
Spectre variants 3A and 4

Posted: Wed May 23, 2018 5:34 pm
by Imaging
For the recently disclosed Spectre variants 3A and 4, are the current ASL protections in the kernel sufficient, or will new mitigations need to be implemented due to the nature of the variants?

Thanks.

Re: Spectre variants 3A and 4

Posted: Tue May 29, 2018 4:38 pm
by mikeshinn
3A isn't relevant for servers. For Spectre 4, yes: the latest 4.14 kernel contains mitigations against Spectre v4. GRKERNSEC_BPF_HARDEN is enough to avoid Spectre v4 attacks via eBPF; in other cases the mitigations are controlled by both a boot-time option and a per-process prctl(). Microcode updates are required to make use of this added functionality.

The boot-time option is "spec_store_bypass_disable" and can be specified with the following arguments:

auto
on (disables speculative store bypass entirely)
off (leaves previous system behavior intact)
prctl (allows disabling via prctl)
seccomp (allows disabling via prctl and seccomp)

"auto" currently defaults to the seccomp mode, which will allow manual disabling of speculative store bypass (i.e. the application must opt-in to the mitigation) and also auto-applies the mitigation to anything running in a seccomp sandbox.

Plans for the future are to implement this via static analysis if possible.
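
The per-process side of the control described in the reply above, as an added example (this is not code from the original thread or from the kernel): a small C program for Linux on x86 that reads the process's current Speculative Store Bypass state with PR_GET_SPECULATION_CTRL, opts in with PR_SET_SPECULATION_CTRL, and decodes the result flags. The prctl numbers and PR_SPEC_* flags are those of linux/prctl.h in 4.17 (and the 4.14 backports) and are redefined only for older headers; the sysfs path is the one the kernel exposes. The helper names (ssb_query, ssb_disable, ssb_state_name, ssb_read_sysfs) are this example's own.

```c
/*
 * Added example, not from the original post: query and opt into the
 * Spectre v4 (Speculative Store Bypass) per-process mitigation through
 * the prctl() interface described above. Build: cc -O2 -o ssb ssb.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from linux/prctl.h (4.17 and the 4.14 backports), for older headers. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* sysfs file reporting the system-wide state selected at boot. */
#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

/* Decode a PR_GET_SPECULATION_CTRL result (pure function, testable offline). */
const char *ssb_state_name(long state)
{
    if (state < 0)
        return "query failed (kernel has no speculation control interface)";
    if (state == PR_SPEC_NOT_AFFECTED)
        return "not affected";
    if (!(state & PR_SPEC_PRCTL))   /* boot mode "on" or "off": fixed system-wide */
        return (state & PR_SPEC_DISABLE)
            ? "mitigated system-wide (boot mode on), not controllable"
            : "vulnerable, not controllable (boot mode off)";
    if (state & PR_SPEC_FORCE_DISABLE)
        return "mitigated, force-disabled (cannot be re-enabled)";
    if (state & PR_SPEC_DISABLE)
        return "mitigated, disabled via prctl (can be re-enabled)";
    if (state & PR_SPEC_ENABLE)
        return "vulnerable, controllable via prctl";
    return "unknown state";
}

/* This thread's SSB state, or -1 with errno set (EINVAL on kernels without it). */
long ssb_query(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
}

/*
 * Opt this thread (and anything it forks afterwards) into the mitigation.
 * With force != 0 the kernel rejects later PR_SPEC_ENABLE requests, which is
 * what a sandbox wants before it runs untrusted code. Returns 0 or -errno:
 * -ENXIO when the boot mode is "on" or "off" (or the CPU/microcode offers no
 * SSBD control) so the per-task switch is unavailable, -EINVAL when the
 * kernel lacks the interface altogether.
 */
int ssb_disable(int force)
{
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, ctrl, 0UL, 0UL) != 0)
        return -errno;
    return 0;
}

/* Copy the one-line sysfs summary into buf; 1 on success, 0 if unavailable. */
int ssb_read_sysfs(char *buf, size_t len)
{
    FILE *f = fopen(SSB_SYSFS, "r");
    int ok = f && fgets(buf, (int)len, f) != NULL;
    if (f)
        fclose(f);
    if (ok)
        buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

int main(void)
{
    char sysfs[256];
    int rc;

    if (ssb_read_sysfs(sysfs, sizeof sysfs))
        printf("sysfs : %s\n", sysfs);
    printf("before: %s\n", ssb_state_name(ssb_query()));

    rc = ssb_disable(0);            /* non-forced, so the demo is repeatable */
    if (rc != 0)
        printf("prctl(PR_SET_SPECULATION_CTRL) failed: %s\n", strerror(-rc));
    printf("after : %s\n", ssb_state_name(ssb_query()));
    return 0;
}
```

Two things worth checking when running this. If the sysfs line says "Vulnerable" and ssb_disable() returns -ENXIO on a kernel that has the interface, the kernel fell back to the "off" behaviour because the CPU does not advertise SSBD, which is the microcode dependency mentioned in the reply. In the default "seccomp" mode, installing a seccomp filter already force-disables speculative store bypass for the task, so a process that is sandboxed that way will report PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE without ever calling PR_SET_SPECULATION_CTRL itself.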

Re: Spectre variants 3A and 4

Posted: Wed May 30, 2018 12:16 pm
by Imaging
Thanks!