From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mga07.intel.com ([134.134.136.100]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fEPgS-0000FC-BS for speck@linutronix.de; Fri, 04 May 2018 03:39:10 +0200
Subject: [MODERATED] Re: [PATCH 0/5] SSB extra 0
References: <20180503232757.GF6017@outflux.net>
From: Dave Hansen
Message-ID: <994d4e30-f0f2-69e9-3202-ac1def49ea53@linux.intel.com>
Date: Thu, 3 May 2018 18:37:46 -0700
MIME-Version: 1.0
In-Reply-To: <20180503232757.GF6017@outflux.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

On 05/03/2018 04:27 PM, speck for Kees Cook wrote:
> On Thu, May 03, 2018 at 03:29:43PM -0700, speck for Dave Hansen wrote:
>> BPF is a potential source of gadgets that can be used for memory
>> disambiguation-based attacks. To help mitigate these, we enable the
>> bit in SPEC_CTRL which enables the reduced (memory) speculation
>> mode on the processor when running BPF code.
>
> Do you mean eBPF, or even cBPF?

Right or wrong, my assumption is that you can build gadgets with any of
the variants. I haven't looked in detail into whether the classic VM and
enhanced VM have the building blocks.

My expectation is that we would build out a list of exceptions in
bpf_enter_prog() for programs that are not subject to mitigation. Things
that come from trusted sources, get offloaded to devices, or probably the
ones that do not write to memory.

My thought was that we'll get to the point where the BPF checker sets a
flag in the bpf_prog to tell us what kind of mitigations it needs. We
already do that to some degree, and some BPF program "types" have more
freedom than others.

Either way, I don't think we have the BPF experts on this list, yet. I'm
a BPF newbie for sure.

> For example, can gadgets be built using the BPF used in seccomp()?
> Prior speculation flaws weren't exposed there, so it might be
> possible (though ironic given my other seccomp series) to not trigger
> this for seccomp BPF execution... :P

The irony of seccomp being involved here is not lost on me. :)

Were we just not concerned before because seccomp didn't use arrays?