/[packages]/updates/8/kernel/current/SOURCES/arm64-proton-pack-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch

Contents of /updates/8/kernel/current/SOURCES/arm64-proton-pack-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch



Revision 1789982 - (show annotations) (download)
Tue Mar 8 23:11:59 2022 UTC (2 years, 1 month ago) by tmb
File size: 2432 byte(s)
add current -stable queue
1 From foo@baz Tue Mar 8 08:47:19 PM CET 2022
2 From: James Morse <james.morse@arm.com>
3 Date: Thu, 3 Mar 2022 16:53:56 +0000
4 Subject: arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting
5
6 From: James Morse <james.morse@arm.com>
7
8 commit 58c9a5060cb7cd529d49c93954cdafe81c1d642a upstream.
9
10 The mitigations for Spectre-BHB are only applied when an exception is
11 taken from user-space. The mitigation status is reported via the spectre_v2
12 sysfs vulnerabilities file.
13
14 When unprivileged eBPF is enabled the mitigation in the exception vectors
15 can be avoided by an eBPF program.
16
17 When unprivileged eBPF is enabled, print a warning and report vulnerable
18 via the sysfs vulnerabilities file.
19
20 Acked-by: Catalin Marinas <catalin.marinas@arm.com>
21 Signed-off-by: James Morse <james.morse@arm.com>
22 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
23 ---
24 arch/arm64/kernel/proton-pack.c | 26 ++++++++++++++++++++++++++
25 1 file changed, 26 insertions(+)
26
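--- a/arch/arm64/kernel/proton-pack.c
+++ b/arch/arm64/kernel/proton-pack.c
@@ -18,6 +18,7 @@
 */
 
 #include <linux/arm-smccc.h>
+#include <linux/bpf.h>
 #include <linux/cpu.h>
 #include <linux/device.h>
 #include <linux/nospec.h>
@@ -111,6 +112,15 @@ static const char *get_bhb_affected_stri
 }
 }
 
+static bool _unprivileged_ebpf_enabled(void)
+{
+#ifdef CONFIG_BPF_SYSCALL
+ return !sysctl_unprivileged_bpf_disabled;
+#else
+ return false;
+#endif
+}
+
 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,
 char *buf)
 {
@@ -130,6 +140,9 @@ ssize_t cpu_show_spectre_v2(struct devic
 v2_str = "CSV2";
 fallthrough;
 case SPECTRE_MITIGATED:
+ if (bhb_state == SPECTRE_MITIGATED && _unprivileged_ebpf_enabled())
+ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+
 return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str);
 case SPECTRE_VULNERABLE:
 fallthrough;
@@ -1125,3 +1138,16 @@ void __init spectre_bhb_patch_clearbhb(s
 *updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
 *updptr++ = cpu_to_le32(aarch64_insn_gen_nop());
 }
+
+#ifdef CONFIG_BPF_SYSCALL
+#define EBPF_WARN "Unprivileged eBPF is enabled, data leaks possible via Spectre v2 BHB attacks!\n"
+void unpriv_ebpf_notify(int new_state)
+{
+ if (spectre_v2_state == SPECTRE_VULNERABLE ||
+ spectre_bhb_state != SPECTRE_MITIGATED)
+ return;
+
+ if (!new_state)
+ pr_err("WARNING: %s", EBPF_WARN);
+}
+#endif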
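Review bot: `unpriv_ebpf_notify(int new_state)` in the last hunk carries no comment saying what `new_state` is; the only clue is `if (!new_state)`, which has to be read together with `_unprivileged_ebpf_enabled()` in the second hunk (`return !sysctl_unprivileged_bpf_disabled;`) to work out that 0 means "unprivileged eBPF is being enabled". A kerneldoc header along the lines of `/* Called when the unprivileged_bpf_disabled sysctl changes; new_state is the value it is about to take (0 = unprivileged eBPF enabled). Warn only while the exception-vector BHB mitigation is what an eBPF program could bypass. */` would make the early return on `spectre_v2_state`/`spectre_bhb_state` self-explanatory, and a matching one-liner on `_unprivileged_ebpf_enabled()`, `/* sysfs view: the BHB mitigation is bypassable whenever the sysctl is 0 */`, would tie the two readers of that sysctl together. The warning in the notify path and the sysfs string are evaluated at different times, so it is worth stating in the comment that the sysfs file, not the one-off `pr_err`, is the authoritative status. Whether `unpriv_ebpf_notify` and `sysctl_unprivileged_bpf_disabled` are declared by the newly included `<linux/bpf.h>` cannot be confirmed from this hunk.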
