On Sat, Jan 6, 2018 at 8:58 AM, Walter Dnes <waltdnes@××××××××.org> wrote:
>
> I'm running openrc. On my 32-bit install, Intel Core2 duo, I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_TEST_BPF is not set
>
> On my 64-bit install, Intel Silvermont (Atom), I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_BPF_JIT is not set
> CONFIG_HAVE_EBPF_JIT=y
> # CONFIG_TEST_BPF is not set
>
> Does this improve security at all versus meltdown/spectre? Any
> suggestions for changes?

Intel hardware is vulnerable to Spectre variant 1, and Meltdown,
regardless of any kernel settings, unless the kernel is patched to
defeat it. I'm less sure about whether you're vulnerable to Spectre
variant 2 with JIT BPF turned off. PTI is required to defeat Meltdown
on Intel hardware. I don't think a patch to Spectre is in the stable
linux kernel yet, though it seems like Redhat may have pushed out some
kind of patch for it (possibly in conjunction with a microcode update
to enable it).

Disabling BPF JIT (which is the default state) does defeat the known
Spectre attacks on AMD hardware, and AMD hardware is immune to
Meltdown.

Note that this is only talking about the kernel. Userspace code can
also be vulnerable to cross-process Spectre attacks (particularly
browsers) and those require specific hardening as well at the software
level. On Gentoo we would get the benefit that if a gcc-level fix is
developed we could harden everything at once with a complete rebuild.
However, at this time gcc hasn't been patched. There is plenty of
talk of it though. Some of the proposed solutions also need CPU
microcode updates to enable them. The idea is that gcc would insert
instructions in sensitive locations to fence in speculative execution,
and the microcode would get the CPU to respect these boundaries.

Intel has published this regarding their hardware:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

(This is targeted more at developers than users, including OS developers.)

--
Rich
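An added check script, not part of the thread, that reads the interfaces the two posts are talking about: CONFIG_BPF_JIT from a saved kernel config (Walter's 32-bit config has no BPF_JIT line at all, which the script reports separately from "not set"), the runtime bpf_jit_enable sysctl, and the per-issue status files that kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities/. The function names, the optional path arguments and the script name are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise BPF JIT state and the kernel's
# own Spectre/Meltdown reporting. Each function takes a path so it can be
# pointed at a saved file instead of the live system.

# CONFIG_BPF_JIT from a plain-text kernel config (e.g. `zcat /proc/config.gz`).
# Prints jit-disabled ("# CONFIG_BPF_JIT is not set", the default),
# jit-enabled ("CONFIG_BPF_JIT=y") or jit-absent (option not present at all,
# as in the 32-bit config quoted above).
bpf_jit_config_status() {
    if grep -qx 'CONFIG_BPF_JIT=y' "$1"; then
        echo jit-enabled
    elif grep -qx '# CONFIG_BPF_JIT is not set' "$1"; then
        echo jit-disabled
    else
        echo jit-absent
    fi
}

# Runtime switch: /proc/sys/net/core/bpf_jit_enable is 0 (off), 1 (on) or
# 2 (on with debug output). A JIT compiled into the kernel can still be off here.
bpf_jit_runtime_status() {
    f="${1:-/proc/sys/net/core/bpf_jit_enable}"
    if [ ! -r "$f" ]; then echo jit-absent; return; fi
    case "$(cat "$f")" in
        0)   echo jit-disabled ;;
        1|2) echo jit-enabled ;;
        *)   echo jit-unknown ;;
    esac
}

# Kernels from 4.15 on expose one status file per issue (meltdown, spectre_v1,
# spectre_v2) under /sys/devices/system/cpu/vulnerabilities/. Older kernels,
# like the ones in this thread, have no such directory at all.
cpu_vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then echo "no vulnerabilities sysfs (kernel older than 4.15?)"; return; fi
    for f in "$dir"/*; do
        if [ -r "$f" ]; then printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"; fi
    done
}

# Live report when run directly as `sh check.sh --live` (script name is an
# assumption); the config part needs /proc/config.gz (CONFIG_IKCONFIG_PROC).
if [ "${1:-}" = "--live" ] && [ -r /proc/config.gz ]; then
    cfg=$(mktemp)
    zcat /proc/config.gz > "$cfg"
    echo "CONFIG_BPF_JIT: $(bpf_jit_config_status "$cfg")"
    rm -f "$cfg"
    echo "bpf_jit_enable: $(bpf_jit_runtime_status)"
    cpu_vuln_report
fi
```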