Linux 4.15-rc8 Bringing BPF Security Improvements For Fending Speculative Attacks
Landing in the mainline Git tree at this stage of the Linux 4.15 kernel cycle were some security features around BPF, the Berkeley Packet Filter and the related and popular Extended BPF (eBPF) virtual machine for the Linux kernel.
Landing this week was preventing out-of-bounds speculation with the BPF code. This is the BPF-side fix for dealing with the "Variant One" vulnerability for all architectures.
The other addition is adding BPF_JIT_ALWAYS_ON for preventing BPF from being used in a Variant Two style attack. The BPF_JIT_ALWAYS_ON enables the BPF Just-In-Time (JIT) code and removes the BPF interpreter that could be used for launching a Spectre 2 attack. The BPF JIT is supported on x86/x86_64, ARM/ARM64, SPARC64, and other architectures. BPF starts JIT'ed programs at a randomized location and the code page is marked read-only. There is also other hardening techniques for the BPF JIT to make it better than its interpreter. More details on that with the aforelinked Git commit message.
Linux 4.15 and ahead with Linux 4.16 is quite a busy kernel season. Linus Torvalds should be releasing the final Linux 4.15 release candidate later today.