Re: [PATCH v3 bpf-next] selftests/bpf: Fix selftests broken by mitigations=off

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Yonghong Song <yonghong.song@linux.dev>
To: Yafang Shao <laoar.shao@gmail.com>, alexei.starovoitov@gmail.com
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	daniel@iogearbox.net, gerhorst@cs.fau.de, haoluo@google.com,
	john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
	martin.lau@linux.dev, sdf@google.com, song@kernel.org
Subject: Re: [PATCH v3 bpf-next] selftests/bpf: Fix selftests broken by mitigations=off
Date: Tue, 24 Oct 2023 21:56:32 -0700	[thread overview]
Message-ID: <e6c950d7-bb81-4265-bbbe-0201694280b3@linux.dev> (raw)
In-Reply-To: <20231025031144.5508-1-laoar.shao@gmail.com>


On 10/24/23 8:11 PM, Yafang Shao wrote:
> When we configure the kernel command line with 'mitigations=off' and set
> the sysctl knob 'kernel.unprivileged_bpf_disabled' to 0, the commit
> bc5bc309db45 ("bpf: Inherit system settings for CPU security mitigations")
> causes issues in the execution of `test_progs -t verifier`. This is because
> 'mitigations=off' bypasses Spectre v1 and Spectre v4 protections.
>
> Currently, when a program requests to run in unprivileged mode
> (kernel.unprivileged_bpf_disabled = 0), the BPF verifier may prevent it
> from running due to the following conditions not being enabled:
>
>    - bypass_spec_v1
>    - bypass_spec_v4
>    - allow_ptr_leaks
>    - allow_uninit_stack
>
> While 'mitigations=off' enables the first two conditions, it does not
> enable the latter two. As a result, some test cases in
> 'test_progs -t verifier' that were expected to fail to run may run
> successfully, while others still fail but with different error messages.
> This makes it challenging to address them comprehensively.
>
> Moreover, in the future, we may introduce more fine-grained control over
> CPU mitigations, such as enabling only bypass_spec_v1 or bypass_spec_v4.
>
> Given the complexity of the situation, rather than fixing each broken test
> case individually, it's preferable to skip them when 'mitigations=off' is
> in effect and introduce specific test cases for the new 'mitigations=off'
> scenario. For instance, we can introduce new BTF declaration tags like
> '__failure__nospec', '__failure_nospecv1' and '__failure_nospecv4'.
>
> In this patch, the approach is to simply skip the broken test cases when
> 'mitigations=off' is enabled. The result of `test_progs -t verifier` as
> follows after this commit,
>
> Before this commit
> ==================
> - without 'mitigations=off'
>    - kernel.unprivileged_bpf_disabled = 2
>      Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>    - kernel.unprivileged_bpf_disabled = 0
>      Summary: 74/1336 PASSED, 0 SKIPPED, 0 FAILED   <<<<
> - with 'mitigations=off'
>    - kernel.unprivileged_bpf_disabled = 2
>      Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>    - kernel.unprivileged_bpf_disabled = 0
>      Summary: 63/1276 PASSED, 0 SKIPPED, 11 FAILED   <<<< 11 FAILED
>
> After this commit
> =================
> - without 'mitigations=off'
>    - kernel.unprivileged_bpf_disabled = 2
>      Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>    - kernel.unprivileged_bpf_disabled = 0
>      Summary: 74/1336 PASSED, 0 SKIPPED, 0 FAILED    <<<<
> - with this patch, with 'mitigations=off'
>    - kernel.unprivileged_bpf_disabled = 2
>      Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED
>    - kernel.unprivileged_bpf_disabled = 0
>      Summary: 74/948 PASSED, 388 SKIPPED, 0 FAILED   <<<< SKIPPED
>
> Fixes: bc5bc309db45 ("bpf: Inherit system settings for CPU security mitigations")
> Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
> Closes: https://lore.kernel.org/bpf/CAADnVQKUBJqg+hHtbLeeC2jhoJAWqnmRAzXW3hmUCNSV9kx4sQ@mail.gmail.com
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>

Ack with a nit below.
Acked-by: Yonghong Song <yonghong.song@linux.dev>

> ---
>   tools/testing/selftests/bpf/unpriv_helpers.c | 35 +++++++++++++++++++-
>   1 file changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/unpriv_helpers.c b/tools/testing/selftests/bpf/unpriv_helpers.c
> index 2a6efbd0401e..7101e72ef4a3 100644
> --- a/tools/testing/selftests/bpf/unpriv_helpers.c
> +++ b/tools/testing/selftests/bpf/unpriv_helpers.c
> @@ -4,9 +4,42 @@
>   #include <stdlib.h>
>   #include <error.h>
>   #include <stdio.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include <fcntl.h>
>   
>   #include "unpriv_helpers.h"
>   
> [...]
>   bool get_unpriv_disabled(void)
>   {
>   	bool disabled;
> @@ -22,5 +55,5 @@ bool get_unpriv_disabled(void)
>   		disabled = true;
>   	}
>   
> -	return disabled;
> +	return disabled ? true : get_mitigations_off();

Above code is correct. But you could slightly simplify it with
	return disabled ? : get_mitigations_off();

I guess maintainer can decide whether simplification is needed
or not.

>   }

next prev parent reply	other threads:[~2023-10-25  4:56 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-05  8:41 [PATCH bpf-next] bpf: Inherit system settings for CPU security mitigations Yafang Shao
2023-10-05 17:24 ` Stanislav Fomichev
2023-10-05 18:01 ` Song Liu
2023-10-05 23:30   ` KP Singh
2023-10-06 16:55     ` Daniel Borkmann
2023-10-06 18:20 ` patchwork-bot+netdevbpf
2023-10-11 22:53 ` Andrii Nakryiko
2023-10-12  2:29   ` Yafang Shao
2023-10-12  4:42     ` Andrii Nakryiko
2023-10-20  0:42 ` Alexei Starovoitov
2023-10-20  2:35   ` Yafang Shao
2023-10-22  9:26   ` [PATCH bpf-next] selftests/bpf: Fix selftests broken by mitigations=off Yafang Shao
2023-10-22  9:49     ` [PATCH v2 " Yafang Shao
2023-10-22 10:05       ` Yafang Shao
2023-10-22 11:27       ` kernel test robot
2023-10-25  3:11   ` [PATCH v3 " Yafang Shao
2023-10-25  4:56     ` Yonghong Song [this message]
2023-10-26 13:46       ` Daniel Borkmann
2023-10-26 16:54         ` Yonghong Song
2023-10-26 13:50     ` patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e6c950d7-bb81-4265-bbbe-0201694280b3@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=alexei.starovoitov@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=gerhorst@cs.fau.de \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=laoar.shao@gmail.com \
    --cc=martin.lau@linux.dev \
    --cc=sdf@google.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.