Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp176552imu; Tue, 8 Jan 2019 17:15:51 -0800 (PST) X-Google-Smtp-Source: ALg8bN6Bk3Vt+fZA1vI97m1VN5QMPCBcHkTPj64TjDv6pawMvLcKEteY0Xo8cAMTwHCFplgLU8DK X-Received: by 2002:a62:c101:: with SMTP id i1mr3984140pfg.80.1546996551599; Tue, 08 Jan 2019 17:15:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546996551; cv=none; d=google.com; s=arc-20160816; b=k6pvTcqRMxWB4Z77QyF0ISNxLQN/1zn2Wbb+0VECRAQDZMYNHO144SeAkBtScoVbiK l4Q2Lxid/AUQrb59w0ymaN8d05gH4I0o4wtMF59DYHZroudndWH1gYTl4TTgU/pB3C0D rVDOtp8BLrNNM5iCZQ3e/Lm9AOozu5vSw1/WCZrGh3KhP+E8b5bUb/KlDsI4ePnk959Y vp3HAb+e0GVAQ4GyBryclooc+qy5N4cCHdZJccomLtDL/vjBLDG3TXysFa+kxrxY49PQ 1V1xEHsm12fBgMbbOJOKfkXmRSN7PUjEHRPbF7Cep0l4D5w+IZseOQbULpmDSxGhfKFs 1nAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=4Yw7LxcbEhRGObVUu3WnzKblWii9vQwCnCaLzeNRym0=; b=nMrgHdlBt1axajrLEC5KS27J/5MSAi/G5NEK6gVoZ8HQQebOIAf/5SLLRk/0U/GUjB r0H2JLTF9dq2yXo+p3TZoUI7GTw73uxMGY1hD5I5Oc4fnZlyrgUeHHRo3Ff7jWZSulGX T+hmi7dJmyOrY8zMSG4alMRPA+q1K4G/Qbx9u0LB5x78q+Z4UTrdkWIyMgNQVPNpTsHf GEWbpDS3Jvk07DgiDXhRaodTYaCMz1QLsT9395QK+BrgadfYkiFbJHRzzSlQRiMgoD1e PimkJf16fh8wr88yW+joFrjXUEB0BvR0eL1An+GAScs8RHnniRzsiF3p2+6AMsNQv9bI CBKQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cUo9Va03; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f21si63076199pgv.111.2019.01.08.17.15.36; Tue, 08 Jan 2019 17:15:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=cUo9Va03; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729102AbfAIBLh (ORCPT + 99 others); Tue, 8 Jan 2019 20:11:37 -0500 Received: from mail-pl1-f193.google.com ([209.85.214.193]:37960 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728348AbfAIBLg (ORCPT ); Tue, 8 Jan 2019 20:11:36 -0500 Received: by mail-pl1-f193.google.com with SMTP id e5so2738226plb.5; Tue, 08 Jan 2019 17:11:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=4Yw7LxcbEhRGObVUu3WnzKblWii9vQwCnCaLzeNRym0=; b=cUo9Va03yYo9gO/j+AzWlh2hfYMC5oqRXuqcJl9pwC9JskKtwpCxiccsGmyDI9FiWS rdI8Fgxj0uf026RUpVVt7jxr+tn8Bk1Gvz1i97iyeQ++6HTsV8xZ9dyYpxV/39E0ZjH5 UImjJB3HBdB2hjOnKB7uPdtosqmLgPT7KEHJ9mP4tV0/AmlE5ePaHS8VPcJbSBcUc5OV o23d2zNWiFLCr1sYdQ8AtjHE9YzVXUbFKl57aufWRK1BFrtxjK1EUkWIasILwKGEIUGk ICw/insHQPkkJxaVse2fBxBEXiB/3R+MwHSKU5lV6ZWYLCpslYUMluVBd7n1QS+pR1ZX fiAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=4Yw7LxcbEhRGObVUu3WnzKblWii9vQwCnCaLzeNRym0=; b=mewf4Rq9G7s0w86auYAZtI3IbPlt01mt9hmGMlQxRIy2sRNF8PY8wQ6t1rybHHLVT/ 87l8pMZxBYYzxLAxbSPIqSA1phY58X+QsB02+30hcdec4BvWlTNd+OO3Bk/Qq7X4WQpz LI9h+6NqjBVnb8DUdtErSXrGi3Y2y5ZikOCOSn9S9DlXuTCbdiqmf4S4DrLTM1W91AvC xu7TDg0wV17i+gw/Lzxi+PK0SXpnJqakSSdHC1fzOEDQy1HG3Uv5iA7dAVqg1uabEfXD pNzcum4h1ThUuMOhGKrXjIzGMAAbbeMmDYjFgfJYom1nGbM/QtpIl63FeEb+cKJu877p fJwQ== X-Gm-Message-State: AJcUukcmz2aoxZEInOdj4xc4VYYGvROlfStWzy0qSFBlPHIBAcEftA7w PlL+J/7EU71gGO22lYZDeDgaiEIX X-Received: by 2002:a17:902:e18c:: with SMTP id cd12mr3777883plb.279.1546996295621; Tue, 08 Jan 2019 17:11:35 -0800 (PST) Received: from ast-mbp ([2620:10d:c090:200::7:958e]) by smtp.gmail.com with ESMTPSA id s130sm136120735pgc.60.2019.01.08.17.11.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 Jan 2019 17:11:34 -0800 (PST) Date: Tue, 8 Jan 2019 17:11:32 -0800 From: Alexei Starovoitov To: Tim Chen Cc: Thomas Gleixner , Jiri Kosina , Linus Torvalds , Tom Lendacky , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , David Woodhouse , Andi Kleen , Dave Hansen , Asit Mallick , Arjan van de Ven , Jon Masters , Waiman Long , Greg KH , Borislav Petkov , linux-kernel@vger.kernel.org, x86@kernel.org, stable@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net Subject: Re: [PATCH] x86/speculation: Add document to describe Spectre and its mitigations Message-ID: <20190109011130.wrsrcaly2mgnou3k@ast-mbp> References: <64efec3fda40c0758601bf9b1480a35d76d3c487.1545413988.git.tim.c.chen@linux.intel.com> <20181223231149.5yuenb53pavlvr3m@ast-mbp.dhcp.thefacebook.com> <2278b1c7-5d20-3c89-eab1-ea34145dc73d@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2278b1c7-5d20-3c89-eab1-ea34145dc73d@linux.intel.com> User-Agent: NeoMutt/20180223 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 08, 2019 at 01:12:45PM -0800, Tim Chen wrote: > On 12/23/18 3:11 PM, Alexei Starovoitov wrote: > > On Fri, Dec 21, 2018 at 09:44:44AM -0800, Tim Chen wrote: > >> + > >> +4. Kernel sandbox attacking kernel > >> +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > >> + > >> +The kernel has support for running user-supplied programs within the > >> +kernel. Specific rules (such as bounds checking) are enforced on these > >> +programs by the kernel to ensure that they do not violate access controls. > >> + > >> +eBPF is a kernel sub-system that uses user-supplied program > >> +to execute JITed untrusted byte code inside the kernel. eBPF is used > >> +for manipulating and examining network packets, examining system call > >> +parameters for sand boxes and other uses. > >> + > >> +A malicious local process could upload and trigger an malicious > >> +eBPF script to the kernel, with the script attacking the kernel > >> +using variant 1 or 2 and reading memory. > > > > Above is not correct. > > The exploit for var2 does not load bpf progs into kernel. > > Instead the bpf interpreter is speculatively executing bpf prog > > that was never loaded. > > Hence CONFIG_BPF_JIT_ALWAYS_ON=y is necessary to make var2 harder > > to exploit. > > Same goes for other in kernel interpreters and state machines. > > > >> + > >> +Necessary Prerequisites: > >> +1. Malicious local process > >> +2. eBPF JIT enabled for unprivileged users, attacking kernel with secrets > >> +on the same machine. > > > > This is not quite correct either. > > Var 1 could have been exploited with and without JIT. > > Also above sounds like that var1 is still exploitable through bpf > > which is not the case. > > > > Alexi, > > Do you have any suggestions on how to rewrite this two paragraphs? You > are probably the best person to update content for this section. how about moving bpf bits out of this doc and placing them under Documentation/bpf/ ? We can create bpf_security.rst there with specdown mitigations, best practices, useful sysctl and config knobs, etc.