xref: /linux/Documentation/userspace-api/spec_ctrl.rst (revision 356e4bfff2c5489e016fdb925adbf12a1e3950ee)
===================
Speculation Control
===================

Quite a few CPUs have speculation-related misfeatures which are in fact
vulnerabilities causing data leaks in various forms, even across privilege
domains.

The kernel provides mitigation for such vulnerabilities in various
forms. Some of these mitigations are compile-time configurable and some
can be supplied on the kernel command line.

There is also a class of mitigations which are very expensive, but they can
be restricted to a certain set of processes or tasks in controlled
environments. The mechanism to control these mitigations is via
:manpage:`prctl(2)`.

There are two prctl options which are related to this:

 * PR_GET_SPECULATION_CTRL

 * PR_SET_SPECULATION_CTRL

PR_GET_SPECULATION_CTRL
-----------------------

PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
the following meaning:

==== ===================== ===================================================
Bit  Define                Description
==== ===================== ===================================================
0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
                           PR_SET_SPECULATION_CTRL
1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
                           disabled
2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
                           enabled
3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.
==== ===================== ===================================================

If all bits are 0 the CPU is not affected by the speculation misfeature.

If PR_SPEC_PRCTL is set, then the per task control of the mitigation is
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
misfeature will fail.

PR_SET_SPECULATION_CTRL
-----------------------

PR_SET_SPECULATION_CTRL allows per-task control of the speculation
misfeature which is selected by arg2 of :manpage:`prctl(2)`. arg3 is used to
hand in the control value, i.e. either PR_SPEC_ENABLE, PR_SPEC_DISABLE or
PR_SPEC_FORCE_DISABLE.

Common error codes
------------------

======= =================================================================
Value   Meaning
======= =================================================================
EINVAL  The prctl is not implemented by the architecture or unused
        prctl(2) arguments are not 0

ENODEV  arg2 selects an unsupported speculation misfeature
======= =================================================================

PR_SET_SPECULATION_CTRL error codes
-----------------------------------

======= =================================================================
Value   Meaning
======= =================================================================
0       Success

ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE

ENXIO   Control of the selected speculation misfeature is not possible.
        See PR_GET_SPECULATION_CTRL.

EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
        tried to enable it again.
======= =================================================================

Speculation misfeature controls
-------------------------------

- PR_SPEC_STORE_BYPASS: Speculative Store Bypass

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
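
The query-then-set sequence for PR_SPEC_STORE_BYPASS, written out as an added C example that is not part of the kernel documentation. The names ssb_plan, ssb_decode, ssb_get and ssb_force_disable are hypothetical, -EIO is this example's own choice for a failed read-back, and the libc headers are assumed to define the PR_SPEC_* constants.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Hypothetical names: what a hardening helper should do for a given GET result. */
enum ssb_plan { SSB_NOT_AFFECTED, SSB_LOCKED, SSB_CAN_LOCK, SSB_GLOBAL_ON, SSB_GLOBAL_OFF };

/* Pure decoder for bits 0-3 of the PR_GET_SPECULATION_CTRL return value. */
static enum ssb_plan ssb_decode(unsigned long st)
{
    if (st == 0)                    return SSB_NOT_AFFECTED;
    if (st & PR_SPEC_FORCE_DISABLE) return SSB_LOCKED;
    if (st & PR_SPEC_PRCTL)         return SSB_CAN_LOCK;  /* per-task control available */
    return (st & PR_SPEC_DISABLE) ? SSB_GLOBAL_ON : SSB_GLOBAL_OFF; /* a SET would fail */
}

static long ssb_get(void)
{   /* Unused arguments are passed as unsigned long 0; non-zero values give EINVAL. */
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
}

/* Returns 0 when the task is mitigated (or the CPU is unaffected), else -errno. */
static int ssb_force_disable(void)
{
    long st = ssb_get();
    if (st < 0) return -errno;                      /* EINVAL or ENODEV */
    switch (ssb_decode((unsigned long)st)) {
    case SSB_NOT_AFFECTED: case SSB_LOCKED: case SSB_GLOBAL_ON: return 0;
    case SSB_GLOBAL_OFF: return -ENXIO;             /* no per-task control */
    default: break;                                 /* SSB_CAN_LOCK: go on to SET */
    }
    if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
              (unsigned long)PR_SPEC_FORCE_DISABLE, 0UL, 0UL) < 0)
        return -errno;                              /* ERANGE or ENXIO */
    st = ssb_get();                                 /* re-read to confirm the lock */
    return (st >= 0 && ssb_decode((unsigned long)st) == SSB_LOCKED) ? 0 : -EIO;
}

int main(void)
{
    int rc = ssb_force_disable();
    printf("SSB force-disable: %s\n", rc ? strerror(-rc) : "mitigated or not affected");
    return rc != 0;
}
```

Reading the state back with PR_GET_SPECULATION_CTRL confirms the lock without issuing a PR_SPEC_ENABLE request, which would be answered with EPERM once PR_SPEC_FORCE_DISABLE is in effect.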