Linux Kernel Getting New Option So SSBD Isn't Over-Protective - Helping Performance

Written by Michael Larabel in Linux Security on 31 January 2019 at 07:15 AM EST. 1 Comment
LINUX SECURITY
For the Linux kernel's Speculative Store Bypass Disable (SSBD) handling for Spectre Variant 4 protection is support for processes opting into force disabling of speculation via a prctl() interface. Currently when speculation is disabled, that is carried through to new processes started via the execve() system call. But a new bit will allow clearing that state when a new program is started by a process otherwise relying upon PR_SPEC_DISABLE, in what will help the performance in such cases.

Queued for introduction to the mainline Linux kernel is a new PR_SPEC_DISABLE_NOEXEC option for prctl as part of the Speculative Store Bypass Disable options but where the state is cleared on execve() calls. The premise is that programs opting into disabling speculation are doing so, but programs that aren't vulnerable to the speculation-related misfeatures normally aren't checking to see that the PR_SPEC_ENABLE bit is set rather just assuming the status quo. Thus with the current PR_SPEC_DISABLE behavior, programs spawned via execve() may be protected when they really don't need to be and carrying with that the added performance overhead.

Processes using execve() and knowing those programs don't need this speculation protection will be able to set the PR_SPEC_DISABLE_NOEXEC bit for indicating as such and thus ensuring optimal performance for those programs.

Waiman Long of Red Hat who authored the patch now queued in tip.git explains:
With the default SPEC_STORE_BYPASS_SECCOMP/SPEC_STORE_BYPASS_PRCTL mode, the TIF_SSBD bit will be inherited when a new task is fork'ed or cloned. It will also remain when a new program is execve'ed.

Only certain class of applications (like Java) that can run on behalf of multiple users on a single thread will require disabling speculative store bypass for security purposes. Those applications will call prctl(2) at startup time to disable SSB. They won't rely on the fact the SSB might have been disabled. Other applications that don't need SSBD will just move on without checking if SSBD has been turned on or not.

The fact that the TIF_SSBD is inherited across execve(2) boundary will cause performance of applications that don't need SSBD but their predecessors have SSBD on to be unwittingly impacted especially if they write to memory a lot.

Of course, applications desiring the current behavior can continue using that bit or the PR_SPEC_FORCE_DISABLE if wanting to force the SSBD functionality and not allowing it to be potentially undone.
1 Comment
Related News
New Linux Patch Lets You Force CPU Bugs/Mitigations Even When Not Vulnerable
Linux To Allow Disabling TPM PCR Integrity Protection Due To Performance Bottleneck
OpenPaX Announced As "Open-Source Alternative To GrSecurity" With Free Kernel Patch
Unauthenticated RCE Flaw With CVSS 9.9 Rating For Linux Systems Affects CUPS
Landlock Sandboxing Now Supports More Controls Around Unix Sockets
Linux 6.12 Adds Build Options For Greater Control Over CPU Security Mitigations
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features