Commit bc5bc309 authored by Yafang Shao, committed by Daniel Borkmann

bpf: Inherit system settings for CPU security mitigations

Currently, there exists a system-wide setting related to CPU security
mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
deactivates all optional CPU mitigations. Therefore, if we implement a
system-wide 'mitigations=off' setting, it should inherently bypass Spectre
v1 and Spectre v4 in the BPF subsystem.

Please note that there is also a more specific 'nospectre_v1' setting on
x86 and ppc architectures, though it is not currently exported. For the
time being, let's disregard more fine-grained options.

This idea emerged during our discussion about potential Spectre v1 attacks
with Luis [0].

  [0] https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Stanislav Fomichev <sdf@google.com>
Acked-by: Song Liu <song@kernel.org>
Acked-by: KP Singh <kpsingh@kernel.org>
Cc: Luis Gerhorst <gerhorst@cs.fau.de>
Link: https://lore.kernel.org/bpf/20231005084123.1338-1-laoar.shao@gmail.com
parent 9c8c3fa3
...@@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void) ...@@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
static inline bool bpf_bypass_spec_v1(void) static inline bool bpf_bypass_spec_v1(void)
{ {
return perfmon_capable(); return perfmon_capable() || cpu_mitigations_off();
} }
static inline bool bpf_bypass_spec_v4(void) static inline bool bpf_bypass_spec_v4(void)
{ {
return perfmon_capable(); return perfmon_capable() || cpu_mitigations_off();
} }
int bpf_map_new_fd(struct bpf_map *map, int flags); int bpf_map_new_fd(struct bpf_map *map, int flags);
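Review bot: With both bpf_bypass_spec_v1() and bpf_bypass_spec_v4() now returning true whenever cpu_mitigations_off() is set, the verifier skips its Spectre v1 and v4 hardening for every BPF program on a 'mitigations=off' system, not only for perfmon-capable callers; that is the intended effect per the commit message, but it widens what 'mitigations=off' covers, so the kernel-parameters documentation for 'mitigations=' should list the BPF verifier mitigations alongside the CPU ones so administrators can see that scope. The commit message also states that the finer-grained 'nospectre_v1' is deliberately not honored here; a short comment above these two helpers saying so would save the next reader from assuming the omission is an oversight. Finally, since include/linux/bpf.h now calls cpu_mitigations_off(), confirm the header providing it (include/linux/cpu.h) is reachable from every configuration that includes bpf.h.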