On Thu, Jan 4, 2018 at 7:51 PM, Adam Carter <[email protected]> wrote:
> On Fri, Jan 5, 2018 at 8:39 AM, Nikos Chantziaras <[email protected]> wrote:
>>
>> On 04/01/18 18:18, Rich Freeman wrote:
>>>
>>> For variant 1 the only known vulnerability is BPF which probably
>>> next to nobody uses
>>
>> I had to enable various BPF settings in the kernel because systemd
>> wouldn't shut up about it. It prints warning messages during boot that the
>> system doesn't support BPF. After enabling it, systemd was happy and stopped
>> barking at me.
>>
>
> The vulnerability specifically mentions EBPF and JIT so I'd say it's
> CONFIG_HAVE_EBPF_JIT, but there's also CONFIG_BPF_JIT.
>
> I notice EBPF_JIT is =y in my .config, grepping the sysctl -a output for bpf
> only returns:
> kernel.unprivileged_bpf_disabled = 0
The settings relevant to Spectre are:

CONFIG_BPF_JIT - this being set to y is enough to make Intel processors
vulnerable to variant 1/2. This being set to y is necessary, but not
sufficient, for making AMD vulnerable to variant 1.

net.core.bpf_jit_enable - this being set to 1 along with the config option
being set is sufficient to make AMD vulnerable to variant 1. This setting has
no effect on making Intel vulnerable to variant 1 or 2. I suspect this sysctl
item won't appear unless it is loaded into the kernel in the first place.

I believe CONFIG_HAVE_EBPF_JIT isn't actually modifiable via make config - it
is a dependency and I think it is there to indicate whether the feature is
supported (maybe it is arch-specific, or there is some complex rule for it
being available - I didn't dig through the Makefiles).

I don't think either of these needs to be set for systemd. The settings
referenced in that issue are CONFIG_CGROUP_BPF and CONFIG_BPF_SYSCALL.

I wouldn't be surprised if at some point BPF_JIT gets patched to block
Spectre, but that hasn't happened yet.

-- 
Rich
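A quick way to pull the options Adam and Rich are discussing off a running box, as an added example that is not part of the original thread. It parses kernel config text (from /proc/config.gz, which needs CONFIG_IKCONFIG_PROC, or the /boot/config-* file for the running kernel) and `sysctl -a` output, reports CONFIG_BPF_JIT, CONFIG_HAVE_EBPF_JIT, CONFIG_BPF_SYSCALL, CONFIG_CGROUP_BPF, net.core.bpf_jit_enable and kernel.unprivileged_bpf_disabled, and classifies whether the JIT is built in and switched on. Whether a given combination counts as "vulnerable" on a given CPU is Rich's reading above; the script only reports what is built and enabled. The sample config and sysctl text are constructed for the example, not captured from a real machine; treating bpf_jit_enable=2 (JIT on, with debug output to the kernel log) as "on" comes from the kernel's sysctl documentation, not from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report the BPF kernel
# config options and sysctls discussed in the thread and classify JIT state.

# Kernel config options named in the thread.
CONFIG_KEYS="CONFIG_BPF_JIT CONFIG_HAVE_EBPF_JIT CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF"

# bpf_config_value CONFIG_TEXT KEY
# Prints y/m (set), n ("is not set"), absent (not in the text), or unknown.
# The [= ] after the key avoids prefix matches such as CONFIG_BPF_JIT_ALWAYS_ON.
bpf_config_value() {
    _cfg="$1"; _key="$2"
    _line=$(printf '%s\n' "$_cfg" | grep -E "^(# )?$_key[= ]" | head -n 1)
    case "$_line" in
        "$_key="*)             printf '%s\n' "${_line#*=}" ;;
        "# $_key is not set")  echo n ;;
        "")                    echo absent ;;
        *)                     echo unknown ;;
    esac
}

# sysctl_value SYSCTL_TEXT KEY
# Prints the value from "key = value" lines as emitted by `sysctl -a`,
# or absent when the key is missing (as the thread notes it may be).
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == k && $2 == "=" && !found { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# jit_state CONFIG_TEXT SYSCTL_TEXT
#   jit-not-built  CONFIG_BPF_JIT is not y
#   jit-built-off  built in, but net.core.bpf_jit_enable is 0 or missing
#   jit-built-on   built in and enabled at runtime (1, or 2 = on with debug output)
jit_state() {
    _built=$(bpf_config_value "$1" CONFIG_BPF_JIT)
    _enabled=$(sysctl_value "$2" net.core.bpf_jit_enable)
    if [ "$_built" != y ]; then
        echo jit-not-built
    elif [ "$_enabled" = 1 ] || [ "$_enabled" = 2 ]; then
        echo jit-built-on
    else
        echo jit-built-off
    fi
}

# Constructed sample input (not from a real machine), shaped like the thread:
# both JIT options =y, CGROUP_BPF off, the JIT sysctl present but 0, and
# unprivileged_bpf_disabled = 0 as in Adam's output. CONFIG_BPF_JIT_ALWAYS_ON
# is included only so the exact-key match is exercised.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT=y
CONFIG_HAVE_EBPF_JIT=y
# CONFIG_CGROUP_BPF is not set'

SAMPLE_SYSCTL='kernel.unprivileged_bpf_disabled = 0
net.core.bpf_jit_enable = 0
net.core.bpf_jit_harden = 0'

# Live system: /proc/config.gz if the kernel exposes it, else /boot/config-<release>.
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

report() {
    _cfg="$1"; _sys="$2"
    for k in $CONFIG_KEYS; do
        printf '%-34s %s\n' "$k" "$(bpf_config_value "$_cfg" "$k")"
    done
    for k in net.core.bpf_jit_enable kernel.unprivileged_bpf_disabled; do
        printf '%-34s %s\n' "$k" "$(sysctl_value "$_sys" "$k")"
    done
    printf '%-34s %s\n' "JIT state" "$(jit_state "$_cfg" "$_sys")"
}

# `sh bpf-check.sh --live` inspects the running kernel; with no argument the
# constructed sample is reported so the script runs anywhere.
if [ "${1:-}" = --live ]; then
    report "$(live_config)" "$(sysctl -a 2>/dev/null || true)"
else
    report "$SAMPLE_CONFIG" "$SAMPLE_SYSCTL"
fi
```

On the sample input the report shows CONFIG_BPF_JIT and CONFIG_HAVE_EBPF_JIT as y, CONFIG_CGROUP_BPF as n, and the JIT state as jit-built-off; a box where the sysctl is missing altogether is also classified jit-built-off, since the runtime switch has not been turned on, and a box where `sysctl -a` returns nothing for bpf at all shows both sysctls as absent. Run as an unprivileged user, `sysctl -a` may omit a few permission-restricted keys, which is why stderr is discarded.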

