From: Eduard Zingerman <eddyz87@gmail.com>
To: Luis Gerhorst <luis.gerhorst@fau.de>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
Puranjay Mohan <puranjay@kernel.org>,
Xu Kuohai <xukuohai@huaweicloud.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Hari Bathini <hbathini@linux.ibm.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Naveen N Rao <naveen@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
Henriette Herzog <henriette.herzog@rub.de>,
Cupertino Miranda <cupertino.miranda@oracle.com>,
Matan Shachnai <m.shachnai@gmail.com>,
Dimitar Kanaliev <dimitar.kanaliev@siteground.com>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>, Daniel Xu <dxu@dxuuu.xyz>,
bpf@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kselftest@vger.kernel.org,
George Guo <guodongtai@kylinos.cn>, WANG Xuerui <git@xen0n.name>,
Tiezhu Yang <yangtiezhu@loongson.cn>
Subject: Re: [PATCH bpf-next 00/11] bpf: Mitigate Spectre v1 using barriers
Date: Fri, 14 Mar 2025 16:40:08 -0700 [thread overview]
Message-ID: <f6f08d64c777a6022771ab0adf96cefb6b631d75.camel@gmail.com> (raw)
In-Reply-To: <20250313172127.1098195-1-luis.gerhorst@fau.de>
On Thu, 2025-03-13 at 18:21 +0100, Luis Gerhorst wrote:
> This improves the expressiveness of unprivileged BPF by inserting
> speculation barriers instead of rejecting the programs.
>
> The approach was previously presented at LPC'24 [1] and RAID'24 [2].
>
> To mitigate the Spectre v1 (PHT) vulnerability, the kernel rejects
> potentially-dangerous unprivileged BPF programs as of
> commit 9183671af6db ("bpf: Fix leakage under speculation on mispredicted
> branches"). In [2], we have analyzed 364 object files from open source
> projects (Linux Samples and Selftests, BCC, Loxilb, Cilium, libbpf
> Examples, Parca, and Prevail) and found that this affects 31% to 54% of
> programs.
>
> To resolve this in the majority of cases this patchset adds a fall-back
> for mitigating Spectre v1 using speculation barriers. The kernel still
> optimistically attempts to verify all speculative paths but uses
> speculation barriers against v1 when unsafe behavior is detected. This
> allows for more programs to be accepted without disabling the BPF
> Spectre mitigations (e.g., by setting cpu_mitigations_off()).
>
> In [1] we have measured the overhead of this approach relative to having
> mitigations off and including the upstream Spectre v4 mitigations. For
> event tracing and stack-sampling profilers, we found that mitigations
> increase BPF program execution time by 0% to 62%. For the Loxilb network
> load balancer, we have measured a 14% slowdown in SCTP performance but
> no significant slowdown for TCP. This overhead only applies to programs
> that were previously rejected.
>
> I reran the expressiveness-evaluation with v6.14 and made sure the main
> results still match those from [1] and [2] (which used v6.5).
>
> Main design decisions are:
>
> * Do not use separate bytecode insns for v1 and v4 barriers. This
> simplifies the verifier significantly and has the only downside that
> performance on PowerPC is not as high as it could be.
>
> * Allow archs to still disable v1/v4 mitigations separately by setting
> bpf_jit_bypass_spec_v1/v4(). This has the benefit that archs can
> benefit from improved BPF expressiveness / performance if they are not
> vulnerable (e.g., ARM64 for v4 in the kernel).
>
> * Do not remove the empty BPF_NOSPEC implementation for backends for
> which it is unknown whether they are vulnerable to Spectre v1.
[...]
I think it would be good to have some tests checking that nospec
instructions are inserted in expected locations.
Could you please take look at use of __xlated tag in e.g.
tools/testing/selftests/bpf/progs/verifier_sdiv.c ?
[...]
next prev parent reply other threads:[~2025-03-14 23:40 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-13 17:21 [PATCH bpf-next 00/11] bpf: Mitigate Spectre v1 using barriers Luis Gerhorst
2025-03-13 17:21 ` [PATCH bpf-next 01/11] bpf: Move insn if/else into do_check_insn() Luis Gerhorst
2025-03-14 22:47 ` Eduard Zingerman
2025-03-15 14:35 ` Luis Gerhorst
2025-03-13 17:21 ` [PATCH bpf-next 02/11] bpf: Return -EFAULT on misconfigurations Luis Gerhorst
2025-03-15 8:06 ` Eduard Zingerman
2025-03-13 17:29 ` [PATCH bpf-next 03/11] bpf: Return -EFAULT on internal errors Luis Gerhorst
2025-03-15 8:07 ` Eduard Zingerman
2025-03-13 17:33 ` [PATCH bpf-next 04/11] bpf, arm64, powerpc: Add bpf_jit_bypass_spec_v1/v4() Luis Gerhorst
2025-03-13 17:38 ` [PATCH bpf-next 05/11] bpf, arm64, powerpc: Change nospec to include v1 barrier Luis Gerhorst
2025-03-13 17:41 ` [PATCH bpf-next 06/11] bpf: Rename sanitize_stack_spill to nospec_result Luis Gerhorst
2025-03-13 17:41 ` [PATCH bpf-next 07/11] bpf: Fall back to nospec for Spectre v1 Luis Gerhorst
2025-03-13 17:41 ` [PATCH bpf-next 08/11] bpf: Allow nospec-protected var-offset stack access Luis Gerhorst
2025-03-13 17:41 ` [PATCH bpf-next 09/11] bpf: Return PTR_ERR from push_stack() Luis Gerhorst
2025-03-17 9:19 ` Eduard Zingerman
2025-03-18 7:59 ` Luis Gerhorst
2025-03-13 17:53 ` [PATCH bpf-next 10/11] bpf: Fall back to nospec for sanitization-failures Luis Gerhorst
2025-03-13 17:53 ` [PATCH bpf-next 11/11] bpf: Fall back to nospec for spec path verification Luis Gerhorst
2025-03-19 2:40 ` Alexei Starovoitov
2025-03-19 9:06 ` Luis Gerhorst
2025-04-03 20:33 ` Alexei Starovoitov
2025-03-14 23:40 ` Eduard Zingerman [this message]
2025-03-15 15:20 ` [PATCH bpf-next 00/11] bpf: Mitigate Spectre v1 using barriers Luis Gerhorst
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6f08d64c777a6022771ab0adf96cefb6b631d75.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=catalin.marinas@arm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=cupertino.miranda@oracle.com \
--cc=daniel@iogearbox.net \
--cc=dimitar.kanaliev@siteground.com \
--cc=dxu@dxuuu.xyz \
--cc=git@xen0n.name \
--cc=guodongtai@kylinos.cn \
--cc=haoluo@google.com \
--cc=hbathini@linux.ibm.com \
--cc=henriette.herzog@rub.de \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luis.gerhorst@fau.de \
--cc=m.shachnai@gmail.com \
--cc=maddy@linux.ibm.com \
--cc=martin.lau@linux.dev \
--cc=mpe@ellerman.id.au \
--cc=mykolal@fb.com \
--cc=naveen@kernel.org \
--cc=npiggin@gmail.com \
--cc=puranjay@kernel.org \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=shung-hsi.yu@suse.com \
--cc=song@kernel.org \
--cc=will@kernel.org \
--cc=xukuohai@huaweicloud.com \
--cc=yangtiezhu@loongson.cn \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).