Linux 4.15-rc8 Bringing BPF Security Improvements For Fending Speculative Attacks

Written by Michael Larabel in Linux Kernel on 14 January 2018 at 07:56 AM EST.

The Linux 4.15-rc8 kernel, expected for release today as the final step before Linux 4.15, is still seeing continued security improvements in the wake of the Spectre CPU vulnerabilities.

Landing in the mainline Git tree at this stage of the Linux 4.15 kernel cycle were some security features around BPF, the Berkeley Packet Filter, and the related and popular Extended BPF (eBPF) virtual machine for the Linux kernel.

Landing this week was a change that prevents out-of-bounds speculation in the BPF code. This is the BPF-side fix for the "Variant One" vulnerability on all architectures.

The other addition is BPF_JIT_ALWAYS_ON, which prevents BPF from being used in a Variant Two style attack. BPF_JIT_ALWAYS_ON enables the BPF Just-In-Time (JIT) code and removes the BPF interpreter that could be used for launching a Spectre 2 attack. The BPF JIT is supported on x86/x86_64, ARM/ARM64, SPARC64, and other architectures. BPF starts JIT'ed programs at a randomized location and the code page is marked read-only. There are also other hardening techniques for the BPF JIT that make it better than the interpreter. More details are in the aforelinked Git commit message.
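One way to check a kernel for this option, as an added example that is not from the article or the kernel tree: the script reads a kernel config for `CONFIG_BPF_JIT_ALWAYS_ON` (the Kconfig symbol for the option above) and reports the `net.core.bpf_jit_enable` sysctl. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel config for the BPF_JIT_ALWAYS_ON hardening.
# Function names and the sample files below are constructed for illustration.

# Print the value of one CONFIG_ symbol from a kernel config, or "n" if unset.
kconfig_value() {
    cfg=$1; sym=$2
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # e.g. /proc/config.gz
        *)    reader="cat" ;;        # e.g. /boot/config-$(uname -r)
    esac
    val=$($reader "$cfg" 2>/dev/null | sed -n "s/^${sym}=//p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Returns 0 if the interpreter is compiled out, 1 if it is still built in,
# 2 if the config cannot be read. $2 is a directory laid out like
# /proc/sys/net/core (parameterised so the check can run on sample data).
bpf_interpreter_removed() {
    cfg=$1; sysdir=${2:-/proc/sys/net/core}
    [ -r "$cfg" ] || { echo "UNKNOWN: cannot read $cfg"; return 2; }
    jit=$(kconfig_value "$cfg" CONFIG_BPF_JIT)
    always=$(kconfig_value "$cfg" CONFIG_BPF_JIT_ALWAYS_ON)
    if [ "$jit" = y ] && [ "$always" = y ]; then
        echo "OK: CONFIG_BPF_JIT_ALWAYS_ON=y, BPF interpreter not built"
        return 0
    fi
    # Without ALWAYS_ON the interpreter stays in the kernel even when the
    # JIT is switched on at runtime, so report the sysctl for context only.
    enable=$(cat "$sysdir/bpf_jit_enable" 2>/dev/null || echo unknown)
    echo "WEAK: CONFIG_BPF_JIT=$jit CONFIG_BPF_JIT_ALWAYS_ON=$always" \
         "bpf_jit_enable=$enable (interpreter still built in)"
    return 1
}

# Constructed sample inputs, not taken from a real system.
tmp=$(mktemp -d)
printf 'CONFIG_BPF_JIT=y\nCONFIG_BPF_JIT_ALWAYS_ON=y\n' > "$tmp/hardened"
printf 'CONFIG_BPF_JIT=y\n# CONFIG_BPF_JIT_ALWAYS_ON is not set\n' > "$tmp/weak"
echo 0 > "$tmp/bpf_jit_enable"
bpf_interpreter_removed "$tmp/hardened" "$tmp" || true
bpf_interpreter_removed "$tmp/weak" "$tmp" || true
rm -rf "$tmp"
```

On a real system, pass the running kernel's config (commonly `/boot/config-$(uname -r)` or `/proc/config.gz`) as the first argument and omit the second.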

Between Linux 4.15 and the upcoming Linux 4.16, it is quite a busy kernel season. Linus Torvalds should be releasing the final Linux 4.15 release candidate later today.