
[bpf-next] bpf: Inherit system settings for CPU security mitigations

Message ID 20231005084123.1338-1-laoar.shao@gmail.com (mailing list archive)
State Accepted
Commit bc5bc309db45a7ab218ce8259ba9bc7659be61ca
Delegated to: BPF
Series [bpf-next] bpf: Inherit system settings for CPU security mitigations

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for bpf-next, async
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2826 this patch: 2826
netdev/cc_maintainers success CCed 12 of 12 maintainers
netdev/build_clang success Errors and warnings before: 1515 this patch: 1515
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 2912 this patch: 2912
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 14 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-0 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-1 success Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-2 success Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-4 success Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-3 success Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-5 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-9 success Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-6 success Logs for test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for test_maps on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-11 success Logs for test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-12 success Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-14 success Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-18 success Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-19 success Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-21 success Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-20 success Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-22 success Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-25 success Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-24 success Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-26 success Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for veristat

Commit Message

Yafang Shao Oct. 5, 2023, 8:41 a.m. UTC
Currently, there exists a system-wide setting related to CPU security
mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
deactivates all optional CPU mitigations. Therefore, if we implement a
system-wide 'mitigations=off' setting, it should inherently bypass Spectre
v1 and Spectre v4 in the BPF subsystem.

Please note that there is also a 'nospectre_v1' setting on x86 and ppc
architectures, though it is not currently exported. For the time being,
let's disregard it.

This idea emerged during our discussion about potential Spectre v1 attacks
with Luis[1].

[1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/

Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Cc: Luis Gerhorst <gerhorst@cs.fau.de>
---
 include/linux/bpf.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Stanislav Fomichev Oct. 5, 2023, 5:24 p.m. UTC | #1
On 10/05, Yafang Shao wrote:
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
> 
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
> 
> This idea emerged during our discussion about potential Spectre v1 attacks
> with Luis[1].
> 
> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/

Based on the discussion from [1]:

Acked-by: Stanislav Fomichev <sdf@google.com>

> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> ---
>  include/linux/bpf.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index a82efd34b741..61bde4520f5c 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
>  
>  static inline bool bpf_bypass_spec_v1(void)
>  {
> -	return perfmon_capable();
> +	return perfmon_capable() || cpu_mitigations_off();
>  }
>  
>  static inline bool bpf_bypass_spec_v4(void)
>  {
> -	return perfmon_capable();
> +	return perfmon_capable() || cpu_mitigations_off();
>  }
>  
>  int bpf_map_new_fd(struct bpf_map *map, int flags);
> -- 
> 2.30.1 (Apple Git-130)
>
Song Liu Oct. 5, 2023, 6:01 p.m. UTC | #2
On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
>
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
>
> This idea emerged during our discussion about potential Spectre v1 attacks
> with Luis[1].
>
> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
>
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> Cc: Luis Gerhorst <gerhorst@cs.fau.de>

Acked-by: Song Liu <song@kernel.org>
KP Singh Oct. 5, 2023, 11:30 p.m. UTC | #3
On Thu, Oct 5, 2023 at 8:02 PM Song Liu <song@kernel.org> wrote:
>
> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > Currently, there exists a system-wide setting related to CPU security
> > mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> > deactivates all optional CPU mitigations. Therefore, if we implement a
> > system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> > v1 and Spectre v4 in the BPF subsystem.
> >
> > Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> > architectures, though it is not currently exported. For the time being,
> > let's disregard it.
> >
> > This idea emerged during our discussion about potential Spectre v1 attacks
> > with Luis[1].
> >
> > [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
> >
> > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > Cc: Luis Gerhorst <gerhorst@cs.fau.de>
>
> Acked-by: Song Liu <song@kernel.org>
>

Acked-by: KP Singh <kpsingh@kernel.org>
Daniel Borkmann Oct. 6, 2023, 4:55 p.m. UTC | #4
On 10/6/23 1:30 AM, KP Singh wrote:
> On Thu, Oct 5, 2023 at 8:02 PM Song Liu <song@kernel.org> wrote:
>> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
>>>
>>> Currently, there exists a system-wide setting related to CPU security
>>> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
>>> deactivates all optional CPU mitigations. Therefore, if we implement a
>>> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
>>> v1 and Spectre v4 in the BPF subsystem.
>>>
>>> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
>>> architectures, though it is not currently exported. For the time being,
>>> let's disregard it.

From reading, the cpu_mitigations_off() is a more generic toggle to turn these
generally off, so going via cpu_mitigations_off() is fine in our case and does
not leave some corner cases behind. I presume you mean above that in future the
BPF side could respect some more fine-tuned settings, though it probably might
need some more coordination wrt archs to abstract sth generic out of it.

>>> This idea emerged during our discussion about potential Spectre v1 attacks
>>> with Luis[1].
>>>
>>> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
>>>
>>> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
>>> Cc: Luis Gerhorst <gerhorst@cs.fau.de>
>>
>> Acked-by: Song Liu <song@kernel.org>
>>
> 
> Acked-by: KP Singh <kpsingh@kernel.org>

Thanks,
Daniel
patchwork-bot+netdevbpf@kernel.org Oct. 6, 2023, 6:20 p.m. UTC | #5
Hello:

This patch was applied to bpf/bpf-next.git (master)
by Daniel Borkmann <daniel@iogearbox.net>:

On Thu,  5 Oct 2023 08:41:23 +0000 you wrote:
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
> 
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
> 
> [...]

Here is the summary with links:
  - [bpf-next] bpf: Inherit system settings for CPU security mitigations
    https://git.kernel.org/bpf/bpf-next/c/bc5bc309db45

You are awesome, thank you!
Andrii Nakryiko Oct. 11, 2023, 10:53 p.m. UTC | #6
On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
>
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
>
> This idea emerged during our discussion about potential Spectre v1 attacks
> with Luis[1].
>
> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
>
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> ---
>  include/linux/bpf.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index a82efd34b741..61bde4520f5c 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
>
>  static inline bool bpf_bypass_spec_v1(void)
>  {
> -       return perfmon_capable();
> +       return perfmon_capable() || cpu_mitigations_off();

Should we check cpu_mitigations_off() first before perfmon_capable()
to avoid unnecessary capability checks, which generate audit messages?

>  }
>
>  static inline bool bpf_bypass_spec_v4(void)
>  {
> -       return perfmon_capable();
> +       return perfmon_capable() || cpu_mitigations_off();
>  }
>
>  int bpf_map_new_fd(struct bpf_map *map, int flags);
> --
> 2.30.1 (Apple Git-130)
>
Yafang Shao Oct. 12, 2023, 2:29 a.m. UTC | #7
On Thu, Oct 12, 2023 at 6:53 AM Andrii Nakryiko
<andrii.nakryiko@gmail.com> wrote:
>
> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > Currently, there exists a system-wide setting related to CPU security
> > mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> > deactivates all optional CPU mitigations. Therefore, if we implement a
> > system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> > v1 and Spectre v4 in the BPF subsystem.
> >
> > Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> > architectures, though it is not currently exported. For the time being,
> > let's disregard it.
> >
> > This idea emerged during our discussion about potential Spectre v1 attacks
> > with Luis[1].
> >
> > [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
> >
> > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> > ---
> >  include/linux/bpf.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index a82efd34b741..61bde4520f5c 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
> >
> >  static inline bool bpf_bypass_spec_v1(void)
> >  {
> > -       return perfmon_capable();
> > +       return perfmon_capable() || cpu_mitigations_off();
>
> Should we check cpu_mitigations_off() first before perfmon_capable()
> to avoid unnecessary capability checks, which generate audit messages?

makes sense.
Should I send an additional patch, or you modify the original patch?
Andrii Nakryiko Oct. 12, 2023, 4:42 a.m. UTC | #8
On Wed, Oct 11, 2023 at 7:29 PM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> On Thu, Oct 12, 2023 at 6:53 AM Andrii Nakryiko
> <andrii.nakryiko@gmail.com> wrote:
> >
> > On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
> > >
> > > Currently, there exists a system-wide setting related to CPU security
> > > mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> > > deactivates all optional CPU mitigations. Therefore, if we implement a
> > > system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> > > v1 and Spectre v4 in the BPF subsystem.
> > >
> > > Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> > > architectures, though it is not currently exported. For the time being,
> > > let's disregard it.
> > >
> > > This idea emerged during our discussion about potential Spectre v1 attacks
> > > with Luis[1].
> > >
> > > [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
> > >
> > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > > Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> > > ---
> > >  include/linux/bpf.h | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > > index a82efd34b741..61bde4520f5c 100644
> > > --- a/include/linux/bpf.h
> > > +++ b/include/linux/bpf.h
> > > @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
> > >
> > >  static inline bool bpf_bypass_spec_v1(void)
> > >  {
> > > -       return perfmon_capable();
> > > +       return perfmon_capable() || cpu_mitigations_off();
> >
> > Should we check cpu_mitigations_off() first before perfmon_capable()
> > to avoid unnecessary capability checks, which generate audit messages?
>
> makes sense.
> Should I send an additional patch, or you modify the original patch?

please send a patch

>
> --
> Regards
> Yafang
Alexei Starovoitov Oct. 20, 2023, 12:42 a.m. UTC | #9
On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
>
> Currently, there exists a system-wide setting related to CPU security
> mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> deactivates all optional CPU mitigations. Therefore, if we implement a
> system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> v1 and Spectre v4 in the BPF subsystem.
>
> Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> architectures, though it is not currently exported. For the time being,
> let's disregard it.
>
> This idea emerged during our discussion about potential Spectre v1 attacks
> with Luis[1].
>
> [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
>
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> ---
>  include/linux/bpf.h | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index a82efd34b741..61bde4520f5c 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
>
>  static inline bool bpf_bypass_spec_v1(void)
>  {
> -       return perfmon_capable();
> +       return perfmon_capable() || cpu_mitigations_off();
>  }
>
>  static inline bool bpf_bypass_spec_v4(void)
>  {
> -       return perfmon_capable();
> +       return perfmon_capable() || cpu_mitigations_off();
>  }

Yafang,

this patch breaks several
test_progs -t verifier

tests when the system is booted with the mitigations=off command line.

Please follow up with a patch to fix this.

As you noticed cpu_mitigations_off() is not quite right here.
The system might have booted without that command line, but
spec_v1 and spec_v4 mitigations are turned off.
Unfortunately there is no good way to check that atm.
Have you seen this patch set ?
https://lore.kernel.org/all/20231019181158.1982205-1-leitao@debian.org/
Please take a look at it and comment if you think it will help.

In the meantime please fix test_progs -t verifier

Thanks
Yafang Shao Oct. 20, 2023, 2:35 a.m. UTC | #10
On Fri, Oct 20, 2023 at 8:42 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Thu, Oct 5, 2023 at 1:41 AM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > Currently, there exists a system-wide setting related to CPU security
> > mitigations, denoted as 'mitigations='. When set to 'mitigations=off', it
> > deactivates all optional CPU mitigations. Therefore, if we implement a
> > system-wide 'mitigations=off' setting, it should inherently bypass Spectre
> > v1 and Spectre v4 in the BPF subsystem.
> >
> > Please note that there is also a 'nospectre_v1' setting on x86 and ppc
> > architectures, though it is not currently exported. For the time being,
> > let's disregard it.
> >
> > This idea emerged during our discussion about potential Spectre v1 attacks
> > with Luis[1].
> >
> > [1]. https://lore.kernel.org/bpf/b4fc15f7-b204-767e-ebb9-fdb4233961fb@iogearbox.net/
> >
> > Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> > Cc: Luis Gerhorst <gerhorst@cs.fau.de>
> > ---
> >  include/linux/bpf.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index a82efd34b741..61bde4520f5c 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -2164,12 +2164,12 @@ static inline bool bpf_allow_uninit_stack(void)
> >
> >  static inline bool bpf_bypass_spec_v1(void)
> >  {
> > -       return perfmon_capable();
> > +       return perfmon_capable() || cpu_mitigations_off();
> >  }
> >
> >  static inline bool bpf_bypass_spec_v4(void)
> >  {
> > -       return perfmon_capable();
> > +       return perfmon_capable() || cpu_mitigations_off();
> >  }
>
> Yafang,
>
> this patch breaks several
> test_progs -t verifier

Sorry, I missed that.

>
> tests when system is booted with mitigations=off command line.
>
> Please follow up with a patch to fix this.

Will do it.

>
> As you noticed cpu_mitigations_off() is not quite right here.
> The system might have booted without that command line, but
> spec_v1 and spec_v4 mitigations are turned off.
> Unfortunately there is no good way to check that atm.
> Have you seen this patch set ?
> https://lore.kernel.org/all/20231019181158.1982205-1-leitao@debian.org/
> Please take a look at it and comment if you think it will help.

Thanks for your information. Will take a look.

>
> In the meantime please fix test_progs -t verifier

Sure.

Patch

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index a82efd34b741..61bde4520f5c 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -2164,12 +2164,12 @@  static inline bool bpf_allow_uninit_stack(void)
 
 static inline bool bpf_bypass_spec_v1(void)
 {
-	return perfmon_capable();
+	return perfmon_capable() || cpu_mitigations_off();
 }
 
 static inline bool bpf_bypass_spec_v4(void)
 {
-	return perfmon_capable();
+	return perfmon_capable() || cpu_mitigations_off();
 }
 
 int bpf_map_new_fd(struct bpf_map *map, int flags);
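Review bot: In both bpf_bypass_spec_v1() and bpf_bypass_spec_v4(), cpu_mitigations_off() should be evaluated before perfmon_capable(), since the capability check is the expensive side and can emit audit messages even when the result is already decided by the global toggle; suggested form: `return cpu_mitigations_off() || perfmon_capable();`. Two further points from the thread that the hunk does not address: cpu_mitigations_off() only reflects the global mitigations=off command line, so a system that has Spectre v1/v4 mitigations disabled by other means still takes the mitigated verifier path, and the change alters verifier behaviour for unprivileged programs on mitigations=off boots, which breaks several test_progs -t verifier selftests that need a follow-up fix.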