Linux 4.15-rc8 Bringing BPF Security Improvements For Fending Speculative Attacks

Written by Michael Larabel in Linux Kernel on 14 January 2018 at 07:56 AM EST. 2 Comments
LINUX KERNEL
With the Linux 4.15-rc8 kernel that is expected for release today as the final step before Linux 4.15, it's still seeing continued security improvements in the wake of the Spectre CPU vulnerabilities.

Landing in the mainline Git tree at this stage of the Linux 4.15 kernel cycle were some security features around BPF, the Berkeley Packet Filter and the related and popular Extended BPF (eBPF) virtual machine for the Linux kernel.

Landing this week was preventing out-of-bounds speculation with the BPF code. This is the BPF-side fix for dealing with the "Variant One" vulnerability for all architectures.

The other addition is adding BPF_JIT_ALWAYS_ON for preventing BPF from being used in a Variant Two style attack. The BPF_JIT_ALWAYS_ON enables the BPF Just-In-Time (JIT) code and removes the BPF interpreter that could be used for launching a Spectre 2 attack. The BPF JIT is supported on x86/x86_64, ARM/ARM64, SPARC64, and other architectures. BPF starts JIT'ed programs at a randomized location and the code page is marked read-only. There is also other hardening techniques for the BPF JIT to make it better than its interpreter. More details on that with the aforelinked Git commit message.

Linux 4.15 and ahead with Linux 4.16 is quite a busy kernel season. Linus Torvalds should be releasing the final Linux 4.15 release candidate later today.
2 Comments
Related News
Linux 6.9-rc5 Released: The Diffstat "Looks A Bit Wonky" But Not Bad
Linux 6.9-rc5 Picking Up Fixes For Intel FRED, BHI & GFNI/VAES Checks
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.9-rc4 Brings More Bcachefs Fixes, Native BHI Mitigation
Linux 6.10 To Account For NUMA Node When Allocating Per-CPU Cpumasks
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Linus Torvalds Injects Tabs To Thwart Kconfig Parsers Not Correctly Handling Them
Linux 6.10 To Merge NTSYNC Driver For Emulating Windows NT Synchronization Primitives
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
Proposed "LibGodot" Lets You Embed Godot Game Engine Into Other Apps