Kernel reports eBPF, eIBRS and Spectre v2-related security warning during boot-up
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| StarlingX |
Fix Released
|
Medium
|
hqbai | ||
Bug Description
Brief Description
-----------------
The following error messages printed out by the kernel near the end of the boot-up sequence:
Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
This does not appear by default, only if the customer runs with spectre v2 mitigations active with below
way:
Remove the kernel parameter 'nospectre_v2' and reboot
Severity
--------
Major
Steps to Reproduce
------------------
a. Remove the kernel parameter 'nospectre_v2' and reboot
b. dmesg | grep eIBRS
Expected Behavior
------------------
There is not below warning message reported by kernel:
Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Actual Behavior
----------------
There is below warning messages:
Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!
Reproducibility
---------------
Reproducible
System Configuration
-------
NA
Branch/Pull Time/Commit
-------
NA
Last Pass
---------
NA
Timestamp/Logs
--------------
NA
Test Activity
-------------
NA
Workaround
----------
NA
| description: | updated |
| Changed in starlingx: | |
| status: | New → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix merged to kernel (master) | #1 |
| Changed in starlingx: | |
| status: | In Progress → Fix Released |
| Changed in starlingx: | |
| importance: | Undecided → Medium |
| tags: | added: stx.9.0 stx.distro.other |
| Changed in starlingx: | |
| assignee: | nobody → hqbai (hbai) |
Reviewed: https:/
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 20e578cdd84c0be
Author: Haiqing Bai <email address hidden>
Date: Mon May 15 15:47:18 2023 +0800
kernel: Disable unprivileged eBPF by default
The following warning message is printed out starting with kernel
version 5.10.105 in response to a newer Spectre-type security issue:
Spectre V2: WARNING: Unprivileged eBPF is enabled with eIBRS on, data
leaks possible via Spectre v2 BHB attacks!
This message is printed out when Spectre v2 mitigations are enabled and
unprivileged eBPF is enabled.
This warning message was introduced with commit afc2d635b5e1
("x86/
mitigation reporting") in the Linux stable team's linux-5.10.y branch.
The first tag that includes this change in that branch is "v5.10.105".
This commit sets the "CONFIG_
suppress the aforementioned warning message. Note that unprivileged eBPF
is disabled by default in most distributions. Disabling unprivileged
eBPF is recommended as a (partial) mitigation against attack primitives
known as Spectre-v2-BHB ("Spectre v2 aided by the Branch History
Buffer"), as documented at the following links:
- https:/
- https:/
technical
branch-
Also note that if unprivileged eBPF is re-enabled at runtime via
"sysctl" or by writing to "/proc/
then the warning message in question will appear in the kernel logs.
Verification:
- On a test system, remove the kernel command line argument
'
- Reboot.
- With this commit, the following warning message does not appear in the
kernel's logs, as confirmed with "dmesg | grep eIBRS": "Spectre V2:
WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks
possible via Spectre v2 BHB attacks!". (Without this commit, the
aforement
Closes-Bug: 2019268
Signed-off-by: Haiqing Bai <email address hidden>
Change-Id: I03d9ef494384c5