Linux Preparing To Slightly Loosen Its Spectre Defaults

Written by Michael Larabel in Linux Security on 12 September 2021 at 12:00 AM EDT. 5 Comments
LINUX SECURITY
A change first proposed last year to the Linux kernel's Spectre mitigation defaults looks like it will soon be sent in for the mainline kernel.

The change is in regards to the default mitigation value for Spectre V2 for user-space tasks and Spectre V4 / Speculative Store Bypass. For the kernel options of "spec_store_bypass_disable" and "spectre_v2_user", the current default is the "seccomp" mode. With that default behavior the mitigations are only applied when opted into per-thread via the PRCTL interface (or otherwise a process inherits the mitigation when forked) or is enabled by default for all SECCOMP threads.

With Linux's SECCOMP being about secure computing and used for process isolation and sandboxing by a wide variety of software, it does make sense to have these Spectre mitigations by default there... Or to upstream developers at least did. The pending change now is to drop that spectre_v2_user/spec_store_bypass_disable by default for SECCOMP threads and just leave it to the "prctl" behavior as the default.

The argument to change the default has been that the SECCOMP default hasn't been entirely effective with various other security vulnerabilities out there or their default behavior and various other shortcomings or other exposure to attack by notable SECCOMP users. Plus by now a few years after Spectre first came to light, most Linux system administrators have already figured out their desired tuning configuration to use on production systems with the various speculative execution security tunables.

By reducing the default/out-of-the-box behavior for those Spectre settings from "seccomp" to "prctl", it would help with the out-of-the-box performance of SECCOMP tasks by avoiding that overhead.

The change was first proposed last Novemner. The patch by Andrea Arcangeli summed up the situation as "Ultimately setting SSBD and STIBP by default for all seccomp jails is a bad sweet spot and bad default with more cons than pros that end up reducing security in the public cloud (by giving an huge incentive to not expose SPEC_CTRL which would be needed to get full security with IBPB after setting nosmt in the guest) and by excessively hurting performance to more secure apps using seccomp that end up having to opt out with SECCOMP_FILTER_FLAG_SPEC_ALLOW."

The news this weekend is that Google's Kees Cook is planning to move ahead and pick up that patch making the default change unless there are any new objections on the matter.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week