===================
Speculation Control
===================

Quite a few CPUs have speculation-related misfeatures which are in
fact vulnerabilities causing data leaks in various forms even across
privilege domains.

The kernel provides mitigation for such vulnerabilities in various
forms. Some of these mitigations are compile-time configurable and some
can be supplied on the kernel command line.

There is also a class of mitigations which are very expensive, but they can
be restricted to a certain set of processes or tasks in controlled
environments. The mechanism to control these mitigations is via
:manpage:`prctl(2)`.

There are two prctl options which are related to this:

 * PR_GET_SPECULATION_CTRL

 * PR_SET_SPECULATION_CTRL

PR_GET_SPECULATION_CTRL
-----------------------

PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
the following meaning:

==== ====================== ==================================================
Bit  Define                 Description
==== ====================== ==================================================
0    PR_SPEC_PRCTL          Mitigation can be controlled per task by
                            PR_SET_SPECULATION_CTRL.
1    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
                            disabled.
2    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
                            enabled.
3    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
4    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
                            cleared on :manpage:`execve(2)`.
==== ====================== ==================================================

If all bits are 0 the CPU is not affected by the speculation misfeature.

If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
misfeature will fail.

PR_SET_SPECULATION_CTRL
-----------------------

PR_SET_SPECULATION_CTRL controls, per task, the speculation misfeature which
is selected by arg2 of :manpage:`prctl(2)`. arg3 is used to hand
in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
PR_SPEC_FORCE_DISABLE.

Common error codes
------------------

======= =================================================================
Value   Meaning
======= =================================================================
EINVAL  The prctl is not implemented by the architecture or unused
        prctl(2) arguments are not 0.

ENODEV  arg2 selects an unsupported speculation misfeature.
======= =================================================================

PR_SET_SPECULATION_CTRL error codes
-----------------------------------

======= =================================================================
Value   Meaning
======= =================================================================
0       Success

ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.

ENXIO   Control of the selected speculation misfeature is not possible.
        See PR_GET_SPECULATION_CTRL.

EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
        tried to enable it again.
======= =================================================================

Speculation misfeature controls
-------------------------------

- PR_SPEC_STORE_BYPASS: Speculative Store Bypass

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);

- PR_SPEC_INDIRECT_BRANCH: Indirect Branch Speculation in User Processes
  (Mitigate Spectre V2 style attacks against user processes)

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
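The following C program is an added example, not part of the kernel documentation. It reads the state of both misfeatures with PR_GET_SPECULATION_CTRL, interprets the bits and error codes described above, and requests PR_SPEC_DISABLE only when per-task control is reported. The spec_result enum and the spec_classify and spec_harden functions are names chosen for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

#ifndef PR_SPEC_DISABLE_NOEXEC           /* older headers; bit 4 per the table above */
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

/* Result names are this example's own, not kernel identifiers. */
enum spec_result { SPEC_NOT_AFFECTED, SPEC_MITIGATED, SPEC_CAN_DISABLE,
                   SPEC_NO_TASK_CONTROL, SPEC_UNSUPPORTED, SPEC_ERROR };

/* Interpret a PR_GET_SPECULATION_CTRL return value; err is errno when state < 0. */
enum spec_result spec_classify(long state, int err)
{
    if (state < 0)   /* EINVAL: prctl not implemented; ENODEV: misfeature unsupported */
        return (err == EINVAL || err == ENODEV) ? SPEC_UNSUPPORTED : SPEC_ERROR;
    if (state == 0)  /* all bits 0: CPU not affected */
        return SPEC_NOT_AFFECTED;
    if (state & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return SPEC_MITIGATED;
    if (!(state & PR_SPEC_PRCTL))  /* a SET would fail with ENXIO */
        return SPEC_NO_TASK_CONTROL;
    return SPEC_CAN_DISABLE;       /* speculation enabled, per-task control available */
}

/* Query one misfeature and, if possible, turn its mitigation on for this task. */
enum spec_result spec_harden(unsigned long which)
{
    long state = prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL);
    enum spec_result r = spec_classify(state, errno);
    if (r != SPEC_CAN_DISABLE)
        return r;
    /* PR_SPEC_DISABLE can be undone later; PR_SPEC_FORCE_DISABLE cannot. */
    if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_DISABLE, 0UL, 0UL) != 0)
        return SPEC_ERROR;
    /* Read the state back instead of trusting the SET return value alone. */
    state = prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL);
    return spec_classify(state, errno);
}

int main(void)
{
    static const char *const names[] = { "not affected", "mitigated", "can disable",
        "no per-task control", "unsupported", "error" };
    printf("store bypass:    %s\n", names[spec_harden(PR_SPEC_STORE_BYPASS)]);
    printf("indirect branch: %s\n", names[spec_harden(PR_SPEC_INDIRECT_BRANCH)]);
    return 0;
}
```

A process that must stay mitigated for its whole lifetime would pass PR_SPEC_FORCE_DISABLE instead, after which an attempt to re-enable speculation fails with EPERM.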