Kumar Kartikeya Dwivedi writes:
(including relevant part from other message)
> On Thu, 1 May 2025 at 04:00, Luis Gerhorst wrote:
>
>> +static bool error_recoverable_with_nospec(int err)
>> +{
>> + /* Should only return true for non-fatal errors that are allowe
Eduard Zingerman writes:
> On Thu, 2025-05-01 at 09:35 +0200, Luis Gerhorst wrote:
>
>> +dst_reg_type = cur_regs(env)[insn->dst_reg].type;
>
> Implicitly relying on `insn == &env->prog->insnsi[env->cur_idx]`
> is weird. Still think that `
Kumar Kartikeya Dwivedi writes:
> Back when all of this surfaced, compiler folks came up with another
> solution, to rely on Intel's guarantee that conditional moves are not
> predicted.
>
> if (condition) {
>     mask = !condition ? 0UL : ~0UL; // CMOVcc
>     ptr &= mask;
>     x = *ptr;
> }
>
> I
This is made to clarify that this flag will cause a nospec to be added
after this insn and can therefore be relied upon to reduce speculative
path analysis.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 2 +-
kernel
/overwrites pointers on the BPF stack,
they are already a problem for fixed-offset stack accesses and should be
subject to Spectre v4 sanitization.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 24
1 file
alternative would be -EFAULT, which is
also returned for some of the other cases where push_stack() fails, but
this is more frequently used for verifier-internal bugs.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
This is based on the gadget from the description of commit 9183671af6db
("bpf: Fix leakage under speculation on mispredicted branches").
Signed-off-by: Luis Gerhorst
---
.../selftests/bpf/progs/verifier_unpriv.c | 57 +++
1 file changed, 57 insertions(+)
diff --g
F")
[2] https://arxiv.org/pdf/2405.00078 ("VeriFence: Lightweight and
Precise Spectre Defenses for Untrusted Linux Kernel Extensions")
[3]
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/runtime-speculative-
unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add speculation_barrier support")
[2] https://githu
ec_v1() and _v4() according to
commit a6f6a95f2580 ("LoongArch, bpf: Fix jit to skip speculation
barrier opcode"). This is omitted here as I am unable to do any testing
for LoongArch.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
arch/arm64/ne
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file changed, 3 insertions(+), 3
seems
that this change does not interfere with libbpf.
[1]
https://lore.kernel.org/all/785b4531ce3b44a84059a4feb4ba458c68fce719.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
do_print_state = " with "*do_print_state = "
[1]
https://lore.kernel.org/all/293dbe3950a782b8eb3b87b71d7a967e120191fd.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 426 +++
check whether a
speculation barrier was inserted in the correct location.
Signed-off-by: Luis Gerhorst
Fixes: 9c9f73391310 ("selftests/bpf: allow checking xlated programs in
verifier_* tests")
Fixes: 7d743e4c759c ("selftests/bpf: __jited test tag to check disassembly
after jit"
to include v1 barrier
- discuss potential security (archs that do not impl. BPF nospec) and
performance (only PowerPC) regressions
- Link to RFC:
https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
selftests/bpf: Fix caps for __xlated/jited_
kernel test robot writes:
> All errors (new ones prefixed by >>):
>
>arch/powerpc/net/bpf_jit_comp64.c: In function 'bpf_jit_build_body':
>>> arch/powerpc/net/bpf_jit_comp64.c:814:4: error: a label can only be part of
>>> a statement and a declaration is not a statement
> 814 |bool
kernel test robot writes:
> All warnings (new ones prefixed by >>):
>
>>> kernel/bpf/core.c:3037:13: warning: no previous prototype for
>>> 'bpf_jit_bypass_spec_v1' [-Wmissing-prototypes]
> 3037 | bool __weak bpf_jit_bypass_spec_v1(void)
> | ^~
>>> ke
alternative would be -EFAULT, which is
also returned for some of the other cases where push_stack() fails, but
this is more frequently used for verifier-internal bugs.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
This is made to clarify that this flag will cause a nospec to be added
after this insn and can therefore be relied upon to reduce speculative
path analysis.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 2 +-
kernel
/overwrites pointers on the BPF stack,
they are already a problem for fixed-offset stack accesses and should be
subject to Spectre v4 sanitization.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 24
1 file
This is based on the gadget from the description of commit 9183671af6db
("bpf: Fix leakage under speculation on mispredicted branches").
Signed-off-by: Luis Gerhorst
---
.../selftests/bpf/progs/verifier_unpriv.c | 57 +++
1 file changed, 57 insertions(+)
diff --g
F")
[2] https://arxiv.org/pdf/2405.00078 ("VeriFence: Lightweight and
Precise Spectre Defenses for Untrusted Linux Kernel Extensions")
[3]
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/runtime-speculative-
unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add speculation_barrier support")
[2] https://githu
ec_v1() and _v4() according to
commit a6f6a95f2580 ("LoongArch, bpf: Fix jit to skip speculation
barrier opcode"). This is omitted here as I am unable to do any testing
for LoongArch.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
arch/arm64/ne
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file changed, 3 insertions(+), 3
seems
that this change does not interfere with libbpf.
[1]
https://lore.kernel.org/all/785b4531ce3b44a84059a4feb4ba458c68fce719.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Reviewed-by: Eduard Zingerman
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c
l security (archs that do not impl. BPF nospec) and
performance (only PowerPC) regressions
- Link to RFC:
https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
selftests/bpf: Fix caps for __xlated/jited_unpriv
bpf: Move insn if/else into do_check_insn()
bpf: Ret
do_print_state = " with "*do_print_state = "
[1]
https://lore.kernel.org/all/293dbe3950a782b8eb3b87b71d7a967e120191fd.ca...@gmail.com/
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 425 +++
check whether a
speculation barrier was inserted in the correct location.
Signed-off-by: Luis Gerhorst
Fixes: 9c9f73391310 ("selftests/bpf: allow checking xlated programs in
verifier_* tests")
Fixes: 7d743e4c759c ("selftests/bpf: __jited test tag to check disassembly
after jit"
Alexei Starovoitov writes:
> On Thu, Mar 13, 2025 at 10:57 AM Luis Gerhorst wrote:
>> With increased limits this allows applying mitigations to large BPF
>> progs such as the Parca Continuous Profiler's prog. However, this
>> requires a jump-seq limit of 256k. In an
Eduard Zingerman writes:
> Could you please point me to a location, where exact error code
> returned by updated push_stack() matters?
> I checked push_stack() callgraph (in the attachment), but can't find
> anything.
Only with the final patch 11 ("bpf: Fall back to nospec for spec path
verifica
Eduard Zingerman writes:
> I think it would be good to have some tests checking that nospec
> instructions are inserted in expected locations.
> Could you please take look at use of __xlated tag in e.g.
> tools/testing/selftests/bpf/progs/verifier_sdiv.c ?
That looks very promising, I will look i
Eduard Zingerman writes:
> On Thu, 2025-03-13 at 18:21 +0100, Luis Gerhorst wrote:
>> +err = do_check_insn(env, insn, pop_log, &do_print_state, regs,
>> state,
>> +&prev_insn_idx);
>
> - `regs` remains declared in
")
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 03af82f52a02..49c7e2608ccd 100644
--- a/kernel
back to nospec directly for the remaining sanitization errs even if
we are not on a speculative path.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 85 ++-
.../selftests/bpf/progs
efenses for Untrusted Linux Kernel Extensions")
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 1 +
kernel/bpf/verifier.c | 68 +--
.../selftests/bpf/prog
ec_v1() and _v4() according to
commit a6f6a95f2580 ("LoongArch, bpf: Fix jit to skip speculation
barrier opcode"). This is omitted here as I am unable to do any testing
for LoongArch.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
arch/arm64/ne
This is made to clarify that this flag will cause a nospec to be added
after this insn and can therefore be relied upon to reduce speculative
path analysis.
Signed-off-by: Luis Gerhorst
Cc: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
include/linux/bpf_verifier.h | 2 +-
kernel
Main reason is, that it will later allow us to fall back to a nospec for
certain errors in push_stack().
This changes the sanitization-case to returning -ENOMEM. However, this
is more fitting as -EFAULT would indicate a verifier-internal bug.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette
unexpected
conflicts between the insns when combined like this. Individual v1/v4
barriers were already emitted elsewhere.
[1]
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=29b74545531f6afbee9fc38c267524326dbfbedf
("MIPS: Add speculation_barrier support")
[2] https://github.com/kerne
Insert a nospec before the access to prevent it from ever using an index
that is subject to speculative scalar-confusion.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 24
1 file changed, 12
This prevents us from trying to recover from these on speculative paths
in the future.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf
ate = " with "*do_print_state = "
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 426 ++
1 file changed, 224 insertions(+), 202 deletions(-)
diff --git a/kern
Mark these cases as non-recoverable to later prevent them from being
caught when they occur during speculative path verification.
Signed-off-by: Luis Gerhorst
Acked-by: Henriette Herzog
Cc: Maximilian Ott
Cc: Milan Stephan
---
kernel/bpf/verifier.c | 36
F nospec) and
performance (only PowerPC) regressions
RFC: https://lore.kernel.org/bpf/20250224203619.594724-1-luis.gerho...@fau.de/
Luis Gerhorst (11):
bpf: Move insn if/else into do_check_insn()
bpf: Return -EFAULT on misconfigurations
bpf: Return -EFAULT on internal errors
bpf, arm64, pow
45 matches