From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Jiri Kosina <jikos@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Borislav Petkov <bp@alien8.de>,
linux-kernel@vger.kernel.org, x86@kernel.org,
stable@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net
Subject: Re: [PATCH] x86/speculation: Add document to describe Spectre and its mitigations
Date: Tue, 8 Jan 2019 17:11:32 -0800
Message-ID: <20190109011130.wrsrcaly2mgnou3k@ast-mbp>
In-Reply-To: <2278b1c7-5d20-3c89-eab1-ea34145dc73d@linux.intel.com>
On Tue, Jan 08, 2019 at 01:12:45PM -0800, Tim Chen wrote:
> On 12/23/18 3:11 PM, Alexei Starovoitov wrote:
> > On Fri, Dec 21, 2018 at 09:44:44AM -0800, Tim Chen wrote:
> >> +
> >> +4. Kernel sandbox attacking kernel
> >> +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >> +
> >> +The kernel has support for running user-supplied programs within the
> >> +kernel. Specific rules (such as bounds checking) are enforced on these
> >> +programs by the kernel to ensure that they do not violate access controls.
> >> +
> >> +eBPF is a kernel sub-system that uses user-supplied program
> >> +to execute JITed untrusted byte code inside the kernel. eBPF is used
> >> +for manipulating and examining network packets, examining system call
> >> +parameters for sand boxes and other uses.
> >> +
> >> +A malicious local process could upload and trigger an malicious
> >> +eBPF script to the kernel, with the script attacking the kernel
> >> +using variant 1 or 2 and reading memory.
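Review bot: the last paragraph of this hunk describes both variants as an "upload and trigger" attack, while the first paragraph says the kernel enforces rules such as bounds checking on loaded programs; the section should state which control (verifier checks or the JIT) each variant bears on and whether loading a program is needed at all, otherwise the reader cannot tell what the prerequisites in the rest of the section derive from. Minor wording in the same region: "an malicious" should be "a malicious", "sand boxes" should be "sandboxes", and "uses user-supplied program" should be plural ("programs").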
> >
> > Above is not correct.
> > The exploit for var2 does not load bpf progs into kernel.
> > Instead the bpf interpreter is speculatively executing bpf prog
> > that was never loaded.
> > Hence CONFIG_BPF_JIT_ALWAYS_ON=y is necessary to make var2 harder
> > to exploit.
> > Same goes for other in-kernel interpreters and state machines.
> >
> >> +
> >> +Necessary Prerequisites:
> >> +1. Malicious local process
> >> +2. eBPF JIT enabled for unprivileged users, attacking kernel with secrets
> >> +on the same machine.
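Review bot: "Necessary Prerequisites:" runs straight into "1. Malicious local process" with no blank line, so reST will treat the list as continuation text of that paragraph, and the line "on the same machine." is not indented under item 2, which ends the list early with an "unexpected unindent" warning. Add a blank line after "Necessary Prerequisites:" and indent the continuation by three spaces so it aligns with "eBPF".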
> >
> > This is not quite correct either.
> > Var 1 could have been exploited with and without JIT.
> > Also, the above sounds like var1 is still exploitable through bpf,
> > which is not the case.
> >
>
> Alexei,
>
> Do you have any suggestions on how to rewrite these two paragraphs? You
> are probably the best person to update content for this section.
how about moving bpf bits out of this doc and placing them under Documentation/bpf/ ?
We can create bpf_security.rst there with specdown mitigations, best practices,
useful sysctl and config knobs, etc.
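A defender-side check for the knobs this reply mentions, added here as an example and not code from the thread or the kernel tree. It assumes the standard procfs/sysfs paths (bpf_jit_enable, unprivileged_bpf_disabled, cpu/vulnerabilities/spectre_v1 and spectre_v2) and a kernel config under /boot or /proc/config.gz; the optional root prefix exists so the same functions can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from this thread or the kernel tree: report the bpf
# and spectre knobs discussed above. The root argument is "" for the live
# system; any other prefix makes the functions read a constructed tree instead.

# knob <root> <path>: print the file's content on one line, or "missing".
knob() {
    if [ -r "$1$2" ]; then tr -d '\n' < "$1$2"; else printf 'missing'; fi
}

# jit_always_on <root>: succeed if a kernel config under root pins the JIT on.
jit_always_on() {
    for cfg in "$1"/boot/config-* "$1"/proc/config.gz; do
        [ -r "$cfg" ] || continue
        case "$cfg" in
            *.gz) zcat "$cfg" 2>/dev/null | grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y' && return 0 ;;
            *)    grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y' "$cfg" && return 0 ;;
        esac
    done
    return 1
}

# bpf_spec_report <root>: print one line per knob; return 0 only when the JIT
# is pinned on and in use and unprivileged program loading is disabled.
bpf_spec_report() {
    root=${1-}
    rc=0
    vuln=/sys/devices/system/cpu/vulnerabilities
    echo "spectre_v1: $(knob "$root" $vuln/spectre_v1)"
    echo "spectre_v2: $(knob "$root" $vuln/spectre_v2)"
    if jit_always_on "$root"; then
        echo "CONFIG_BPF_JIT_ALWAYS_ON: y"
    else
        echo "CONFIG_BPF_JIT_ALWAYS_ON: not set (interpreter selectable at runtime)"; rc=1
    fi
    jit=$(knob "$root" /proc/sys/net/core/bpf_jit_enable)
    case "$jit" in
        1|2) echo "bpf_jit_enable: $jit (JIT in use)" ;;
        *)   echo "bpf_jit_enable: $jit (interpreter in use, or unknown)"; rc=1 ;;
    esac
    unpriv=$(knob "$root" /proc/sys/kernel/unprivileged_bpf_disabled)
    case "$unpriv" in
        1|2) echo "unprivileged_bpf_disabled: $unpriv (unprivileged loads blocked)" ;;
        *)   echo "unprivileged_bpf_disabled: $unpriv (unprivileged loads allowed, or unknown)"; rc=1 ;;
    esac
    return $rc
}

# Standalone use: sh thisfile --run [root]
if [ "${1-}" = "--run" ]; then bpf_spec_report "${2-}"; fi
```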