Spectre v2 warning - eBPF enabled

Posted: Sat Nov 09, 2024 12:18 pm
by ozsouth

RE- eBPF spectre v2 warning on Celeron N4500,

With the latest ucode.cpio, I ran spectre-meltdown-checker.sh, & got a vulnerability message:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: NO (Vulnerable: eIBRS with unprivileged eBPF)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

When checking dmesg, the following warning ensued:

[ 0.050624] Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!

In my standard DOTconfig, I have:

CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y

#
# BPF subsystem
#
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem

I'm thinking I should compile kernels with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y.
Blacklisting BPF will cause other issues, but is there another way to mitigate this?


Re: Spectre v2 warning - eBPF enabled

Posted: Sat Nov 09, 2024 12:36 pm
by dimkr

Depends on what distro you're using, you can put this in a file under /etc/sysctl.d or in /etc/sysctl.conf:

kernel.unprivileged_bpf_disabled=1
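An added script (not part of dimkr's post) that reads the same sysfs/procfs files spectre-meltdown-checker consults, classifies the spectre_v2 status line, and on request persists and applies the sysctl above; the drop-in filename and the --audit/--apply flags are my own choices.

```shell
#!/bin/sh
# Audit the Spectre v2 / unprivileged eBPF state and apply the sysctl mitigation.
# sysfs/procfs paths are the standard Linux ones; the drop-in filename is assumed.
SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
UNPRIV_BPF_PROC=/proc/sys/kernel/unprivileged_bpf_disabled
DROPIN=/etc/sysctl.d/90-unprivileged-bpf.conf   # assumed filename

# Classify one spectre_v2 sysfs line (passed as $1 so it can be tested offline).
# Prints: unpriv-ebpf (the case in this thread), mitigated, vulnerable, or unknown.
classify_spectre_v2() {
    case "$1" in
        *"unprivileged eBPF"*) echo unpriv-ebpf ;;
        Mitigation:*)          echo mitigated ;;
        Vulnerable*)           echo vulnerable ;;
        *)                     echo unknown ;;
    esac
}

# Exit 0 when the sysctl value disables unprivileged bpf(): 1 = disabled until
# reboot and cannot be cleared, 2 = disabled but may be switched back to 0.
unpriv_bpf_disabled() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Persist the setting under /etc/sysctl.d and apply it to the running kernel.
apply_mitigation() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_mitigation: must run as root" >&2; return 1; }
    printf 'kernel.unprivileged_bpf_disabled=1\n' > "$DROPIN"
    sysctl -w kernel.unprivileged_bpf_disabled=1 >/dev/null
}

# Read the live files; only runs when invoked with --audit or --apply.
audit_host() {
    status=$(cat "$SPECTRE_V2_SYSFS" 2>/dev/null || echo "")
    value=$(cat "$UNPRIV_BPF_PROC" 2>/dev/null || echo "")
    echo "spectre_v2: $status"
    echo "classification: $(classify_spectre_v2 "$status")"
    if unpriv_bpf_disabled "$value"; then
        echo "unprivileged_bpf_disabled=$value (unprivileged eBPF off)"
    else
        echo "unprivileged_bpf_disabled=${value:-missing} (unprivileged eBPF on)"
    fi
}

case "${1:-}" in
    --audit) audit_host ;;
    --apply) apply_mitigation && audit_host ;;
esac
```

Because the kernel re-evaluates the spectre_v2 line against the current sysctl each time it is read, `--audit` after `--apply` shows the change without a reboot.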

Re: Spectre v2 warning - eBPF enabled

Posted: Sat Nov 09, 2024 10:06 pm
by ozsouth

Thanks dimkr. In s15pup64, I put kernel.unprivileged_bpf_disabled=1 in file sysctl.conf under /etc/sysctl.d, & on reboot the vulnerability is mitigated. Same works with fossapup64 derivatives.
I now see I could run sysctl kernel.unprivileged_bpf_disabled=1 from a terminal, but I can't use the grub/syslinux command line.

I have now made 6.6 (for newer systems) & 6.1 (for older systems) kernels with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y. I don't think it is catastrophic, but it needs to be mitigated now.


Re: Spectre v2 warning - eBPF enabled

Posted: Mon Nov 11, 2024 7:04 am
by dimkr

ozsouth wrote: Sat Nov 09, 2024 10:06 pm

> I don't think it is catastrophic, but needs to be mitigated now.

If you use a Puppy from 2021 you have so many publicly documented high severity vulnerabilities with ready-made exploits, so I wouldn't worry about hardware vulnerabilities that are not trivial to exploit remotely. (Plus Puppy is not configured correctly to use eBPF)