kernel: Disable unprivileged eBPF by default

The following warning message is printed out starting with kernel version 5.10.105 in response to a newer Spectre-type security issue: Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks! This message is printed out when Spectre v2 mitigations are enabled and unprivileged eBPF is enabled. This warning message was introduced with commit afc2d635b5e1 ("x86/speculation: Include unprivileged eBPF status in spectre v2 mitigation reporting") in the Linux stable team's linux-5.10.y branch. The first tag that includes this change in that branch is "v5.10.105". This commit sets the "CONFIG_BPF_UNPRIV_DEFAULT_OFF" Kconfig option to suppress the aforementioned warning message. Note that unprivileged eBPF is disabled by default in most distributions. Disabling unprivileged eBPF is recommended as a (partial) mitigation against attack primitives known as Spectre-v2-BHB ("Spectre v2 aided by the Branch History Buffer"), as documented at the following links: - https://www.vusec.net/projects/bhi-spectre-bhb/ - https://www.intel.com/content/www/us/en/developer/articles/\ technical/software-security-guidance/technical-documentation/\ branch-history-injection.html Also note that if unprivileged eBPF is re-enabled at runtime via "sysctl" or by writing to "/proc/sys/kernel/unprivileged_bpf_disabled", then the warning message in question will appear in the kernel logs. Verification: - On a test system, remove the kernel command line argument 'nospectre_v2' from "/boot/efi/EFI/BOOT/boot.env", and save the file. - Reboot. - With this commit, the following warning message does not appear in the kernel's logs, as confirmed with "dmesg | grep eIBRS": "Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!". (Without this commit, the aforementioned warning message would appear in the kernel logs.) Closes-Bug: 2019268 Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com> Change-Id: I03d9ef494384c52cd4d81d02d8c76cd0fef6edb5
2023-05-15 15:47:18 +08:00
parent bc9fce3401
commit 20e578cdd8
4 changed files with 66 additions and 0 deletions
--- a/kernel-rt/debian/deb_patches/0026-Disable-unprivileged-eBPF-by-default.patch
+++ b/kernel-rt/debian/deb_patches/0026-Disable-unprivileged-eBPF-by-default.patch
@@ -0,0 +1,32 @@
+From 3d5808d2c65f71d4b8845cf8e807f6be46283b13 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <haiqing.bai@windriver.com>
+Date: Tue, 9 May 2023 07:06:41 +0000
+Subject: [PATCH] Disable unprivileged eBPF by default
+
+Unprivileged eBPF is disabled by default on most distro
+Disabling unprivileged eBPF effectively mitigates the
+known attack vectors for exploiting intra-mode branch
+injections attacks.
+This commit also removed the below kernel warning:
+"Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on,
+ data leaks possible via Spectre v2 BHB attacks!"
+
+Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
+---
+ debian/config/amd64/none/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
+index ca69257dc..f5561d25a 100644
+--- a/debian/config/amd64/none/config
+++ b/debian/config/amd64/none/config
+@@ -6397,5 +6397,5 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+ #
+ # Upgrade to 5.10.99
+ #
+-# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+ # CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
+-- 
+2.30.2
+
--- a/kernel-rt/debian/deb_patches/series
+++ b/kernel-rt/debian/deb_patches/series
@@ -23,3 +23,4 @@
 0023-Upgrade-5.10-kernel-to-5.10.162.patch
 0024-Fix-badly-formatted-trailer-line.patch
 0025-Upgrade-5.10-kernel-to-5.10.177.patch
+0026-Disable-unprivileged-eBPF-by-default.patch
--- a/kernel-std/debian/deb_patches/0025-Disable-unprivileged-eBPF-by-default.patch
+++ b/kernel-std/debian/deb_patches/0025-Disable-unprivileged-eBPF-by-default.patch
@@ -0,0 +1,32 @@
+From 2674da4d76d74e51ef5e17dbdafd88228efed704 Mon Sep 17 00:00:00 2001
+From: Haiqing Bai <haiqing.bai@windriver.com>
+Date: Tue, 9 May 2023 06:38:27 +0000
+Subject: [PATCH] Disable unprivileged eBPF by default
+
+Unprivileged eBPF is disabled by default on most distro
+Disabling unprivileged eBPF effectively mitigates the
+known attack vectors for exploiting intra-mode branch
+injections attacks.
+This commit also removed the below kernel warning:
+"Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on,
+ data leaks possible via Spectre v2 BHB attacks!"
+
+Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
+---
+ debian/config/amd64/none/config | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/debian/config/amd64/none/config b/debian/config/amd64/none/config
+index 75625e089..70ff1b80c 100644
+--- a/debian/config/amd64/none/config
+++ b/debian/config/amd64/none/config
+@@ -6409,5 +6409,5 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
+ #
+ # Upgrade to 5.10.99
+ #
+-# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
+CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
+ # CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set
+-- 
+2.30.2
+
--- a/kernel-std/debian/deb_patches/series
+++ b/kernel-std/debian/deb_patches/series
@@ -22,3 +22,4 @@
 0022-Upgrade-5.10-kernel-to-5.10.162.patch
 0023-Fix-badly-formatted-trailer-line.patch
 0024-Upgrade-5.10-kernel-to-5.10.177.patch
+0025-Disable-unprivileged-eBPF-by-default.patch