selftests/bpf: more precise cpu_mitigations state detection #9123
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: f66b4aa |
|
Upstream branch: f66b4aa |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/970550=>bpf-next
branch
from
fe4ce43 to
7abcff1
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=972079 expired. Closing PR. |
|
Upstream branch: f66b4aa |
kernel-patches-daemon-bpf
bot
added
new
V3
and removed
changes-requested
V2
V2-ci-pass
labels
kernel-patches-daemon-bpf
bot
force-pushed
the
series/970550=>bpf-next
branch
from
7abcff1 to
0cad325
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
13e07b5 to
ca6e071
Compare
|
Upstream branch: a633dab |
test_progs and test_verifier binaries execute unpriv tests under the
following conditions:
- unpriv BPF is enabled;
- CPU mitigations are enabled (see [1] for details).
The detection of the "mitigations enabled" state is performed by
unpriv_helpers.c:get_mitigations_off() via inspecting kernel boot
command line, looking for a parameter "mitigations=off".
Such detection scheme won't work for certain configurations,
e.g. when CONFIG_CPU_MITIGATIONS is disabled and boot parameter is
not supplied.
Miss-detection leads to test_progs executing tests meant to be run
only with mitigations enabled, e.g.
verifier_and.c:known_subreg_with_unknown_reg(), and reporting false
failures.
Internally, verifier sets bpf_verifier_env->bypass_spec_{v1,v4}
basing on the value returned by kernel/cpu.c:cpu_mitigations_off().
This function is backed by a variable kernel/cpu.c:cpu_mitigations.
This state is not fully introspect-able via sysfs. The closest proxy
is /sys/devices/system/cpu/vulnerabilities/spectre_v1, but it reports
"vulnerable" state only if mitigations are disabled *and* current cpu
is vulnerable, while verifier does not check cpu state.
There are only two ways the kernel/cpu.c:cpu_mitigations can be set:
- via boot parameter;
- via CONFIG_CPU_MITIGATIONS option.
This commit updates unpriv_helpers.c:get_mitigations_off() to scan
/boot/config-$(uname -r) and /proc/config.gz for
CONFIG_CPU_MITIGATIONS value in addition to boot command line check.
Tested using the following configurations:
- mitigations enabled (unpriv tests are enabled)
- mitigations disabled via boot cmdline (unpriv tests skipped)
- mitigations disabled via CONFIG_CPU_MITIGATIONS
(unpriv tests skipped)
[1] https://lore.kernel.org/bpf/[email protected]/
Reported-by: Mykyta Yatsenko <[email protected]>
Signed-off-by: Eduard Zingerman <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/970550=>bpf-next
branch
from
0cad325 to
c265867
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ca6e071 to
2f8bb38
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=972739 irrelevant now. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: selftests/bpf: more precise cpu_mitigations state detection
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=972079