[PATCH 4.4 075/107] x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass

2018-07-23 Thread Greg Kroah-Hartman
4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Kees Cook 

commit f21b53b20c754021935ea43364dbf53778eeba32 upstream

Unless explicitly opted out of, anything running under seccomp will have
SSB mitigations enabled. Choosing the "prctl" mode will disable this.

[ tglx: Adjusted it to the new arch_seccomp_spec_mitigate() mechanism ]

Signed-off-by: Kees Cook 
Signed-off-by: Thomas Gleixner 
Signed-off-by: David Woodhouse 
Signed-off-by: Greg Kroah-Hartman 
Signed-off-by: Srivatsa S. Bhat 
Reviewed-by: Matt Helsley (VMware) 
Reviewed-by: Alexey Makhalov 
Reviewed-by: Bo Gan 
Signed-off-by: Greg Kroah-Hartman 
---

 Documentation/kernel-parameters.txt  |   26 +-
 arch/x86/include/asm/nospec-branch.h |1 +
 arch/x86/kernel/cpu/bugs.c   |   32 +++-
 3 files changed, 41 insertions(+), 18 deletions(-)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -3647,19 +3647,27 @@ bytes respectively. Such letter suffixes
This parameter controls whether the Speculative Store
Bypass optimization is used.
 
-   on - Unconditionally disable Speculative Store 
Bypass
-   off- Unconditionally enable Speculative Store Bypass
-   auto   - Kernel detects whether the CPU model contains 
an
-implementation of Speculative Store Bypass and
-picks the most appropriate mitigation.
-   prctl  - Control Speculative Store Bypass per thread
-via prctl. Speculative Store Bypass is enabled
-for a process by default. The state of the 
control
-is inherited on fork.
+   on  - Unconditionally disable Speculative Store 
Bypass
+   off - Unconditionally enable Speculative Store 
Bypass
+   auto- Kernel detects whether the CPU model contains 
an
+ implementation of Speculative Store Bypass and
+ picks the most appropriate mitigation. If the
+ CPU is not vulnerable, "off" is selected. If 
the
+ CPU is vulnerable the default mitigation is
+ architecture and Kconfig dependent. See below.
+   prctl   - Control Speculative Store Bypass per thread
+ via prctl. Speculative Store Bypass is enabled
+ for a process by default. The state of the 
control
+ is inherited on fork.
+   seccomp - Same as "prctl" above, but all seccomp threads
+ will disable SSB unless they explicitly opt 
out.
 
Not specifying this option is equivalent to
spec_store_bypass_disable=auto.
 
+   Default mitigations:
+   X86:If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
+
spia_io_base=   [HW,MTD]
spia_fio_base=
spia_pedr=
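Review bot: the new "seccomp" entry says seccomp threads "will disable SSB unless they explicitly opt out" but never says how a thread opts out, so a reader of kernel-parameters.txt cannot act on it. Name the opt-out mechanism in that entry, or point to the document that describes it. The "Default mitigations" block also changes what spec_store_bypass_disable=auto selects on X86 with CONFIG_SECCOMP=y, and the fact that choosing "prctl" turns the implicit seccomp mitigation off is stated only in the commit message; a sentence to that effect under the "prctl" entry would let an administrator find it here.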
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -188,6 +188,7 @@ enum ssb_mitigation {
SPEC_STORE_BYPASS_NONE,
SPEC_STORE_BYPASS_DISABLE,
SPEC_STORE_BYPASS_PRCTL,
+   SPEC_STORE_BYPASS_SECCOMP,
 };
 
 extern char __indirect_thunk_start[];
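Review bot: SPEC_STORE_BYPASS_SECCOMP is added to enum ssb_mitigation with no comment, and nothing in the header says how it relates to SPEC_STORE_BYPASS_PRCTL. The documentation hunk defines the mode as 'Same as "prctl" above' plus implicit mitigation for seccomp threads, so any existing comparison against SPEC_STORE_BYPASS_PRCTL that gates per-thread control has to accept the new value as well; those call sites are not part of this hunk and should be checked. Appending the enumerator at the end is the right placement, since ssb_strings[] in bugs.c is indexed by this enum and the existing values stay unchanged.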
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -414,22 +414,25 @@ enum ssb_mitigation_cmd {
SPEC_STORE_BYPASS_CMD_AUTO,
SPEC_STORE_BYPASS_CMD_ON,
SPEC_STORE_BYPASS_CMD_PRCTL,
+   SPEC_STORE_BYPASS_CMD_SECCOMP,
 };
 
 static const char *ssb_strings[] = {
[SPEC_STORE_BYPASS_NONE]= "Vulnerable",
[SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass 
disabled",
-   [SPEC_STORE_BYPASS_PRCTL]   = "Mitigation: Speculative Store Bypass 
disabled via prctl"
+   [SPEC_STORE_BYPASS_PRCTL]   = "Mitigation: Speculative Store Bypass 
disabled via prctl",
+   [SPEC_STORE_BYPASS_SECCOMP] = "Mitigation: Speculative Store Bypass 
disabled via prctl and seccomp",
 };
 
 static const struct {
const char *option;
enum ssb_mitigation_cmd cmd;
 } ssb_mitigation_options[] = {
-   { "auto",   SPEC_STORE_BYPASS_CMD_AUTO },  /* Platform decides */
-   { "on", SPEC_STORE_BYPASS_CMD_ON },/* Disable Speculative 
Store Bypass */
-   { "off",SPEC_STORE_BYPASS_CMD_NONE },  /* Don't touch 
Speculative Store Bypass */
-   { "prctl",  SPEC_STORE_BYPASS_CMD_PRCTL }, /* Disable Speculative 
Store Bypass via prctl */
+   { "auto",   SPEC_STORE_BYPASS_CMD_AUTO },/* 
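Review bot: the new ssb_strings[] entry for SPEC_STORE_BYPASS_SECCOMP reads "Mitigation: Speculative Store Bypass disabled via prctl and seccomp", which does not tell a reader that, per the documentation hunk, threads outside seccomp still run with Speculative Store Bypass enabled unless they ask for the mitigation via prctl. Consider wording that makes the per-thread scope explicit. The added comma after the SPEC_STORE_BYPASS_PRCTL string is needed for the new entry and is fine. Note that this copy of the hunk stops mid-line at the "auto" entry of ssb_mitigation_options[], so the rest of the table and the selection logic cannot be reviewed here; in the full patch, check that a "seccomp" option maps to SPEC_STORE_BYPASS_CMD_SECCOMP and that the auto default follows the documented rule ("seccomp" if CONFIG_SECCOMP=y, otherwise "prctl").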
