1 |
From foo@baz Tue Mar 8 08:47:19 PM CET 2022 |
2 |
From: James Morse <james.morse@arm.com> |
3 |
Date: Thu, 3 Mar 2022 16:53:56 +0000 |
4 |
Subject: arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting |
5 |
|
6 |
From: James Morse <james.morse@arm.com> |
7 |
|
8 |
commit 58c9a5060cb7cd529d49c93954cdafe81c1d642a upstream. |
9 |
|
10 |
The mitigations for Spectre-BHB are only applied when an exception is |
11 |
taken from user-space. The mitigation status is reported via the spectre_v2 |
12 |
sysfs vulnerabilities file. |
13 |
|
14 |
When unprivileged eBPF is enabled the mitigation in the exception vectors |
15 |
can be avoided by an eBPF program. |
16 |
|
17 |
When unprivileged eBPF is enabled, print a warning and report vulnerable |
18 |
via the sysfs vulnerabilities file. |
19 |
|
20 |
Acked-by: Catalin Marinas <catalin.marinas@arm.com> |
21 |
Signed-off-by: James Morse <james.morse@arm.com> |
22 |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
23 |
--- |
24 |
arch/arm64/kernel/proton-pack.c | 26 ++++++++++++++++++++++++++ |
25 |
1 file changed, 26 insertions(+) |
26 |
|
27 |
--- a/arch/arm64/kernel/proton-pack.c |
28 |
+++ b/arch/arm64/kernel/proton-pack.c |
29 |
@@ -18,6 +18,7 @@ |
30 |
*/ |
31 |
|
32 |
#include <linux/arm-smccc.h> |
33 |
+#include <linux/bpf.h> |
34 |
#include <linux/cpu.h> |
35 |
#include <linux/device.h> |
36 |
#include <linux/nospec.h> |
37 |
@@ -111,6 +112,15 @@ static const char *get_bhb_affected_stri |
38 |
} |
39 |
} |
40 |
|
41 |
+static bool _unprivileged_ebpf_enabled(void) |
42 |
+{ |
43 |
+#ifdef CONFIG_BPF_SYSCALL |
44 |
+ return !sysctl_unprivileged_bpf_disabled; |
45 |
+#else |
46 |
+ return false; |
47 |
+#endif |
48 |
+} |
49 |
+ |
50 |
ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, |
51 |
char *buf) |
52 |
{ |
53 |
@@ -130,6 +140,9 @@ ssize_t cpu_show_spectre_v2(struct devic |
54 |
v2_str = "CSV2"; |
55 |
fallthrough; |
56 |
case SPECTRE_MITIGATED: |
57 |
+ if (bhb_state == SPECTRE_MITIGATED && _unprivileged_ebpf_enabled()) |
58 |
+ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); |
59 |
+ |
60 |
return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str); |
61 |
case SPECTRE_VULNERABLE: |
62 |
fallthrough; |
63 |
@@ -1125,3 +1138,16 @@ void __init spectre_bhb_patch_clearbhb(s |
64 |
*updptr++ = cpu_to_le32(aarch64_insn_gen_nop()); |
65 |
*updptr++ = cpu_to_le32(aarch64_insn_gen_nop()); |
66 |
} |
67 |
+ |
68 |
+#ifdef CONFIG_BPF_SYSCALL |
69 |
+#define EBPF_WARN "Unprivileged eBPF is enabled, data leaks possible via Spectre v2 BHB attacks!\n" |
70 |
+void unpriv_ebpf_notify(int new_state) |
71 |
+{ |
72 |
+ if (spectre_v2_state == SPECTRE_VULNERABLE || |
73 |
+ spectre_bhb_state != SPECTRE_MITIGATED) |
74 |
+ return; |
75 |
+ |
76 |
+ if (!new_state) |
77 |
+ pr_err("WARNING: %s", EBPF_WARN); |
78 |
+} |
79 |
+#endif |