Spectre v2 warning - eBPF enabled
RE- eBPF spectre v2 warning on Celeron N4500,
With the latest ucode.cpio, I ran spectre-meltdown-checker.sh, & got a vulnerability message:
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: NO (Vulnerable: eIBRS with unprivileged eBPF)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: UNKNOWN
* Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
When checking dmesg, the following warning ensued:
[ 0.050624] Spectre V2 : WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
In my standard DOTconfig, I have:
CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
#
# BPF subsystem
#
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem
I'm thinking I should compile kernels with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
Blacklisting BPF will cause other issues, but is there another way to mitigate this?