1b617cfc8SThomas Gleixner=================== 2b617cfc8SThomas GleixnerSpeculation Control 3b617cfc8SThomas Gleixner=================== 4b617cfc8SThomas Gleixner 5*dd079269SBorislav PetkovQuite some CPUs have speculation-related misfeatures which are in 6*dd079269SBorislav Petkovfact vulnerabilities causing data leaks in various forms even across 7*dd079269SBorislav Petkovprivilege domains. 8b617cfc8SThomas Gleixner 9b617cfc8SThomas GleixnerThe kernel provides mitigation for such vulnerabilities in various 10*dd079269SBorislav Petkovforms. Some of these mitigations are compile-time configurable and some 11*dd079269SBorislav Petkovcan be supplied on the kernel command line. 12b617cfc8SThomas Gleixner 13b617cfc8SThomas GleixnerThere is also a class of mitigations which are very expensive, but they can 14b617cfc8SThomas Gleixnerbe restricted to a certain set of processes or tasks in controlled 15b617cfc8SThomas Gleixnerenvironments. The mechanism to control these mitigations is via 16b617cfc8SThomas Gleixner:manpage:`prctl(2)`. 17b617cfc8SThomas Gleixner 18b617cfc8SThomas GleixnerThere are two prctl options which are related to this: 19b617cfc8SThomas Gleixner 20b617cfc8SThomas Gleixner * PR_GET_SPECULATION_CTRL 21b617cfc8SThomas Gleixner 22b617cfc8SThomas Gleixner * PR_SET_SPECULATION_CTRL 23b617cfc8SThomas Gleixner 24b617cfc8SThomas GleixnerPR_GET_SPECULATION_CTRL 25b617cfc8SThomas Gleixner----------------------- 26b617cfc8SThomas Gleixner 27b617cfc8SThomas GleixnerPR_GET_SPECULATION_CTRL returns the state of the speculation misfeature 28356e4bffSThomas Gleixnerwhich is selected with arg2 of prctl(2). The return value uses bits 0-3 with 29b617cfc8SThomas Gleixnerthe following meaning: 30b617cfc8SThomas Gleixner 31356e4bffSThomas Gleixner==== ===================== =================================================== 32b617cfc8SThomas GleixnerBit Define Description 33356e4bffSThomas Gleixner==== ===================== =================================================== 34b617cfc8SThomas Gleixner0 PR_SPEC_PRCTL Mitigation can be controlled per task by 35*dd079269SBorislav Petkov PR_SET_SPECULATION_CTRL. 36b617cfc8SThomas Gleixner1 PR_SPEC_ENABLE The speculation feature is enabled, mitigation is 37*dd079269SBorislav Petkov disabled. 38b617cfc8SThomas Gleixner2 PR_SPEC_DISABLE The speculation feature is disabled, mitigation is 39*dd079269SBorislav Petkov enabled. 40356e4bffSThomas Gleixner3 PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A 41356e4bffSThomas Gleixner subsequent prctl(..., PR_SPEC_ENABLE) will fail. 42356e4bffSThomas Gleixner==== ===================== =================================================== 43b617cfc8SThomas Gleixner 44b617cfc8SThomas GleixnerIf all bits are 0 the CPU is not affected by the speculation misfeature. 45b617cfc8SThomas Gleixner 46*dd079269SBorislav PetkovIf PR_SPEC_PRCTL is set, then the per-task control of the mitigation is 47b617cfc8SThomas Gleixneravailable. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation 48b617cfc8SThomas Gleixnermisfeature will fail. 49b617cfc8SThomas Gleixner 50b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL 51b617cfc8SThomas Gleixner----------------------- 52356e4bffSThomas Gleixner 53b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which 54b617cfc8SThomas Gleixneris selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand 55356e4bffSThomas Gleixnerin the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or 56356e4bffSThomas GleixnerPR_SPEC_FORCE_DISABLE. 57b617cfc8SThomas Gleixner 58b617cfc8SThomas GleixnerCommon error codes 59b617cfc8SThomas Gleixner------------------ 60b617cfc8SThomas Gleixner======= ================================================================= 61b617cfc8SThomas GleixnerValue Meaning 62b617cfc8SThomas Gleixner======= ================================================================= 63b617cfc8SThomas GleixnerEINVAL The prctl is not implemented by the architecture or unused 64*dd079269SBorislav Petkov prctl(2) arguments are not 0. 65b617cfc8SThomas Gleixner 66*dd079269SBorislav PetkovENODEV arg2 is selecting a not supported speculation misfeature. 67b617cfc8SThomas Gleixner======= ================================================================= 68b617cfc8SThomas Gleixner 69b617cfc8SThomas GleixnerPR_SET_SPECULATION_CTRL error codes 70b617cfc8SThomas Gleixner----------------------------------- 71b617cfc8SThomas Gleixner======= ================================================================= 72b617cfc8SThomas GleixnerValue Meaning 73b617cfc8SThomas Gleixner======= ================================================================= 74b617cfc8SThomas Gleixner0 Success 75b617cfc8SThomas Gleixner 76b617cfc8SThomas GleixnerERANGE arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor 77*dd079269SBorislav Petkov PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE. 78b617cfc8SThomas Gleixner 79b617cfc8SThomas GleixnerENXIO Control of the selected speculation misfeature is not possible. 80b617cfc8SThomas Gleixner See PR_GET_SPECULATION_CTRL. 81356e4bffSThomas Gleixner 82356e4bffSThomas GleixnerEPERM Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller 83356e4bffSThomas Gleixner tried to enable it again. 84b617cfc8SThomas Gleixner======= ================================================================= 85b617cfc8SThomas Gleixner 86b617cfc8SThomas GleixnerSpeculation misfeature controls 87b617cfc8SThomas Gleixner------------------------------- 88b617cfc8SThomas Gleixner- PR_SPEC_STORE_BYPASS: Speculative Store Bypass 89b617cfc8SThomas Gleixner 90b617cfc8SThomas Gleixner Invocations: 91b617cfc8SThomas Gleixner * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0); 92b617cfc8SThomas Gleixner * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0); 93b617cfc8SThomas Gleixner * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); 94356e4bffSThomas Gleixner * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0); 95