING: %s", EBPF_WARN);
+}
+#endif
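Review bot: `new_state` has inverted semantics relative to its name (`!new_state` is the enabled case, because the sysctl is `unprivileged_bpf_disabled`) and the function carries no comment saying so; a one-liner such as `/* new_state is the value written to unprivileged_bpf_disabled: 0 means unprivileged eBPF is now allowed */` would save the next reader a trip to the sysctl handler. The early return mirrors the sysfs condition in the previous hunk (v2 not vulnerable and BHB mitigated), so the two reports stay consistent. Note that this hook is only reached from a sysctl write: a kernel that boots with unprivileged eBPF already enabled logs nothing, and only the sysfs read reports the vulnerable state. Minor style point: the `EBPF_WARN` macro is wedged between `#ifdef` and the function with no blank line; kernel style would put the message string near the other constants at the top of the file.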


Patches currently in stable-queue which might be from james.morse@xxxxxxx are

queue-5.16/arm64-entry-add-macro-for-reading-symbol-addresses-from-the-trampoline.patch
queue-5.16/arm64-use-the-clearbhb-instruction-in-mitigations.patch
queue-5.16/arm64-add-percpu-vectors-for-el1.patch
queue-5.16/arm64-entry-free-up-another-register-on-kpti-s-tramp_exit-path.patch
queue-5.16/arm64-entry-don-t-assume-tramp_vectors-is-the-start-of-the-vectors.patch
queue-5.16/arm64-entry-make-the-trampoline-cleanup-optional.patch
queue-5.16/arm64-proton-pack-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch
queue-5.16/arm64-entry-add-non-kpti-__bp_harden_el1_vectors-for-mitigations.patch
queue-5.16/arm64-add-id_aa64isar2_el1-sys-register.patch
queue-5.16/kvm-arm64-allow-smccc_arch_workaround_3-to-be-discovered-and-migrated.patch
queue-5.16/arm64-spectre-rename-spectre_v4_patch_fw_mitigation_conduit.patch
queue-5.16/arm64-entry-move-trampoline-macros-out-of-ifdef-d-section.patch
queue-5.16/arm64-entry-allow-tramp_alias-to-access-symbols-after-the-4k-boundary.patch
queue-5.16/arm64-entry-move-the-trampoline-data-page-before-the-text-page.patch
queue-5.16/arm64-entry.s-add-ventry-overflow-sanity-checks.patch
queue-5.16/arm64-entry-add-vectors-that-have-the-bhb-mitigation-sequences.patch
queue-5.16/arm64-mitigate-spectre-style-branch-history-side-channels.patch
queue-5.16/arm64-entry-allow-the-trampoline-text-to-occupy-multiple-pages.patch
queue-5.16/arm64-proton-pack-report-spectre-bhb-vulnerabilities-as-part-of-spectre-v2.patch
queue-5.16/kvm-arm64-allow-indirect-vectors-to-be-used-without-spectre_v3a.patch
queue-5.16/arm64-entry-make-the-kpti-trampoline-s-kpti-sequence-optional.patch
