| 1 |
On Sat, Jan 6, 2018 at 8:58 AM, Walter Dnes <waltdnes@××××××××.org> wrote: |
| 2 |
> |
| 3 |
> I'm running openrc. On my 32-bit install, Intel Core2 duo, I get... |
| 4 |
> |
| 5 |
> zgrep BPF /proc/config.gz |
| 6 |
> CONFIG_BPF=y |
| 7 |
> # CONFIG_BPF_SYSCALL is not set |
| 8 |
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set |
| 9 |
> # CONFIG_TEST_BPF is not set |
| 10 |
> |
| 11 |
> On my 64-bit install, Intel Silvermont (Atom), I get... |
| 12 |
> |
| 13 |
> zgrep BPF /proc/config.gz |
| 14 |
> CONFIG_BPF=y |
| 15 |
> # CONFIG_BPF_SYSCALL is not set |
| 16 |
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set |
| 17 |
> # CONFIG_BPF_JIT is not set |
| 18 |
> CONFIG_HAVE_EBPF_JIT=y |
| 19 |
> # CONFIG_TEST_BPF is not set |
| 20 |
> |
| 21 |
> Does this improve security at all versus meltdown/spectre? Any |
| 22 |
> suggestions for changes? |
| 23 |
|
| 24 |
Intel hardware is vulnerable to Spectre variant 1, and Meltdown, |
| 25 |
regardless of any kernel settings, unless the kernel is patched to |
| 26 |
defeat it. I'm less sure about whether you're vulnerable to Spectre |
| 27 |
variant 2 with JIT BPF turned off. PTI is required to defeat Meltdown |
| 28 |
on Intel hardware. I don't think a patch to Spectre is in the stable |
| 29 |
linux kernel yet, though it seems like Redhat may have pushed out some |
| 30 |
kind of patch for it (possibly in conjunction with a microcode update |
| 31 |
to enable it). |
| 32 |
|
| 33 |
Disabling BPF JIT (which is the default state) does defeat the known |
| 34 |
Spectre attacks on AMD hardware, and AMD hardware is immune to |
| 35 |
Meltdown. |
| 36 |
|
| 37 |
Note that this is only talking about the kernel. Userspace code can |
| 38 |
also be vulnerable to cross-process Spectre attacks (particularly |
| 39 |
browsers) and those require specific hardening as well at the software |
| 40 |
level. On Gentoo we would get the benefit that if a gcc-level fix is |
| 41 |
developed we could harden everything at once with a complete rebuild. |
| 42 |
However, at this time gcc hasn't been patched. There is plenty of |
| 43 |
talk of it though. Some of the proposed solutions also need CPU |
| 44 |
microcode updates to enable them. The idea is that gcc would insert |
| 45 |
instructions in sensitive locations to fence in speculative execution, |
| 46 |
and the microcode would get the CPU to respect these boundaries. |
| 47 |
|
| 48 |
Intel has published this regarding their hardware: |
| 49 |
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf |
| 50 |
|
| 51 |
(This is targeted more at developers than users, including OS developers.) |
| 52 |
|
| 53 |
-- |
| 54 |
Rich |
Archives