seccomp updates for v5.16-rc1

- set spec_store_bypass_disable & spectre_v2_user to prctl (Andrea Arcangeli)
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAmGAGAkWHGtlZXNjb29r
 QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJqOWD/4mMFp84IMa/VdCmD6PS+BhisyI
 i7+Hyfisg8AWpjgW4+JihU/6hfsDgs/hNNKbiIopcwc/12KV4M0QIQyF7vmceSwB
 uMsAX7pkobNUUisnrQVbw6boK4hrBvrV3STlVdRHvNlLeQLQIu4UN3+9UMj/qsmh
 46ltdxR489oDDLXFgMkKq9auVP2t5t4fbyRmgBPLSKIXaOxIhWck3kUQwt/Rbr44
 M87/Xr4iQ0w4ddiBFJz9GOHQ5Iz08ms4dBfO+e5FSl6I69Nt6q836el35c/6j4y8
 r7C21WU088MSkjk75RCa3v2sq8db2CjLe+wBugq+yYC29qGgxtTiUZaoiNQCN5bL
 DIRfl1iU5Ge1wEKorpr3DR6DksmfJO4MNPdMo4CcVZT3Gkdi7udLHfrEI82xgdDl
 lh1UiJlRx4YNEcDbGBnxCzKGwauqHa2TgPNWulUPdH7OGhUL86FAV49L84uz9lCD
 C/+PKxDqc2XKjbgqMsbuyQ7hzB2KQK/ieEXzduoHxTxIr5vO/viENrbkUiSL8bsO
 6msCVbCIjtFDvW4Ac16IOwGoflJ7vLAIuXIdAYCeN+JXqOVV+FG/MN447Y674FeH
 R84G6JCT82ULEXrKlwuoSSVJEwA5lzP4IwoWm/ujeUbzi1s+7m+7WRpuJe2jZm6c
 zPsCVkNPUrvp82L/wA==
 =NAsc
 -----END PGP SIGNATURE-----

Merge tag 'seccomp-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull seccomp updates from Kees Cook:
 "These are x86-specific, but I carried these since they're also
  seccomp-specific.

  This flips the defaults for spec_store_bypass_disable and
  spectre_v2_user from "seccomp" to "prctl", as enough time has passed
  to allow system owners to have updated the defensive stances of their
  various workloads, and it's long overdue to unpessimize seccomp
  threads.

  Extensive rationale and details are in Andrea's main patch.

  Summary:

   - set spec_store_bypass_disable & spectre_v2_user to prctl (Andrea Arcangeli)"

* tag 'seccomp-v5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  x86: deduplicate the spectre_v2_user documentation
  x86: change default to spec_store_bypass_disable=prctl spectre_v2_user=prctl
This commit is contained in:
Linus Torvalds 2021-11-01 17:25:09 -07:00
commit a5a9e00605
3 changed files with 10 additions and 60 deletions

View File

@ -490,9 +490,8 @@ Spectre variant 2
Restricting indirect branch speculation on a user program will Restricting indirect branch speculation on a user program will
also prevent the program from launching a variant 2 attack also prevent the program from launching a variant 2 attack
on x86. All sand-boxed SECCOMP programs have indirect branch on x86. Administrators can change that behavior via the kernel
speculation restricted by default. Administrators can change command line and sysfs control files.
that behavior via the kernel command line and sysfs control files.
See :ref:`spectre_mitigation_control_command_line`. See :ref:`spectre_mitigation_control_command_line`.
Programs that disable their indirect branch speculation will have Programs that disable their indirect branch speculation will have
@ -594,61 +593,14 @@ kernel command line.
Not specifying this option is equivalent to Not specifying this option is equivalent to
spectre_v2=auto. spectre_v2=auto.
For user space mitigation:
spectre_v2_user=
[X86] Control mitigation of Spectre variant 2
(indirect branch speculation) vulnerability between
user space tasks
on
Unconditionally enable mitigations. Is
enforced by spectre_v2=on
off
Unconditionally disable mitigations. Is
enforced by spectre_v2=off
prctl
Indirect branch speculation is enabled,
but mitigation can be enabled via prctl
per thread. The mitigation control state
is inherited on fork.
prctl,ibpb
Like "prctl" above, but only STIBP is
controlled per thread. IBPB is issued
always when switching between different user
space processes.
seccomp
Same as "prctl" above, but all seccomp
threads will enable the mitigation unless
they explicitly opt out.
seccomp,ibpb
Like "seccomp" above, but only STIBP is
controlled per thread. IBPB is issued
always when switching between different
user space processes.
auto
Kernel selects the mitigation depending on
the available CPU features and vulnerability.
Default mitigation:
If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
Not specifying this option is equivalent to
spectre_v2_user=auto.
In general the kernel by default selects In general the kernel by default selects
reasonable mitigations for the current CPU. To reasonable mitigations for the current CPU. To
disable Spectre variant 2 mitigations, boot with disable Spectre variant 2 mitigations, boot with
spectre_v2=off. Spectre variant 1 mitigations spectre_v2=off. Spectre variant 1 mitigations
cannot be disabled. cannot be disabled.
For spectre_v2_user see :doc:`/admin-guide/kernel-parameters`.
Mitigation selection guide Mitigation selection guide
-------------------------- --------------------------
@ -674,9 +626,8 @@ Mitigation selection guide
off by disabling their indirect branch speculation when they are run off by disabling their indirect branch speculation when they are run
(See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`). (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
This prevents untrusted programs from polluting the branch target This prevents untrusted programs from polluting the branch target
buffer. All programs running in SECCOMP sandboxes have indirect buffer. This behavior can be changed via the kernel command line
branch speculation restricted by default. This behavior can be and sysfs control files. See
changed via the kernel command line and sysfs control files. See
:ref:`spectre_mitigation_control_command_line`. :ref:`spectre_mitigation_control_command_line`.
3. High security mode 3. High security mode

View File

@ -5303,8 +5303,7 @@
auto - Kernel selects the mitigation depending on auto - Kernel selects the mitigation depending on
the available CPU features and vulnerability. the available CPU features and vulnerability.
Default mitigation: Default mitigation: "prctl"
If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
Not specifying this option is equivalent to Not specifying this option is equivalent to
spectre_v2_user=auto. spectre_v2_user=auto.
@ -5348,7 +5347,7 @@
will disable SSB unless they explicitly opt out. will disable SSB unless they explicitly opt out.
Default mitigations: Default mitigations:
X86: If CONFIG_SECCOMP=y "seccomp", otherwise "prctl" X86: "prctl"
On powerpc the options are: On powerpc the options are:

View File

@ -758,11 +758,11 @@ spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
case SPECTRE_V2_USER_CMD_FORCE: case SPECTRE_V2_USER_CMD_FORCE:
mode = SPECTRE_V2_USER_STRICT; mode = SPECTRE_V2_USER_STRICT;
break; break;
case SPECTRE_V2_USER_CMD_AUTO:
case SPECTRE_V2_USER_CMD_PRCTL: case SPECTRE_V2_USER_CMD_PRCTL:
case SPECTRE_V2_USER_CMD_PRCTL_IBPB: case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
mode = SPECTRE_V2_USER_PRCTL; mode = SPECTRE_V2_USER_PRCTL;
break; break;
case SPECTRE_V2_USER_CMD_AUTO:
case SPECTRE_V2_USER_CMD_SECCOMP: case SPECTRE_V2_USER_CMD_SECCOMP:
case SPECTRE_V2_USER_CMD_SECCOMP_IBPB: case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
if (IS_ENABLED(CONFIG_SECCOMP)) if (IS_ENABLED(CONFIG_SECCOMP))
@ -1162,7 +1162,6 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
return mode; return mode;
switch (cmd) { switch (cmd) {
case SPEC_STORE_BYPASS_CMD_AUTO:
case SPEC_STORE_BYPASS_CMD_SECCOMP: case SPEC_STORE_BYPASS_CMD_SECCOMP:
/* /*
* Choose prctl+seccomp as the default mode if seccomp is * Choose prctl+seccomp as the default mode if seccomp is
@ -1176,6 +1175,7 @@ static enum ssb_mitigation __init __ssb_select_mitigation(void)
case SPEC_STORE_BYPASS_CMD_ON: case SPEC_STORE_BYPASS_CMD_ON:
mode = SPEC_STORE_BYPASS_DISABLE; mode = SPEC_STORE_BYPASS_DISABLE;
break; break;
case SPEC_STORE_BYPASS_CMD_AUTO:
case SPEC_STORE_BYPASS_CMD_PRCTL: case SPEC_STORE_BYPASS_CMD_PRCTL:
mode = SPEC_STORE_BYPASS_PRCTL; mode = SPEC_STORE_BYPASS_PRCTL;
break; break;