On Thu, Jan 4, 2018 at 7:51 PM, Adam Carter <adamcarter3@×××××.com> wrote:
> On Fri, Jan 5, 2018 at 8:39 AM, Nikos Chantziaras <realnc@×××××.com> wrote:
>>
>> On 04/01/18 18:18, Rich Freeman wrote:
>>>
>>> For variant 1 the only known vulnerability is BPF which probably
>>> next to nobody uses
>>
>>
>> I had to enable various BPF settings in the kernel because systemd
>> wouldn't shut up about it. It prints warning messages during boot that the
>> system doesn't support BPF. After enabling it, systemd was happy and stopped
>> barking at me.
>>
>
> The vulnerability specifically mentions EBPF and JIT so I'd say it's
> CONFIG_HAVE_EBPF_JIT, but there's also CONFIG_BPF_JIT.
>
> I notice EBPF_JIT is =y in my .config, grepping the sysctl -a output for bpf
> only returns:
> kernel.unprivileged_bpf_disabled = 0

The settings relevant to Spectre are:
CONFIG_BPF_JIT - this being set to y is enough to make Intel
processors vulnerable to variant 1/2. This being set to y is
necessary, but not sufficient, for making AMD vulnerable to variant 1.
net.core.bpf_jit_enable - this being set to 1 along with the config
option being set is sufficient to make AMD vulnerable to variant 1.
This setting has no effect on making Intel vulnerable to variant 1 or
2. I suspect this sysctl item won't appear unless it is loaded into
the kernel in the first place.

I believe CONFIG_HAVE_EBPF_JIT isn't actually modifiable via make
config - it is a dependency and I think it is there to indicate
whether the feature is supported (maybe it is arch-specific, or there
is some complex rule for it being available - I didn't dig through the
Makefiles).

I don't think either of these need to be set for systemd. The
settings referenced in that issue are CONFIG_CGROUP_BPF and
CONFIG_BPF_SYSCALL. I wouldn't be surprised if at some point BPF_JIT
gets patched to block Spectre, but that hasn't happened yet.

-- 
Rich
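An added example, not part of the thread above: a small POSIX sh audit of the three settings Rich and Adam discuss (CONFIG_BPF_JIT in the kernel config, net.core.bpf_jit_enable, and the kernel.unprivileged_bpf_disabled sysctl from Adam's output), classifying a host's state so the exposed combination is easy to spot. The function names and the "no-jit"/"jit-off"/"jit-privileged"/"jit-unprivileged" labels are my own; the config-file locations are the usual /proc/config.gz and /boot/config-<release> and are assumptions about the host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the BPF JIT settings discussed
# above. Per the thread, CONFIG_BPF_JIT=y alone already matters on Intel;
# net.core.bpf_jit_enable=1 on top of it adds the AMD variant 1 case.

# Does the given kernel config file have CONFIG_BPF_JIT=y?
bpf_jit_built_in() {
    grep -q '^CONFIG_BPF_JIT=y$' "$1"
}

# Classify from three inputs: config file path, value of
# net.core.bpf_jit_enable, value of kernel.unprivileged_bpf_disabled.
# Prints one label (names are this example's own):
#   config-unknown    config file empty/unreadable, cannot judge
#   no-jit            CONFIG_BPF_JIT not set (JIT not compiled in)
#   jit-off           JIT built in, but net.core.bpf_jit_enable=0
#   jit-privileged    JIT on, bpf() restricted to privileged users
#   jit-unprivileged  JIT on and unprivileged bpf() allowed (worst case)
bpf_exposure() {
    cfg=$1 jit_enable=$2 unpriv_disabled=$3
    if [ ! -s "$cfg" ]; then
        echo config-unknown
    elif ! bpf_jit_built_in "$cfg"; then
        echo no-jit
    elif [ "$jit_enable" = "0" ]; then
        echo jit-off
    elif [ "$unpriv_disabled" != "0" ]; then
        echo jit-privileged
    else
        echo jit-unprivileged
    fi
}

# Assumed locations of the running kernel's config; prints it to stdout.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Audit the live host. A missing bpf_jit_enable file is treated as 0, which
# matches Rich's point that the sysctl only appears once the code is loaded.
audit_live_system() {
    tmp=$(mktemp) || return 1
    running_kernel_config > "$tmp"
    jit=$(cat /proc/sys/net/core/bpf_jit_enable 2>/dev/null || echo 0)
    unpriv=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo 0)
    bpf_exposure "$tmp" "$jit" "$unpriv"
    rm -f "$tmp"
}
```

Run `audit_live_system` on a host to get the label; the two sysctls named in the thread can be tightened with `sysctl -w net.core.bpf_jit_enable=0` and `sysctl -w kernel.unprivileged_bpf_disabled=1`, while CONFIG_BPF_JIT itself only changes with a rebuilt kernel.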