Date: Thu, 3 May 2018 16:27:57 -0700
From: Kees Cook
Subject: [MODERATED] Re: [PATCH 0/5] SSB extra 0
Message-ID: <20180503232757.GF6017@outflux.net>
To: speck@linutronix.de

On Thu, May 03, 2018 at 03:29:43PM -0700, speck for Dave Hansen wrote:
> BPF is a potential source of gadgets that can be used for memory
> disambiguation-based attacks. To help mitigate these, we enable
> the bit in SPEC_CTRL which enables the reduced (memory)
> speculation mode on the processor when running BPF code.

Do you mean eBPF, or even cBPF? For example, can gadgets be built using
the BPF used in seccomp()? Prior speculation flaws weren't exposed there,
so it might be possible (though ironic given my other seccomp series) to
not trigger this for seccomp BPF execution... :P

-Kees

--
Kees Cook @outflux.net