mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git (synced 2025-09-04 20:19:47 +08:00)

	bpf: Inherit system settings for CPU security mitigations
Currently, there exists a system-wide setting related to CPU security mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it deactivates all optional CPU mitigations. Therefore, if we implement a system-wide 'mitigations=off' setting, it should inherently bypass Spectre v1 and Spectre v4 in the BPF subsystem.

Please note that there is also a more specific 'nospectre_v1' setting on x86 and ppc architectures, though it is not currently exported. For the time being, let's disregard more fine-grained options.

This idea emerged during our discussion about potential Spectre v1 attacks with Luis [0].

[0] https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Stanislav Fomichev <sdf@google.com>
Acked-by: Song Liu <song@kernel.org>
Acked-by: KP Singh <kpsingh@kernel.org>
Cc: Luis Gerhorst <gerhorst@cs.fau.de>
Link: https://lore.kernel.org/bpf/20231005084123.1338-1-laoar.shao@gmail.com
parent 9c8c3fa3a5
commit bc5bc309db

				| @ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void) | |||||||
| 
 | 
 | ||||||
| static inline bool bpf_bypass_spec_v1(void) | static inline bool bpf_bypass_spec_v1(void) | ||||||
| { | { | ||||||
| 	return perfmon_capable(); | 	return perfmon_capable() || cpu_mitigations_off(); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| static inline bool bpf_bypass_spec_v4(void) | static inline bool bpf_bypass_spec_v4(void) | ||||||
| { | { | ||||||
| 	return perfmon_capable(); | 	return perfmon_capable() || cpu_mitigations_off(); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| int bpf_map_new_fd(struct bpf_map *map, int flags); | int bpf_map_new_fd(struct bpf_map *map, int flags); | ||||||
|  | |||||||
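Review bot: cpu_mitigations_off() is declared in linux/cpu.h and nothing in this hunk adds an include, so confirm that include/linux/bpf.h already pulls that header in; these are static inlines, so a missing declaration would fail to compile in every file that includes bpf.h. Also on documentation: after the change a reader of bpf_bypass_spec_v1()/bpf_bypass_spec_v4() sees only `perfmon_capable() || cpu_mitigations_off()` with no hint that the second term reflects the boot-time `mitigations=off` setting, that the finer-grained `nospectre_v1` knob is deliberately ignored, or why bpf_allow_uninit_stack() just above (visible in the hunk header) stays gated on perfmon_capable() alone; a short comment over the two functions would save the next reader a trip to the commit log.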