| Message ID | 20201104235054.5678-1-aarcange@redhat.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to | Netdev Maintainers |
| Series | [1/1] x86: change default to spec_store_bypass_disable=prctl spectre_v2_user=prctl |

On Wed, Nov 04, 2020 at 06:50:54PM -0500, Andrea Arcangeli wrote:
> Switch the kernel default of SSBD and STIBP to the ones with
> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.

Hello x86 maintainers!

I'd really like to get this landed, so I'll take this via the seccomp-tree unless someone else speaks up. This keeps falling off the edge of my TODO list. :)

-Kees

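With the default moved from "seccomp" to "prctl", a sandboxed program that relied on the seccomp filter restricting speculation for it now has to opt in itself; the following is an added example (not part of the patch or of this thread) that checks each per-task control and requests PR_SPEC_FORCE_DISABLE where the task is allowed to. It assumes Linux headers that carry the PR_*_SPECULATION_CTRL constants described in Documentation/userspace-api/spec_ctrl.rst; the helper names spec_state_class and harden_task are my own.

```c
/* Added example, not from the patch or the thread: query the per-task
 * speculation controls and opt in explicitly (needed once the kernel
 * default is "prctl" rather than "seccomp"). Helper names are my own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>   /* PR_*_SPECULATION_CTRL, PR_SPEC_* (Linux >= 4.17) */

/* Classify a PR_GET_SPECULATION_CTRL result: 0 = CPU not affected,
 * 1 = already disabled for this task, 2 = enabled but restrictable by
 * this task via prctl, -1 = enabled by a global policy we cannot change. */
int spec_state_class(long st)
{
	if (st == PR_SPEC_NOT_AFFECTED)
		return 0;
	if (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
		return 1;
	return (st & PR_SPEC_PRCTL) ? 2 : -1;
}

/* Disable one misfeature for the calling task before untrusted code runs.
 * Returns 0 once active, 1 if the CPU is not affected, or a negative errno
 * (e.g. -ENXIO when the kernel's mode does not allow per-task control). */
int harden_task(int which)
{
	long st = prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
	if (st < 0)
		return -errno;
	switch (spec_state_class(st)) {
	case 0:  return 1;
	case 1:  return 0;
	case -1: return -ENXIO;
	}
	/* FORCE_DISABLE is sticky, like the restriction the old seccomp
	 * default applied automatically to every filtered task. */
	if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_FORCE_DISABLE, 0, 0))
		return -errno;
	return 0;
}

int main(void)
{
	int r = harden_task(PR_SPEC_STORE_BYPASS);
	printf("store bypass: %s\n", r < 0 ? strerror(-r) : r ? "not affected" : "disabled");
	r = harden_task(PR_SPEC_INDIRECT_BRANCH);
	printf("indirect branch: %s\n", r < 0 ? strerror(-r) : r ? "not affected" : "disabled");
	return 0;
}
```

On a kernel booted with the old seccomp default the program reports "disabled" without issuing the set call, because the task was already restricted; under the new prctl default the set call is what makes it so.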
> On Sep 11, 2021, at 2:13 PM, Kees Cook <keescook@chromium.org> wrote:
>
> On Wed, Nov 04, 2020 at 06:50:54PM -0500, Andrea Arcangeli wrote:
>> Switch the kernel default of SSBD and STIBP to the ones with
>> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
>> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.
>
> Hello x86 maintainers!
>
> I'd really like to get this landed, so I'll take this via the
> seccomp-tree unless someone else speaks up. This keeps falling off
> the edge of my TODO list. :)

Thanks! You can add my

Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>

On 9/11/21 5:13 PM, Kees Cook wrote:
> On Wed, Nov 04, 2020 at 06:50:54PM -0500, Andrea Arcangeli wrote:
>> Switch the kernel default of SSBD and STIBP to the ones with
>> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
>> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.
> Hello x86 maintainers!
>
> I'd really like to get this landed, so I'll take this via the
> seccomp-tree unless someone else speaks up. This keeps falling off
> the edge of my TODO list. :)
>
> -Kees
>
You can add my ack too. Thanks!

Acked-by: Waiman Long <longman@redhat.com>

On Sat, Sep 11, 2021 at 07:01:40PM -0700, Josh Poimboeuf wrote:
>
>
> > On Sep 11, 2021, at 2:13 PM, Kees Cook <keescook@chromium.org> wrote:
> >
> > On Wed, Nov 04, 2020 at 06:50:54PM -0500, Andrea Arcangeli wrote:
> >> Switch the kernel default of SSBD and STIBP to the ones with
> >> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
> >> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.
> >
> > Hello x86 maintainers!
> >
> > I'd really like to get this landed, so I'll take this via the
> > seccomp-tree unless someone else speaks up. This keeps falling off
> > the edge of my TODO list. :)
>
> Thanks! You can add my
>
> Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>

Hi Kees,

Ping - I don't see this patch in linux-next. Are you planning on grabbing this for the next merge window?

On Mon, Oct 04, 2021 at 10:54:31AM -0700, Josh Poimboeuf wrote:
> On Sat, Sep 11, 2021 at 07:01:40PM -0700, Josh Poimboeuf wrote:
> >
> >
> > > On Sep 11, 2021, at 2:13 PM, Kees Cook <keescook@chromium.org> wrote:
> > >
> > > On Wed, Nov 04, 2020 at 06:50:54PM -0500, Andrea Arcangeli wrote:
> > >> Switch the kernel default of SSBD and STIBP to the ones with
> > >> CONFIG_SECCOMP=n (i.e. spec_store_bypass_disable=prctl
> > >> spectre_v2_user=prctl) even if CONFIG_SECCOMP=y.
> > >
> > > Hello x86 maintainers!
> > >
> > > I'd really like to get this landed, so I'll take this via the
> > > seccomp-tree unless someone else speaks up. This keeps falling off
> > > the edge of my TODO list. :)
> >
> > Thanks! You can add my
> >
> > Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
>
> Hi Kees,
>
> Ping - I don't see this patch in linux-next. Are you planning on grabbing this
> for the next merge window?

Thanks for the reminder! I've pushed this to the seccomp next tree.

diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst index e05e581af5cf..19b897cb1d45 100644 --- a/Documentation/admin-guide/hw-vuln/spectre.rst +++ b/Documentation/admin-guide/hw-vuln/spectre.rst @@ -490,9 +490,8 @@ Spectre variant 2 Restricting indirect branch speculation on a user program will also prevent the program from launching a variant 2 attack - on x86. All sand-boxed SECCOMP programs have indirect branch - speculation restricted by default. Administrators can change - that behavior via the kernel command line and sysfs control files. + on x86. Administrators can change that behavior via the kernel + command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`. Programs that disable their indirect branch speculation will have @@ -674,9 +673,8 @@ Mitigation selection guide off by disabling their indirect branch speculation when they are run (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). This prevents untrusted programs from polluting the branch target - buffer. All programs running in SECCOMP sandboxes have indirect - branch speculation restricted by default. This behavior can be - changed via the kernel command line and sysfs control files. See + buffer. This behavior can be changed via the kernel command line + and sysfs control files. See :ref:`spectre_mitigation_control_command_line`. 3. High security mode diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 526d65d8573a..105401a3582f 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4980,8 +4980,7 @@ auto - Kernel selects the mitigation depending on the available CPU features and vulnerability. - Default mitigation: - If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl" + Default mitigation: "prctl" Not specifying this option is equivalent to spectre_v2_user=auto. 
@@ -5025,7 +5024,7 @@ will disable SSB unless they explicitly opt out. Default mitigations: - X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl" + X86: "prctl" On powerpc the options are: diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c index d3f0db463f96..5ec39397fe9c 100644 --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -721,11 +721,11 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd) case SPECTRE_V2_USER_CMD_FORCE: mode = SPECTRE_V2_USER_STRICT; break; + case SPECTRE_V2_USER_CMD_AUTO: case SPECTRE_V2_USER_CMD_PRCTL: case SPECTRE_V2_USER_CMD_PRCTL_IBPB: mode = SPECTRE_V2_USER_PRCTL; break; - case SPECTRE_V2_USER_CMD_AUTO: case SPECTRE_V2_USER_CMD_SECCOMP: case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: if (IS_ENABLED(CONFIG_SECCOMP)) @@ -1132,7 +1132,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) return mode; switch (cmd) { - case SPEC_STORE_BYPASS_CMD_AUTO: case SPEC_STORE_BYPASS_CMD_SECCOMP: /* * Choose prctl+seccomp as the default mode if seccomp is @@ -1146,6 +1145,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void) case SPEC_STORE_BYPASS_CMD_ON: mode = SPEC_STORE_BYPASS_DISABLE; break; + case SPEC_STORE_BYPASS_CMD_AUTO: case SPEC_STORE_BYPASS_CMD_PRCTL: mode = SPEC_STORE_BYPASS_PRCTL; break;
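Review bot: in the spectre.rst hunk at line 490, dropping the sentence about sandboxed SECCOMP programs leaves "Administrators can change that behavior via the kernel command line and sysfs control files" without a clear antecedent; "that behavior" now reads as the restriction itself rather than a default policy. Suggest spelling the new default out, along the lines of "By default no program is restricted; a program opts in via prctl(), and administrators can change the default via the kernel command line and sysfs control files."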
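Review bot: the same antecedent problem appears in the mitigation selection guide hunk at line 674, where "This behavior can be changed via the kernel command line and sysfs control files" now refers back to restricting untrusted programs in general. Since the point of the change is that sandboxes are no longer covered automatically, the guide should say so explicitly; otherwise a reader following step 2 may still assume a seccomp filter alone restricts branch speculation.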
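Review bot: in spectre_v2_user_select_mitigation(), grouping SPECTRE_V2_USER_CMD_AUTO with the PRCTL cases is the right mechanical change, but the SECCOMP/SECCOMP_IBPB cases below still carry their IS_ENABLED(CONFIG_SECCOMP) check and are now reachable only by explicit spectre_v2_user=seccomp. A one-line comment above those cases saying they are no longer a default path would stop a future reader from assuming AUTO still falls through to them.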
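Review bot: in __ssb_select_mitigation(), the comment left in the SPEC_STORE_BYPASS_CMD_SECCOMP case, "Choose prctl+seccomp as the default mode if seccomp is ...", is stale after this hunk: with SPEC_STORE_BYPASS_CMD_AUTO moved to the PRCTL case, seccomp is no longer the default under any configuration. Update the comment to say the mode is selected only on explicit request, so the code and the new "Default mitigations: X86: prctl" text in kernel-parameters.txt agree.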