You are not logged in.

#1 2021-02-11 20:35:30

gebki
Member
Registered: 2021-01-22
Posts: 8

[SOLVED]CPU speculativ store bypass prctl/seccomp

Looks like i'm affected with a possible cpu bypass attack. i have some problems setting the correct prctl() values. never had to deal with it.

lscpu

 
Vulnerability Itlb multihit:     KVM: Mitigation: VMX disabled
Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling
Vulnerability Srbds:             Mitigation; Microcode
Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT vulnerable

according to my research the mitigation needs to be enabled by using prctl().

find / -name prctl.h

/usr/lib/modules/5.10.15-arch1-1/build/arch/x86/include/uapi/asm/prctl.h
/usr/lib/modules/5.10.15-arch1-1/build/include/uapi/linux/prctl.h
/usr/include/linux/prctl.h
/usr/include/sys/prctl.h
/usr/include/asm/prctl.h

/usr/include/linux/prctl.h

210 /* Per task speculation control */
211 #define PR_GET_SPECULATION_CTRL         52
212 #define PR_SET_SPECULATION_CTRL         53
213 /* Speculation control variants */
214 # define PR_SPEC_STORE_BYPASS           0
215 # define PR_SPEC_INDIRECT_BRANCH        1
216 /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
217 # define PR_SPEC_NOT_AFFECTED           0
218 # define PR_SPEC_PRCTL                  (1UL << 0)
219 # define PR_SPEC_ENABLE                 (1UL << 1)
220 # define PR_SPEC_DISABLE                (1UL << 2)
221 # define PR_SPEC_FORCE_DISABLE          (1UL << 3)
222 # define PR_SPEC_DISABLE_NOEXEC         (1UL << 4)

how can i enable the mitigation ?

Last edited by gebki (2021-03-18 22:06:49)

Offline

#2 2021-02-11 21:01:50

Ropid
Member
Registered: 2015-03-09
Posts: 1,003

Re: [SOLVED]CPU speculativ store bypass prctl/seccomp

Doesn't that "Mitigation" word you see in the lscpu output mean that it's mitigated? I'm thinking the text behind the ";" is supposed to be an explanation of how the mitigation is done?

On my system here, I tried comparing the normal lscpu output with the output when adding "mitigations=off" to the kernel command line.

This here is the normal lscpu output:

...
Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full AMD retpoline, IBPB conditional, STIBP disabled, RSB filling
...

And here is the output when using "mitigations=off":

...
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, IBPB: disabled, STIBP: disabled
...

Offline

#3 2021-02-11 21:13:47

loqs
Member
Registered: 2014-03-06
Posts: 13,177

Re: [SOLVED]CPU speculativ store bypass prctl/seccomp

Mitigation; Speculative Store Bypass disabled via prctl and seccomp

Mitigation is enabled by a process calling prctl and specifically enabling the protection (see man 2 prctl) or by any process that calls seccomp,  this is taken to imply the process is security related and needs the protection.  If you want all process to use the mitigation set the kernel parameter spec_store_bypass_disable=on
Which on this system gives:

Vulnerability Spec store bypass: Mitigation; Speculative Store Bypass disabled

Last edited by loqs (2021-02-11 21:22:00)

Offline

#4 2021-02-12 00:07:09

gebki
Member
Registered: 2021-01-22
Posts: 8

Re: [SOLVED]CPU speculativ store bypass prctl/seccomp

Ropid wrote:

Doesn't that "Mitigation" word you see in the lscpu output mean that it's mitigated? I'm thinking the text behind the ";" is supposed to be an explanation of how the mitigation is done?

first i was confused too but i searched for couple hours and found some security-vulnerability-reports (suse&RHLE). ithe "Mitigation" means it is a potental solution and it seams in this case its true.

Speculative Store Bypass explained - RHL

acording to the suse security report
SuSe-Security-Vulnerability-Report

Potential values here are :

Not affected

The processor is not affected by this problem.

Vulnerable

The processor is vulnerable.

Mitigation: Speculative Store Bypass disabled

The processor is vulnerable and the mitigation is enabled by default.

Mitigation: Speculative Store Bypass disabled via prctl

The processor is vulnerable and the mitigation needs to be enabled by using prctl().

Mitigation: Speculative Store Bypass disabled via prctl and seccomp

The processor is vulnerable and the mitigation needs to be enabled by using prctl() or seccomp().



it must be enabled by using prctl()

i found the prctl(2) - Arch manual page but i dont know how. iam a advanced user but this is tooooo advanced smile). the prtl.h file located in /usr/include/linux/ looks like no man's land to me sad.

Offline

#5 2021-02-12 00:12:04

loqs
Member
Registered: 2014-03-06
Posts: 13,177

Re: [SOLVED]CPU speculativ store bypass prctl/seccomp

You do not call prctl or seccomp they are system calls a program can use.  Did you try the kernel parameter I suggested would enable the mitigation for all processes?
Edit just to note:

Vulnerability L1tf:              Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT vulnerable
Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT vulnerable

SMT is not mitigated.

Vulnerability Spectre v2:        Mitigation; Full generic retpoline, IBPB conditional, IBRS_FW, STIBP conditional, RSB filling

The mitigation is also in part applied selectively.

Last edited by loqs (2021-02-12 02:51:04)

Offline

Board footer

Powered by FluxBB