The following warning message is printed out starting with kernel
version 5.10.105 in response to a newer Spectre-type security issue:
Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data
leaks possible via Spectre v2 BHB attacks!
This message is printed out when Spectre v2 mitigations are enabled and
unprivileged eBPF is enabled.
This warning message was introduced with commit afc2d635b5e1
("x86/speculation: Include unprivileged eBPF status in spectre v2
mitigation reporting") in the Linux stable team's linux-5.10.y branch.
The first tag that includes this change in that branch is "v5.10.105".
This commit sets the "CONFIG_BPF_UNPRIV_DEFAULT_OFF" Kconfig option to
suppress the aforementioned warning message. Note that unprivileged eBPF
is disabled by default in most distributions. Disabling unprivileged
eBPF is recommended as a (partial) mitigation against attack primitives
known as Spectre-v2-BHB ("Spectre v2 aided by the Branch History
Buffer"), as documented at the following links:
- https://www.vusec.net/projects/bhi-spectre-bhb/
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
Also note that if unprivileged eBPF is re-enabled at runtime via
"sysctl" or by writing to "/proc/sys/kernel/unprivileged_bpf_disabled",
then the warning message in question will appear in the kernel logs.
Verification:
- On a test system, remove the kernel command line argument
'nospectre_v2' from "/boot/efi/EFI/BOOT/boot.env", and save the file.
- Reboot.
- With this commit, the following warning message does not appear in the
kernel's logs, as confirmed with "dmesg | grep eIBRS": "Spectre V2:
WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks
possible via Spectre v2 BHB attacks!". (Without this commit, the
aforementioned warning message would appear in the kernel logs.)
Closes-Bug: 2019268
Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
Change-Id: I03d9ef494384c52cd4d81d02d8c76cd0fef6edb5
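The commit message describes three things a defender can check on a node: the value of the unprivileged_bpf_disabled sysctl, whether the kernel was built with CONFIG_BPF_UNPRIV_DEFAULT_OFF, and whether the Spectre v2 BHB warning is in the kernel log. The script below is an added example written for this page; it is not part of the review or of the StarlingX kernel package. The sample log and config text are constructed, and the meaning assigned to the sysctl values 0, 1 and 2 is taken from the kernel's admin-guide sysctl documentation (an assumption stated in the comments rather than something the commit message itself spells out).

```shell
#!/bin/sh
# Added example (not part of the review or the StarlingX kernel package):
# helpers that interpret the unprivileged-eBPF state the commit message
# describes, usable against the live system or against captured text.
# Assumed semantics of kernel.unprivileged_bpf_disabled follow the kernel's
# admin-guide sysctl documentation.

# Map a kernel.unprivileged_bpf_disabled value to a human-readable state.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "enabled: unprivileged users may call bpf()" ;;
        1) echo "disabled permanently: cannot be re-enabled until reboot" ;;
        2) echo "disabled: re-enablable at runtime (CONFIG_BPF_UNPRIV_DEFAULT_OFF default)" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Return 0 if the given kernel log text contains the Spectre v2 BHB warning
# quoted in the commit message, 1 otherwise.
has_bhb_warning() {
    printf '%s\n' "$1" | grep -q 'Unprivileged eBPF is enabled with eIBRS on'
}

# Return 0 if the given kernel config text sets CONFIG_BPF_UNPRIV_DEFAULT_OFF=y.
config_unpriv_default_off() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
}

# Live check: combine the three sources on a running system. Prints a
# summary and returns 0 when unprivileged eBPF is disabled and no BHB
# warning is in the log, 1 otherwise. Reading dmesg may need privileges.
live_check() {
    sysctl_file=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$sysctl_file" ] || { echo "no $sysctl_file (eBPF sysctl absent)"; return 1; }
    value=$(cat "$sysctl_file")
    echo "kernel.unprivileged_bpf_disabled=$value: $(describe_unpriv_bpf "$value")"
    config="/boot/config-$(uname -r)"
    if [ -r "$config" ]; then
        if config_unpriv_default_off "$(cat "$config")"; then
            echo "$config: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y"
        else
            echo "$config: CONFIG_BPF_UNPRIV_DEFAULT_OFF not set"
        fi
    fi
    log=$(dmesg 2>/dev/null || true)
    if has_bhb_warning "$log"; then
        echo "dmesg: Spectre v2 BHB warning present"
        return 1
    fi
    [ "$value" != "0" ]
}

# Constructed sample input for offline use (not captured from a real system).
SAMPLE_LOG='[    0.123456] Spectre V2: mitigation: Enabling Enhanced IBRS
[    0.123789] Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!'
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    describe_unpriv_bpf 2
    has_bhb_warning "$SAMPLE_LOG" && echo "sample log: warning present"
    config_unpriv_default_off "$SAMPLE_CONFIG" && echo "sample config: default-off set"
fi
```

Run it with `--live` on a node to see the real sysctl value, kernel config and log state; without arguments it exercises the helpers on the constructed sample text. The helpers take text as arguments rather than reading the system directly so the same logic can be applied to logs and configs collected from other hosts.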
26 lines
1.2 KiB
Plaintext
0001-kernel-std-Remove-the-old-changelog-file.patch
0002-kernel-std-Add-a-new-changelog-file-for-linux-yocto-.patch
0003-kernel-std-Add-a-kernel-config-file-for-stx-debian.patch
0004-kernel-std-Adapt-the-debian-folder-for-new-source.patch
0005-kernel-modules-sign-kernel-modules.patch
0006-Debian-align-config-file-with-stx-centos.patch
0007-Debian-update-5.10-Kernel-to-5.10.99.patch
0008-config-set-configs-needed-for-secure-boot.patch
0009-Drop-Android-patches.patch
0010-Debian-Disable-CONFIG_BNXT.patch
0011-Debian-Hardcode-net.naming-scheme-in-CONFIG_CMDLINE.patch
0012-Debian-update-5.10-Kernel-to-5.10.112.patch
0013-kernel-std-fix-proc-version-content.patch
0014-kernel-std-clean-patches-from-debian-release.patch
0015-Debian-Added-apparmor-security-module.patch
0016-debian-rules.real-Parallelize-xz-compression.patch
0017-Debian-Enable-WireGuard-config.patch
0018-Place-module-signing-keys-in-a-separate-packa.patch
0019-Upgrade-5.10-kernel-to-5.10.152.patch
0020-kernel-std-unset-LOCK_DOWN_IN_EFI_SECURE_BOOT.patch
0021-config-don-t-unset-CONFIG_EFIVAR_FS.patch
0022-Upgrade-5.10-kernel-to-5.10.162.patch
0023-Fix-badly-formatted-trailer-line.patch
0024-Upgrade-5.10-kernel-to-5.10.177.patch
0025-Disable-unprivileged-eBPF-by-default.patch