From: Daniel Borkmann <daniel@iogearbox.net>
To: Yonghong Song <yonghong.song@linux.dev>,
Yafang Shao <laoar.shao@gmail.com>,
alexei.starovoitov@gmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
gerhorst@cs.fau.de, haoluo@google.com, john.fastabend@gmail.com,
jolsa@kernel.org, kpsingh@kernel.org, martin.lau@linux.dev,
sdf@google.com, song@kernel.org
Subject: Re: [PATCH v3 bpf-next] selftests/bpf: Fix selftests broken by mitigations=off
Date: Thu, 26 Oct 2023 15:46:30 +0200 [thread overview]
Message-ID: <3f47542a-ec0f-c33c-4300-36b54858a79c@iogearbox.net> (raw)
In-Reply-To: <e6c950d7-bb81-4265-bbbe-0201694280b3@linux.dev>
On 10/25/23 6:56 AM, Yonghong Song wrote:
> On 10/24/23 8:11 PM, Yafang Shao wrote:
>> When we configure the kernel command line with 'mitigations=off' and set
>> the sysctl knob 'kernel.unprivileged_bpf_disabled' to 0, the commit
>> bc5bc309db45 ("bpf: Inherit system settings for CPU security mitigations")
>> causes issues in the execution of `test_progs -t verifier`. This is because
>> 'mitigations=off' bypasses Spectre v1 and Spectre v4 protections.
>>
>> Currently, when a program requests to run in unprivileged mode
>> (kernel.unprivileged_bpf_disabled = 0), the BPF verifier may prevent it
>> from running due to the following conditions not being enabled:
>>
>> - bypass_spec_v1
>> - bypass_spec_v4
>> - allow_ptr_leaks
>> - allow_uninit_stack
>>
>> While 'mitigations=off' enables the first two conditions, it does not
>> enable the latter two. As a result, some test cases in
>> 'test_progs -t verifier' that were expected to fail to run may run
>> successfully, while others still fail but with different error messages.
>> This makes it challenging to address them comprehensively.
>>
>> Moreover, in the future, we may introduce more fine-grained control over
>> CPU mitigations, such as enabling only bypass_spec_v1 or bypass_spec_v4.
>>
>> Given the complexity of the situation, rather than fixing each broken test
>> case individually, it's preferable to skip them when 'mitigations=off' is
>> in effect and introduce specific test cases for the new 'mitigations=off'
>> scenario. For instance, we can introduce new BTF declaration tags like
>> '__failure__nospec', '__failure_nospecv1' and '__failure_nospecv4'.
>>
>> In this patch, the approach is to simply skip the broken test cases when
>> 'mitigations=off' is enabled. The result of `test_progs -t verifier` as
>> follows after this commit,
>>
>> Before this commit
>> ==================
>> - without 'mitigations=off'
>> - kernel.unprivileged_bpf_disabled = 2
>> Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>> - kernel.unprivileged_bpf_disabled = 0
>> Summary: 74/1336 PASSED, 0 SKIPPED, 0 FAILED <<<<
>> - with 'mitigations=off'
>> - kernel.unprivileged_bpf_disabled = 2
>> Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>> - kernel.unprivileged_bpf_disabled = 0
>> Summary: 63/1276 PASSED, 0 SKIPPED, 11 FAILED <<<< 11 FAILED
>>
>> After this commit
>> =================
>> - without 'mitigations=off'
>> - kernel.unprivileged_bpf_disabled = 2
>> Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>> - kernel.unprivileged_bpf_disabled = 0
>> Summary: 74/1336 PASSED, 0 SKIPPED, 0 FAILED <<<<
>> - with this patch, with 'mitigations=off'
>> - kernel.unprivileged_bpf_disabled = 2
>> Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>> - kernel.unprivileged_bpf_disabled = 0
>> Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED <<<< SKIPPED
>>
>> Fixes: bc5bc309db45 ("bpf: Inherit system settings for CPU security mitigations")
>> Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
>> Closes: https://lore.kernel.org/bpf/CAADnVQKUBJqg+hHtbLeeC2jhoJAWqnmRAzXW3hmUCNSV9kx4sQ@mail.gmail.com
>> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
>
> Ack with a nit below.
> Acked-by: Yonghong Song <yonghong.song@linux.dev>
>
[...]
>> }
>> - return disabled;
>> + return disabled ? true : get_mitigations_off();
>
> Above code is correct. But you could slightly simplify it with
> return disabled ? : get_mitigations_off();
>
> I guess maintainer can decide whether simplification is needed
> or not.
Turns out if you omit, then compiler will complain with a warning :)
[...]
GEN vmlinux.h
unpriv_helpers.c: In function ‘get_unpriv_disabled’:
unpriv_helpers.c:56:27: error: the omitted middle operand in ‘?:’ will always be ‘true’, suggest explicit middle operand [-Werror=parentheses]
56 | return disabled ? : get_mitigations_off();
| ^
cc1: all warnings being treated as errors
make: *** [Makefile:615: /root/linux/tools/testing/selftests/bpf/unpriv_helpers.o] Error 1
So it's okay as is, applied, thanks!
next prev parent reply other threads:[~2023-10-26 13:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-05 8:41 [PATCH bpf-next] bpf: Inherit system settings for CPU security mitigations Yafang Shao
2023-10-05 17:24 ` Stanislav Fomichev
2023-10-05 18:01 ` Song Liu
2023-10-05 23:30 ` KP Singh
2023-10-06 16:55 ` Daniel Borkmann
2023-10-06 18:20 ` patchwork-bot+netdevbpf
2023-10-11 22:53 ` Andrii Nakryiko
2023-10-12 2:29 ` Yafang Shao
2023-10-12 4:42 ` Andrii Nakryiko
2023-10-20 0:42 ` Alexei Starovoitov
2023-10-20 2:35 ` Yafang Shao
2023-10-22 9:26 ` [PATCH bpf-next] selftests/bpf: Fix selftests broken by mitigations=off Yafang Shao
2023-10-22 9:49 ` [PATCH v2 " Yafang Shao
2023-10-22 10:05 ` Yafang Shao
2023-10-25 3:11 ` [PATCH v3 " Yafang Shao
2023-10-25 4:56 ` Yonghong Song
2023-10-26 13:46 ` Daniel Borkmann [this message]
2023-10-26 16:54 ` Yonghong Song
2023-10-26 13:50 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3f47542a-ec0f-c33c-4300-36b54858a79c@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=gerhorst@cs.fau.de \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=laoar.shao@gmail.com \
--cc=martin.lau@linux.dev \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).