Spectre variants 3A and 4

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm


For the recently disclosed Spectre variants 3A and 4, are the current ASL protections in the kernel sufficient or will new mitigations need to be implemented due to the nature of the variants?

Thanks.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4120
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Spectre variants 3A and 4


3A isn't relevant for servers. For Spectre 4, yes, the latest 4.14 kernel contains mitigations against Spectre v4. GRKERNSEC_BPF_HARDEN is enough to avoid Spectre V4 attacks via eBPF; in other cases the mitigations are controlled by both a boot-time option as well as a per-process prctl(). Microcode updates are required to make use of this added functionality.

The boot-time option is "spec_store_bypass_disable" and can be specified with the following arguments:

auto
on (disables speculative store bypass entirely)
off (leaves previous system behavior intact)
prctl (allows disabling via prctl)
seccomp (allows disabling via prctl and seccomp)

"auto" currently defaults to the seccomp mode, which will allow manual disabling of speculative store bypass (i.e. the application must opt-in to the mitigation) and also auto-applies the mitigation to anything running in a seccomp sandbox.

Plans for the future are to implement this via static analysis if possible.
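
The per-process prctl() opt-in mentioned in the post above, as an added example that is not part of the thread or Atomicorp's code. It assumes the kernel exposes the upstream Linux PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL interface; the helper names ssb_classify and ssb_opt_in and the enum are hypothetical.

```c
/* Added example: opt this process in to the Speculative Store Bypass mitigation. */
#include <stdio.h>
#include <sys/prctl.h>

/* Upstream <linux/prctl.h> values, defined here in case userspace headers are older. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS  0
#define PR_SPEC_PRCTL         (1UL << 0)  /* state can be changed per process */
#define PR_SPEC_ENABLE        (1UL << 1)  /* speculation on, mitigation off */
#define PR_SPEC_DISABLE       (1UL << 2)  /* speculation off, mitigation on */
#define PR_SPEC_FORCE_DISABLE (1UL << 3)  /* as above, cannot be re-enabled */
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4) /* mitigation on until next execve */
#endif

/* Hypothetical result type for this example. */
enum ssb_state { SSB_UNSUPPORTED = -1, SSB_PROTECTED, SSB_CAN_OPT_IN, SSB_EXPOSED };

/* Classify the value returned by prctl(PR_GET_SPECULATION_CTRL, ...). */
enum ssb_state ssb_classify(long ctrl)
{
    if (ctrl < 0)  return SSB_UNSUPPORTED;           /* old kernel or call blocked */
    if (ctrl == 0) return SSB_PROTECTED;             /* PR_SPEC_NOT_AFFECTED */
    if (ctrl & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return SSB_PROTECTED;
    if (ctrl & PR_SPEC_PRCTL) return SSB_CAN_OPT_IN; /* "prctl" or "seccomp" mode */
    return SSB_EXPOSED;                              /* "off": no per-process control */
}

/* Query the state, request the mitigation if allowed, then re-read to confirm. */
enum ssb_state ssb_opt_in(void)
{
    enum ssb_state s = ssb_classify(prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0));
    if (s != SSB_CAN_OPT_IN) return s;
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0)
        return SSB_CAN_OPT_IN;                       /* request refused, still unmitigated */
    return ssb_classify(prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0));
}

int main(void)
{
    static const char *names[] = { "unsupported", "protected", "can opt in", "exposed" };
    printf("speculative store bypass: %s\n", names[ssb_opt_in() + 1]);
    return 0;
}
```

A result of "exposed" means the per-process control is unavailable, so the fix has to come from the spec_store_bypass_disable boot option rather than from the application.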
Imaging
Forum Regular
Posts: 333
Joined: Sat Sep 25, 2010 2:46 pm

Re: Spectre variants 3A and 4


Thanks!