| 1 |
On Thu, Jan 4, 2018 at 7:51 PM, Adam Carter <adamcarter3@×××××.com> wrote: |
| 2 |
> On Fri, Jan 5, 2018 at 8:39 AM, Nikos Chantziaras <realnc@×××××.com> wrote: |
| 3 |
>> |
| 4 |
>> On 04/01/18 18:18, Rich Freeman wrote: |
| 5 |
>>> |
| 6 |
>>> For variant 1 the only known vulnerability is BPF which probably |
| 7 |
>>> next to nobody uses |
| 8 |
>> |
| 9 |
>> |
| 10 |
>> I had to enable various BPF settings in the kernel because systemd |
| 11 |
>> wouldn't shut up about it. It prints warning messages during boot that the |
| 12 |
>> system doesn't support BPF. After enabling it, systemd was happy and stopped |
| 13 |
>> barking at me. |
| 14 |
>> |
| 15 |
> |
| 16 |
> The vulnerability specifically mentions EBPF and JIT so I'd say its |
| 17 |
> CONFIG_HAVE_EBPF_JIT, but there's also CONFIG_BPF_JIT. |
| 18 |
> |
| 19 |
> I notice EBPF_JIT is =y in my .config, grepping the sysctl -a output for bpf |
| 20 |
> only returns; |
| 21 |
> kernel.unprivileged_bpf_disabled = 0 |
| 22 |
|
| 23 |
The settings relevant to Spectre are: |
| 24 |
CONFIG_BPF_JIT - this being set to y is enough to make Intel |
| 25 |
processors vulnerable to variant 1/2. This being set to y is |
| 26 |
necessary, but not sufficient, for making AMD vulnerable to variant 1. |
| 27 |
net.core.bpf_jit_enable - this being set to 1 along with the config |
| 28 |
option being set is sufficient to make AMD vulnerable to variant 1. |
| 29 |
This setting has no effect on making Intel vulnerable to variant 1 or |
| 30 |
2. I suspect this sysctl item won't appear unless it is loaded into |
| 31 |
the kernel in the first place. |
| 32 |
|
| 33 |
I believe CONFIG_HAVE_EBPF_JIT isn't actually modifiable via make |
| 34 |
config - it is a dependency and I think it is there to indicate |
| 35 |
whether the feature is supported (maybe it is arch-specific, or there |
| 36 |
is some complex rule for it being available - I didn't dig through the |
| 37 |
Makefiles). |
| 38 |
|
| 39 |
I don't think either of these need to be set for systemd. The |
| 40 |
settings referenced in that issue are CONFIG_CGROUP_BPF and |
| 41 |
CONFIG_BPF_SYSCALL. I wouldn't be surprised if at some point BPF_JIT |
| 42 |
gets patched to block Spectre, but that hasn't happened yet. |
| 43 |
|
| 44 |
-- |
| 45 |
Rich |
Archives