Message ID | 0ace9ce3f97656d5f62d11093ad7ee81190c3c25.1635535215.git.pawan.kumar.gupta@linux.intel.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | BPF |
Series | [ebpf,v3] bpf: Disallow unprivileged bpf by default |

Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Single patches do not need cover letters |
netdev/fixes_present | fail | Series targets non-next tree, but doesn't contain any Fixes tags |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for bpf |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | success | CCed 10 of 10 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Signed-off-by tag matches author and committer |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | No Fixes tag |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 17 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
netdev/header_inline | success | No static functions without inline keyword in header files |
bpf/vmtest-bpf | fail | VM_Test |
bpf/vmtest-bpf-PR | fail | PR summary |
bpf/vmtest-bpf-next | fail | VM_Test |
bpf/vmtest-bpf-next-PR | fail | PR summary |
On Fri, Oct 29, 2021 at 12:43:54PM -0700, Pawan Gupta wrote: > Disabling unprivileged BPF would help prevent unprivileged users from > creating the conditions required for potential speculative execution > side-channel attacks on affected hardware. A deep dive on such attacks > and mitigation is available here [1]. > > Sync with what many distros are currently applying, disable unprivileged > BPF by default. An admin can enable this at runtime, if necessary. > > [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf > > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> FWIW: Acked-by: Mark Rutland <mark.rutland@arm.com> Mark. > --- > v3: > - Drop the conditional default for CONFIG_BPF_UNPRIV_DEFAULT_OFF until > we have an arch generic way to determine arch-common spectre type bugs. > [Mark Rutland, Daniel Borkmann]. > - Also drop the patch to Generalize ARM's CONFIG_CPU_SPECTRE. > - Minor changes to commit message. > > v2: https://lore.kernel.org/lkml/cover.1635383031.git.pawan.kumar.gupta@linux.intel.com/ > - Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures. > - Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE. > - Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE. > - Add reference to BPF spectre presentation in commit message. > > v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@linux.intel.com/ > > kernel/bpf/Kconfig | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig > index a82d6de86522..73d446294455 100644 > --- a/kernel/bpf/Kconfig > +++ b/kernel/bpf/Kconfig > @@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON > > config BPF_UNPRIV_DEFAULT_OFF > bool "Disable unprivileged BPF by default" > + default y > depends on BPF_SYSCALL > help > Disables unprivileged BPF by default by setting the corresponding 
> @@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF > disable it by setting it to 1 (from which no other transition to > 0 is possible anymore). > > + Unprivileged BPF can be used to exploit potential speculative > + execution side-channel vulnerabilities on affected hardware. If you > + are concerned about it, answer Y. > + > source "kernel/bpf/preload/Kconfig" > > config BPF_LSM > -- > 2.31.1 >
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index a82d6de86522..73d446294455 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON config BPF_UNPRIV_DEFAULT_OFF bool "Disable unprivileged BPF by default" + default y depends on BPF_SYSCALL help Disables unprivileged BPF by default by setting the corresponding @@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF disable it by setting it to 1 (from which no other transition to 0 is possible anymore). + Unprivileged BPF can be used to exploit potential speculative + execution side-channel vulnerabilities on affected hardware. If you + are concerned about it, answer Y. + source "kernel/bpf/preload/Kconfig" config BPF_LSM
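Review bot: The `default y` added under `config BPF_UNPRIV_DEFAULT_OFF` (first hunk, @@ -64,6 +64,7) is unconditional, so any existing config that never set this symbol flips to default-off on the next config refresh, on every architecture. The v3 changelog says the conditional default was dropped on purpose, so please say so in the commit message proper (the changelog below `---` is not kept in git history) and note that user space relying on unprivileged BPF will need the runtime override. The series also targets the bpf tree without a Fixes tag, which the netdev/fixes_present check flags; either add one or state why none applies.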
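Review bot: The closing sentence of the new help paragraph (second hunk, @@ -72,6 +73,10), "If you are concerned about it, answer Y", reads as an opt-in recommendation although the first hunk already makes Y the default. The usual Kconfig wording "If unsure, say Y" would match the new default. The paragraph could also repeat what the commit message states, that an admin can still enable unprivileged BPF at runtime, since the preceding help text only spells out the irreversible transition to 1.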
Disabling unprivileged BPF would help prevent unprivileged users from creating the conditions required for potential speculative execution side-channel attacks on affected hardware. A deep dive on such attacks and mitigation is available here [1].

Sync with what many distros are currently applying, disable unprivileged BPF by default. An admin can enable this at runtime, if necessary.

[1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>

---

v3:
- Drop the conditional default for CONFIG_BPF_UNPRIV_DEFAULT_OFF until we have an arch generic way to determine arch-common spectre type bugs. [Mark Rutland, Daniel Borkmann].
- Also drop the patch to Generalize ARM's CONFIG_CPU_SPECTRE.
- Minor changes to commit message.

v2: https://lore.kernel.org/lkml/cover.1635383031.git.pawan.kumar.gupta@linux.intel.com/
- Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures.
- Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE.
- Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE.
- Add reference to BPF spectre presentation in commit message.

v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@linux.intel.com/

kernel/bpf/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
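An added example, not part of the patch or the kernel tree: a host audit that compares the build-time default this option selects with the runtime state, to spot machines where unprivileged BPF was switched back on. The function names and the sample config are constructed here. The sysctl `kernel.unprivileged_bpf_disabled`, which the page does not name, takes 0 (enabled), 1 (disabled until reboot) or 2 (disabled, admin may change it), and the `/boot/config-$(uname -r)` path in the closing comment is an assumption about the distro.

```shell
#!/bin/sh
# Added example: audit helpers for CONFIG_BPF_UNPRIV_DEFAULT_OFF.

# Constructed sample: config fragment of a kernel built with the new default.
SAMPLE_CONFIG='CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'

# Print the boot-time sysctl value implied by a kernel config
# (file path in $1, or stdin when no argument is given):
#   2   -> CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
#   0   -> bpf() built, option not set
#   n/a -> CONFIG_BPF_SYSCALL not enabled, the option cannot apply
boot_default() {
    cfg=$(cat "${1:--}")
    if ! printf '%s\n' "$cfg" | grep -qx 'CONFIG_BPF_SYSCALL=y'; then
        echo "n/a"
    elif printf '%s\n' "$cfg" | grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'; then
        echo 2
    else
        echo 0
    fi
}

# Compare the boot default ($1) with the current sysctl value ($2).
# Returns 0 when unprivileged BPF is disabled, 1 when enabled, 2 on bad input.
assess() {
    case "$2" in
        0) if [ "$1" = 2 ]; then
               echo "ENABLED: built default-off, re-enabled at runtime"
           else
               echo "ENABLED: matches build default"
           fi
           return 1 ;;
        1) echo "DISABLED: locked until reboot" ;;
        2) echo "DISABLED: admin can still set 0 or 1" ;;
        *) echo "UNKNOWN sysctl value: $2"; return 2 ;;
    esac
}

# Demo on the constructed sample: default-off build, runtime value 0.
assess "$(printf '%s\n' "$SAMPLE_CONFIG" | boot_default)" 0 || true

# On a live host (paths are assumptions about the distro):
#   assess "$(boot_default "/boot/config-$(uname -r)")" \
#          "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
```
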