Linux Kernel Getting New Option So SSBD Isn't Over-Protective - Helping Performance

Written by Michael Larabel in Linux Security on 31 January 2019 at 07:15 AM EST. 1 Comment
LINUX SECURITY
For the Linux kernel's Speculative Store Bypass Disable (SSBD) handling for Spectre Variant 4 protection is support for processes opting into force disabling of speculation via a prctl() interface. Currently when speculation is disabled, that is carried through to new processes started via the execve() system call. But a new bit will allow clearing that state when a new program is started by a process otherwise relying upon PR_SPEC_DISABLE, in what will help the performance in such cases.

Queued for introduction to the mainline Linux kernel is a new PR_SPEC_DISABLE_NOEXEC option for prctl as part of the Speculative Store Bypass Disable options but where the state is cleared on execve() calls. The premise is that programs opting into disabling speculation are doing so, but programs that aren't vulnerable to the speculation-related misfeatures normally aren't checking to see that the PR_SPEC_ENABLE bit is set rather just assuming the status quo. Thus with the current PR_SPEC_DISABLE behavior, programs spawned via execve() may be protected when they really don't need to be and carrying with that the added performance overhead.

Processes using execve() and knowing those programs don't need this speculation protection will be able to set the PR_SPEC_DISABLE_NOEXEC bit for indicating as such and thus ensuring optimal performance for those programs.

Waiman Long of Red Hat who authored the patch now queued in tip.git explains:
With the default SPEC_STORE_BYPASS_SECCOMP/SPEC_STORE_BYPASS_PRCTL mode, the TIF_SSBD bit will be inherited when a new task is fork'ed or cloned. It will also remain when a new program is execve'ed.

Only certain class of applications (like Java) that can run on behalf of multiple users on a single thread will require disabling speculative store bypass for security purposes. Those applications will call prctl(2) at startup time to disable SSB. They won't rely on the fact the SSB might have been disabled. Other applications that don't need SSBD will just move on without checking if SSBD has been turned on or not.

The fact that the TIF_SSBD is inherited across execve(2) boundary will cause performance of applications that don't need SSBD but their predecessors have SSBD on to be unwittingly impacted especially if they write to memory a lot.

Of course, applications desiring the current behavior can continue using that bit or the PR_SPEC_FORCE_DISABLE if wanting to force the SSBD functionality and not allowing it to be potentially undone.
1 Comment
Related News
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Fedora Linux 40 Available For Download As A Wonderful Upgrade
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"