On Sat, Jan 6, 2018 at 8:58 AM, Walter Dnes <[email protected]> wrote:
>
> I'm running openrc. On my 32-bit install, Intel Core2 duo, I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_TEST_BPF is not set
>
> On my 64-bit install, Intel Silvermont (Atom), I get...
>
> zgrep BPF /proc/config.gz
> CONFIG_BPF=y
> # CONFIG_BPF_SYSCALL is not set
> # CONFIG_NETFILTER_XT_MATCH_BPF is not set
> # CONFIG_BPF_JIT is not set
> CONFIG_HAVE_EBPF_JIT=y
> # CONFIG_TEST_BPF is not set
>
> Does this improve security at all versus meltdown/spectre? Any
> suggestions for changes?
Intel hardware is vulnerable to Spectre variant 1, and Meltdown, regardless of any kernel settings, unless the kernel is patched to defeat it. I'm less sure about whether you're vulnerable to Spectre variant 2 with JIT BPF turned off.

PTI is required to defeat Meltdown on Intel hardware. I don't think a patch to Spectre is in the stable linux kernel yet, though it seems like Redhat may have pushed out some kind of patch for it (possibly in conjunction with a microcode update to enable it).

Disabling BPF JIT (which is the default state) does defeat the known Spectre attacks on AMD hardware, and AMD hardware is immune to Meltdown.

Note that this is only talking about the kernel. Userspace code can also be vulnerable to cross-process Spectre attacks (particularly browsers) and those require specific hardening as well at the software level.

On Gentoo we would get the benefit that if a gcc-level fix is developed we could harden everything at once with a complete rebuild. However, at this time gcc hasn't been patched. There is plenty of talk of it though. Some of the proposed solutions also need CPU microcode updates to enable them. The idea is that gcc would insert instructions in sensitive locations to fence in speculative execution, and the microcode would get the CPU to respect these boundaries.

Intel has published this regarding their hardware:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf

(This is targeted more at developers than users, including OS developers.)

--
Rich
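As an added example (not from the thread or from either poster), here is a small POSIX shell helper that turns the `zgrep BPF /proc/config.gz` check above into a per-symbol report, so the absence of a symbol is reported distinctly from "not set". It assumes the kernel was built with CONFIG_IKCONFIG_PROC (otherwise /proc/config.gz does not exist), and that CONFIG_PAGE_TABLE_ISOLATION is the x86 Kconfig symbol for PTI (it is, in 4.15 and the 4.14 stable backports; a config that predates those will simply lack the symbol). The sample config is constructed from the 64-bit output quoted above.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# config_state SYMBOL... reads a Kconfig-style text on stdin and prints one
# line per requested symbol:
#   SYMBOL=y / SYMBOL=m   built in / module
#   SYMBOL=n              "# SYMBOL is not set"
#   SYMBOL=?              symbol absent from this config (too old, or other arch)
# Live use: zcat /proc/config.gz | config_state CONFIG_BPF_JIT CONFIG_PAGE_TABLE_ISOLATION
config_state() {
    config="$(cat)"
    for sym in "$@"; do
        # Anchor on '=' or ' ' after the name so CONFIG_BPF does not match CONFIG_BPF_JIT.
        line="$(printf '%s\n' "$config" | grep -E "^(# )?${sym}[= ]" | head -n 1)"
        case "$line" in
            "${sym}=y")              echo "${sym}=y" ;;
            "${sym}=m")              echo "${sym}=m" ;;
            "# ${sym} is not set")   echo "${sym}=n" ;;
            "")                      echo "${sym}=?" ;;
            *)                       echo "${sym}=${line#*=}" ;;   # numeric/string values
        esac
    done
}

# pti_built_in: succeeds (exit 0) only if the config on stdin has PTI compiled in.
# Assumption: CONFIG_PAGE_TABLE_ISOLATION is the x86 PTI symbol (4.15 / 4.14.11+).
pti_built_in() {
    [ "$(config_state CONFIG_PAGE_TABLE_ISOLATION)" = "CONFIG_PAGE_TABLE_ISOLATION=y" ]
}

# Constructed sample: the 64-bit Silvermont output from the thread, verbatim.
SAMPLE_CONFIG='CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_BPF_JIT is not set
CONFIG_HAVE_EBPF_JIT=y
# CONFIG_TEST_BPF is not set'

# Stand-alone demo against the sample.
printf '%s\n' "$SAMPLE_CONFIG" | config_state CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_PAGE_TABLE_ISOLATION
if printf '%s\n' "$SAMPLE_CONFIG" | pti_built_in; then
    echo "PTI: built in"
else
    echo "PTI: not built in (symbol missing or not set); Meltdown is not mitigated by this kernel"
fi
```

On the sample the report is `CONFIG_BPF_JIT=n` and `CONFIG_PAGE_TABLE_ISOLATION=?`: the JIT is off as the reply says is the default, and the `?` shows that this config comes from a kernel that has no PTI option at all, which is the more important finding for Meltdown. The build-time config is only half the picture: the running JIT state is `sysctl net.core.bpf_jit_enable`, and from kernel 4.15 onward the files under /sys/devices/system/cpu/vulnerabilities/ report what the booted kernel actually applied.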

