* [PATCH ebpf v2 0/2] Unprivileged BPF default
@ 2021-10-28 1:32 Pawan Gupta
2021-10-28 1:35 ` [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE Pawan Gupta
0 siblings, 1 reply; 6+ messages in thread
From: Pawan Gupta @ 2021-10-28 1:32 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, netdev, bpf, linux-kernel,
antonio.gomez.iglesias, tony.luck, dave.hansen
Hi,
This is a two patch series to make the compile time default of
unprivileged BPF depend on CONFIG_CPU_SPECTRE. First patch makes ARM's
CONFIG_CPU_SPECTRE available for all architectures. The second patch
sets CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default when
CONFIG_CPU_SPECTRE=y.
v2:
- Generalize ARM's CONFIG_CPU_SPECTRE to be available for all architectures.
- Make CONFIG_BPF_UNPRIV_DEFAULT_OFF depend on CONFIG_CPU_SPECTRE.
- Updated commit message to reflect the dependency on CONFIG_CPU_SPECTRE.
- Add reference to BPF spectre presentation in commit message.
v1: https://lore.kernel.org/all/d37b01e70e65dced2659561ed5bc4b2ed1a50711.1635367330.git.pawan.kumar.gupta@linux.intel.com/
Pawan Gupta (2):
arch/Kconfig: Make CONFIG_CPU_SPECTRE available for all architectures
bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
arch/Kconfig | 3 +++
arch/arm/mm/Kconfig | 3 ---
arch/x86/Kconfig | 1 +
kernel/bpf/Kconfig | 5 +++++
4 files changed, 9 insertions(+), 3 deletions(-)
--
2.31.1
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
2021-10-28 1:32 [PATCH ebpf v2 0/2] Unprivileged BPF default Pawan Gupta
@ 2021-10-28 1:35 ` Pawan Gupta
2021-10-28 5:34 ` Greg KH
2021-10-28 13:57 ` Mark Rutland
0 siblings, 2 replies; 6+ messages in thread
From: Pawan Gupta @ 2021-10-28 1:35 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann
Cc: Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song,
John Fastabend, KP Singh, netdev, bpf, linux-kernel,
antonio.gomez.iglesias, tony.luck, dave.hansen, gregkh
Disabling unprivileged BPF would help prevent unprivileged users from
creating the conditions required for potential speculative execution
side-channel attacks on affected hardware. A deep dive on such attacks
and mitigation is available here [1].
If an architecture selects CONFIG_CPU_SPECTRE, disable unprivileged BPF
by default. An admin can enable this at runtime, if necessary.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
[1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
---
kernel/bpf/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index a82d6de86522..510a5a73f9a2 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
config BPF_UNPRIV_DEFAULT_OFF
bool "Disable unprivileged BPF by default"
+ default y if CPU_SPECTRE
depends on BPF_SYSCALL
help
Disables unprivileged BPF by default by setting the corresponding
@@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF
disable it by setting it to 1 (from which no other transition to
0 is possible anymore).
+ Unprivileged BPF can be used to exploit potential speculative
+ execution side-channel vulnerabilities on affected hardware. If you
+ are concerned about it, answer Y.
+
source "kernel/bpf/preload/Kconfig"
config BPF_LSM
--
2.31.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
2021-10-28 1:35 ` [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE Pawan Gupta
@ 2021-10-28 5:34 ` Greg KH
2021-10-28 19:38 ` Pawan Gupta
2021-10-28 13:57 ` Mark Rutland
1 sibling, 1 reply; 6+ messages in thread
From: Greg KH @ 2021-10-28 5:34 UTC (permalink / raw)
To: Pawan Gupta
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, netdev, bpf, linux-kernel, antonio.gomez.iglesias,
tony.luck, dave.hansen
On Wed, Oct 27, 2021 at 06:35:44PM -0700, Pawan Gupta wrote:
> Disabling unprivileged BPF would help prevent unprivileged users from
> creating the conditions required for potential speculative execution
> side-channel attacks on affected hardware. A deep dive on such attacks
> and mitigation is available here [1].
>
> If an architecture selects CONFIG_CPU_SPECTRE, disable unprivileged BPF
> by default. An admin can enable this at runtime, if necessary.
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
>
> [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
This should go above the signed-off-by line, in the changelog text, not
below it, otherwise our tools get confused when trying to apply it.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
2021-10-28 1:35 ` [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE Pawan Gupta
2021-10-28 5:34 ` Greg KH
@ 2021-10-28 13:57 ` Mark Rutland
2021-10-28 16:44 ` Greg KH
1 sibling, 1 reply; 6+ messages in thread
From: Mark Rutland @ 2021-10-28 13:57 UTC (permalink / raw)
To: Pawan Gupta
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, netdev, bpf, linux-kernel, antonio.gomez.iglesias,
tony.luck, dave.hansen, gregkh
On Wed, Oct 27, 2021 at 06:35:44PM -0700, Pawan Gupta wrote:
> Disabling unprivileged BPF would help prevent unprivileged users from
> creating the conditions required for potential speculative execution
> side-channel attacks on affected hardware. A deep dive on such attacks
> and mitigation is available here [1].
>
> If an architecture selects CONFIG_CPU_SPECTRE, disable unprivileged BPF
> by default. An admin can enable this at runtime, if necessary.
>
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
>
> [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
> ---
> kernel/bpf/Kconfig | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> index a82d6de86522..510a5a73f9a2 100644
> --- a/kernel/bpf/Kconfig
> +++ b/kernel/bpf/Kconfig
> @@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
>
> config BPF_UNPRIV_DEFAULT_OFF
> bool "Disable unprivileged BPF by default"
> + default y if CPU_SPECTRE
Why can't this just be "default y"?
This series makes that the case on x86, and if SW is going to have to
deal with that we may as well do that everywhere, and say that on all
architectures we leave it to the sysadmin or kernel builder to optin to
permitting unprivileged BPF.
If we can change the default for x86 I see no reason we can't change
this globally, and we avoid tying this to CPU_SPECTRE specifically.
Thanks,
Mark.
> depends on BPF_SYSCALL
> help
> Disables unprivileged BPF by default by setting the corresponding
> @@ -72,6 +73,10 @@ config BPF_UNPRIV_DEFAULT_OFF
> disable it by setting it to 1 (from which no other transition to
> 0 is possible anymore).
>
> + Unprivileged BPF can be used to exploit potential speculative
> + execution side-channel vulnerabilities on affected hardware. If you
> + are concerned about it, answer Y.
> +
> source "kernel/bpf/preload/Kconfig"
>
> config BPF_LSM
> --
> 2.31.1
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
2021-10-28 13:57 ` Mark Rutland
@ 2021-10-28 16:44 ` Greg KH
0 siblings, 0 replies; 6+ messages in thread
From: Greg KH @ 2021-10-28 16:44 UTC (permalink / raw)
To: Mark Rutland
Cc: Pawan Gupta, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, netdev, bpf, linux-kernel, antonio.gomez.iglesias,
tony.luck, dave.hansen
On Thu, Oct 28, 2021 at 02:57:51PM +0100, Mark Rutland wrote:
> On Wed, Oct 27, 2021 at 06:35:44PM -0700, Pawan Gupta wrote:
> > Disabling unprivileged BPF would help prevent unprivileged users from
> > creating the conditions required for potential speculative execution
> > side-channel attacks on affected hardware. A deep dive on such attacks
> > and mitigation is available here [1].
> >
> > If an architecture selects CONFIG_CPU_SPECTRE, disable unprivileged BPF
> > by default. An admin can enable this at runtime, if necessary.
> >
> > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> >
> > [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
> > ---
> > kernel/bpf/Kconfig | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
> > index a82d6de86522..510a5a73f9a2 100644
> > --- a/kernel/bpf/Kconfig
> > +++ b/kernel/bpf/Kconfig
> > @@ -64,6 +64,7 @@ config BPF_JIT_DEFAULT_ON
> >
> > config BPF_UNPRIV_DEFAULT_OFF
> > bool "Disable unprivileged BPF by default"
> > + default y if CPU_SPECTRE
>
> Why can't this just be "default y"?
Because not all arches are broken.
> This series makes that the case on x86, and if SW is going to have to
> deal with that we may as well do that everywhere, and say that on all
> architectures we leave it to the sysadmin or kernel builder to optin to
> permitting unprivileged BPF.
>
> If we can change the default for x86 I see no reason we can't change
> this globally, and we avoid tying this to CPU_SPECTRE specifically.
No, this is a spectre-like issue only, if you have hardware that does
not have these types of issues, why wouldn't this be ok to be disabled?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE
2021-10-28 5:34 ` Greg KH
@ 2021-10-28 19:38 ` Pawan Gupta
0 siblings, 0 replies; 6+ messages in thread
From: Pawan Gupta @ 2021-10-28 19:38 UTC (permalink / raw)
To: Greg KH
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
KP Singh, netdev, bpf, linux-kernel, antonio.gomez.iglesias,
tony.luck, dave.hansen
On 28.10.2021 07:34, Greg KH wrote:
>On Wed, Oct 27, 2021 at 06:35:44PM -0700, Pawan Gupta wrote:
>> Disabling unprivileged BPF would help prevent unprivileged users from
>> creating the conditions required for potential speculative execution
>> side-channel attacks on affected hardware. A deep dive on such attacks
>> and mitigation is available here [1].
>>
>> If an architecture selects CONFIG_CPU_SPECTRE, disable unprivileged BPF
>> by default. An admin can enable this at runtime, if necessary.
>>
>> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
>>
>> [1] https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf
>
>This should go above the signed-off-by line, in the changelog text, not
>below it, otherwise our tools get confused when trying to apply it.
Thanks, I will fix it.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-10-28 19:36 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-28 1:32 [PATCH ebpf v2 0/2] Unprivileged BPF default Pawan Gupta
2021-10-28 1:35 ` [PATCH ebpf v2 2/2] bpf: Make unprivileged bpf depend on CONFIG_CPU_SPECTRE Pawan Gupta
2021-10-28 5:34 ` Greg KH
2021-10-28 19:38 ` Pawan Gupta
2021-10-28 13:57 ` Mark Rutland
2021-10-28 16:44 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).