On 13/02/18 03:31, Ian Zimmerman wrote:
> On 2018-02-13 03:13, Nikos Chantziaras wrote:
>> Apparently, and contrary to what people (me included) wrote here in
>> the past, BPF JIT is the secure option, and the interpreter is the
>> insecure one.
>
> Do you have a reference for this? It sounds strange indeed.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb
"The BPF interpreter has been used as part of the spectre 2 attack
CVE-2017-5715.
[...]
To make attacker job harder introduce BPF_JIT_ALWAYS_ON config
option that removes interpreter from the kernel in favor of JIT-only mode."
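
Added example, not part of the original mail or of the kernel commit: a shell check that classifies a kernel config by whether the BPF interpreter is still compiled in, then combines that with the value of the `net.core.bpf_jit_enable` sysctl. The function names, status strings and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Classify a kernel .config (read from stdin) by BPF interpreter presence.
# On a live system the config text would typically come from
# /boot/config-$(uname -r), or /proc/config.gz if the kernel exposes it.

# config_is_y SYMBOL CONFIG_TEXT: succeeds if "CONFIG_SYMBOL=y" is a whole line.
# Lines such as "# CONFIG_SYMBOL is not set" do not match.
config_is_y() {
    printf '%s\n' "$2" | grep -qx "CONFIG_$1=y"
}

bpf_interp_status() {
    cfg=$(cat)
    if config_is_y BPF_JIT_ALWAYS_ON "$cfg"; then
        echo "jit-only"             # interpreter removed from the kernel
    elif config_is_y BPF_JIT "$cfg"; then
        echo "interpreter-present"  # JIT built, interpreter still compiled in
    else
        echo "interpreter-only"     # no JIT compiled at all
    fi
}

# bpf_effective_mode STATUS JIT_ENABLE
# JIT_ENABLE is the value of net.core.bpf_jit_enable (0 = off, 1 or 2 = on).
bpf_effective_mode() {
    case "$1:$2" in
        jit-only:*)            echo "jit" ;;
        interpreter-present:0) echo "interpreter" ;;
        interpreter-present:*) echo "jit-with-interpreter-fallback" ;;
        *)                     echo "interpreter" ;;
    esac
}

# Constructed sample configs (not taken from any real system).
hardened='CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y'
legacy='CONFIG_BPF_JIT=y
# CONFIG_BPF_JIT_ALWAYS_ON is not set'

for c in "$hardened" "$legacy"; do
    s=$(printf '%s\n' "$c" | bpf_interp_status)
    echo "$s -> $(bpf_effective_mode "$s" 0)"
done
```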