Intel Developer's Patch To Let SECCOMP Processes Like Web Browsers Opt Out Of Spectre V4

Written by Michael Larabel in Intel on 13 March 2020 at 08:08 AM EDT. 11 Comments
Currently the Linux kernel SECCOMP secure computing mode force-enables Spectre protections, which comes with obvious performance implications. When force-enabled, however, processes can't opt out of the protection even if they are not at risk from the likes of Spectre V4 "Speculative Store Bypass" issues. But a simple change being proposed would let such processes opt out if desired.

Longtime Intel Linux developer Andi Kleen has proposed the change to allow overriding SECCOMP's speculation disable behavior. Rather than force-disabling speculation, it still would be disabled by default but not "forced" -- which in turn would let processes opt out of the behavior due to that semantic change. The PR_SET_SPECULATION_CTRL prctl can then be used for toggling SSBD and IB behavior.
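
The prctl interface the article refers to, as an added example that is not part of Kleen's patch or the kernel tree: it decodes the PR_GET_SPECULATION_CTRL state for SSBD, reports whether the calling task could still opt out (the case the semantic change permits), and shows that a sandbox wanting the hard guarantee can pin the mitigation itself with PR_SPEC_FORCE_DISABLE regardless of the seccomp default. The helper names are the author's own; the constants are the ones from linux/prctl.h.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
/* Values from linux/prctl.h, redefined only if the local headers predate them. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif
/* Decode a PR_GET_SPECULATION_CTRL result into a short description (hypothetical helper). */
const char *spec_state_name(long state) {
    if (state < 0) return "query failed";
    if (state == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (state & PR_SPEC_FORCE_DISABLE) return "mitigation forced on (cannot opt out)";
    if (state & PR_SPEC_DISABLE_NOEXEC) return "mitigation on until next exec";
    if (state & PR_SPEC_DISABLE)
        return (state & PR_SPEC_PRCTL) ? "mitigation on, opt-out allowed" : "mitigation on system-wide";
    if (state & PR_SPEC_ENABLE)
        return (state & PR_SPEC_PRCTL) ? "mitigation off, opt-in allowed" : "mitigation off system-wide";
    return "unknown state";
}
/* 1 if the task could still turn SSBD off itself, the case Kleen's change makes possible. */
int spec_can_opt_out(long state) {
    return state > 0 && (state & PR_SPEC_PRCTL) && !(state & PR_SPEC_FORCE_DISABLE);
}
int main(void) {
    long st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("before: %ld (%s), can opt out: %d\n", st, spec_state_name(st), spec_can_opt_out(st));
    /* A sandbox wanting the hard guarantee pins the mitigation itself, independent of seccomp. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0) != 0) {
        printf("force disable unavailable: %s\n", strerror(errno));
        return 1;
    }
    st = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    printf("after force: %ld (%s), can opt out: %d\n", st, spec_state_name(st), spec_can_opt_out(st));
    /* The kernel refuses to undo a forced disable: this returns -1 with errno == EPERM. */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0) != 0)
        printf("re-enable refused: %s\n", strerror(errno));
    return 0;
}
```

Note that the forced state is per task and inherited by children, so run this in a throwaway process rather than a shell you want to keep using.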

Kleen's motivation appears to be largely influenced by offsetting the SSBD performance hit to web browsers. "The seccomp user has a superior mitigation and doesn't need the CPU level disables. For example for a Web Browser this is using site isolation, which separates different sites in different processes, so side channel leaks inside a process are not of a concern...In some cases we're seeing significant performance penalties of enabling the SSBD mitigation on web workloads."

Kleen went on to add with the patch, "Longer term we probably need to discuss if the seccomp heuristic is still warranted and should be perhaps changed. It seemed like a good idea when these vulnerabilities were new, and no web browsers supported site isolation. But with site isolation widely deployed -- Chrome has it on by default, and as I understand it, Firefox is going to enable it by default soon. And other seccomp users (like sshd or systemd) probably don't really need it. Given that it's not clear the default heuristic is still a good idea."

Besides web browsers using SECCOMP for sandboxing some processes, it is also used by the likes of Docker, VSFTPD, Flatpak, LXD, and many other Linux processes. To reiterate, though, there is no out-of-the-box change in mitigation behavior besides allowing SECCOMP processes to opt out if they choose to do so.

Kleen's patch was volleyed yesterday but so far hasn't received any feedback. We'll keep monitoring to see if this change gets accepted for the forthcoming Linux 5.7 cycle.