Spectre v2 warning - eBPF enabled

Moderator: Forum moderators

Post Reply
ozsouth
Posts: 1571
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 242 times
Been thanked: 706 times

Spectre v2 warning - eBPF enabled

Post by ozsouth »

RE- eBPF spectre v2 warning on Celeron N4500,

With the latest ucode.cpio, I ran spectre-meltdown-checker.sh, & got a vulnerability message:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: NO (Vulnerable: eIBRS with unprivileged eBPF)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

When checking dmesg, the following warning ensued:

[ 0.050624] Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!

In my standard DOTconfig, I have:

CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y

#
# BPF subsystem
#
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem

I'm thinking I should compile kernels with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
Blacklisting BPF will cause other issues, but is there another way to mitigate this?

dimkr
Posts: 2429
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1203 times

Re: Spectre v2 warning - eBPF enabled

Post by dimkr »

Depends on what distro you're using, you can put this in a file under /etc/sysctl.d or in /etc/sysctl.conf:

Code: Select all

kernel.unprivileged_bpf_disabled=1
ozsouth
Posts: 1571
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 242 times
Been thanked: 706 times

Re: Spectre v2 warning - eBPF enabled

Post by ozsouth »

Thanks dimkr. In s15pup64 , I put kernel.unprivileged_bpf_disabled=1 in file sysctl.conf under /etc/sysctl.d , & on reboot vulnerability is mitigated. Same works with fossapup64 derivatives.
I now see I could run sysctl kernel.unprivileged_bpf_disabled=1 from a terminal, but I can't use grub/syslinux command line.

I have now made 6.6 (for newer systems) & 6.1 (for older systems) kernels with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y . I don't think it is catastrophic, but needs to be mitigated now.

dimkr
Posts: 2429
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1203 times

Re: Spectre v2 warning - eBPF enabled

Post by dimkr »

ozsouth wrote: Sat Nov 09, 2024 10:06 pm

I don't think it is catastrophic, but needs to be mitigated now.

If you use a Puppy from 2021 you have so many publicly documented high severity vulnerabilities with ready-made exploits, so I wouldn't worry about hardware vulnerabilities that are not trivial to exploit remotely. (Plus Puppy is not configured correctly to use eBPF)

Post Reply

Return to “Kernels”