* [PATCH ebpf v3] bpf: Disallow unprivileged bpf by default
@ 2021-10-29 19:43 Pawan Gupta
2021-11-01 11:57 ` Mark Rutland
0 siblings, 1 reply; 2+ messages in thread
From: Pawan Gupta @ 2021-10-29 19:43 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, netdev, bpf, linux-kernel,
antonio.gomez.iglesias, tony.luck, dave.hansen, gregkh,
mark.rutland, linux
Disabling unprivileged BPF would help prevent unprivileged users from
creating the conditions required for potential speculative execution
side-channel attacks on affected hardware. A deep dive on such attacks
and mitigation is available here [1].
Sync with what many distros are currently applying, disable unprivileged
BPF by default. An admin can enable this at runtime, if necessary.
[1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
v3:
- Drop the conditional default for CONFIG_BPF_UNPRIV_DEFAULT_OFF until
we have an arch generic way to determine arch-common spectre type bugs.
[Mark Rutland, Daniel Borkmann].
- Also drop the patch to Generalize ARM's CONFIG_CPU_SPECTRE.
- Minor changes to commit message.
v2: https://lore.kernel.org/lkml/cover.1635383031.git.pawan.kumar.gupta@linux.intel.com/
- Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures.
- Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE.
- Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE.
- Add reference to BPF spectre presentation in commit message.
v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@linux.intel.com/
kernel/bpf/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index a82d6de86522..73d446294455 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
+ default y
depends on BPF_SYSCALL
help
Disables unprivileged BPF by default by setting the corresponding
@@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF
disable it by setting it to 1 (from which no other transition to
0 is possible anymore).
+ Unprivileged BPF can be used to exploit potential speculative
+ execution side-channel vulnerabilities on affected hardware. If you
+ are concerned about it, answer Y.
+
source "kernel/bpf/preload/Kconfig"
config BPF_LSM
--
2.31.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH ebpf v3] bpf: Disallow unprivileged bpf by default
2021-10-29 19:43 [PATCH ebpf v3] bpf: Disallow unprivileged bpf by default Pawan Gupta
@ 2021-11-01 11:57 ` Mark Rutland
0 siblings, 0 replies; 2+ messages in thread
From: Mark Rutland @ 2021-11-01 11:57 UTC (permalink / raw)
To: Pawan Gupta
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, netdev, bpf, linux-kernel, antonio.gomez.iglesias,
tony.luck, dave.hansen, gregkh, linux
On Fri, Oct 29, 2021 at 12:43:54PM -0700, Pawan Gupta wrote:
> Disabling unprivileged BPF would help prevent unprivileged users from
> creating the conditions required for potential speculative execution
> side-channel attacks on affected hardware. A deep dive on such attacks
> and mitigation is available here [1].
>
> Sync with what many distros are currently applying, disable unprivileged
> BPF by default. An admin can enable this at runtime, if necessary.
>
> [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
FWIW:
Acked-by: Mark Rutland <mark.rutland@arm.com>
Mark.
> ---
> v3:
> - Drop the conditional default for CONFIG_BPF_UNPRIV_DEFAULT_OFF until
> we have an arch generic way to determine arch-common spectre type bugs.
> [Mark Rutland, Daniel Borkmann].
> - Also drop the patch to Generalize ARM's CONFIG_CPU_SPECTRE.
> - Minor changes to commit message.
>
> v2: https://lore.kernel.org/lkml/cover.1635383031.git.pawan.kumar.gupta@linux.intel.com/
> - Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures.
> - Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE.
> - Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE.
> - Add reference to BPF spectre presentation in commit message.
>
> v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@linux.intel.com/
>
> kernel/bpf/Kconfig | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index a82d6de86522..73d446294455 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
> @@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
>
> config BPF_UNPRIV_DEFAULT_OFF
> bool "Disable unprivileged BPF by default"
> + default y
> depends on BPF_SYSCALL
> help
> Disables unprivileged BPF by default by setting the corresponding
> @@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF
> disable it by setting it to 1 (from which no other transition to
> 0 is possible anymore).
>
> + Unprivileged BPF can be used to exploit potential speculative
> + execution side-channel vulnerabilities on affected hardware. If you
> + are concerned about it, answer Y.
> +
> source "kernel/bpf/preload/Kconfig"
>
> config BPF_LSM
> --
> 2.31.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-11-01 11:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-29 19:43 [PATCH ebpf v3] bpf: Disallow unprivileged bpf by default Pawan Gupta
2021-11-01 11:57 ` Mark Rutland
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).