Speculation Control¶
Quite some CPUs have speculation-related misfeatures which are infact vulnerabilities causing data leaks in various forms even acrossprivilege domains.
The kernel provides mitigation for such vulnerabilities in variousforms. Some of these mitigations are compile-time configurable and somecan be supplied on the kernel command line.
There is also a class of mitigations which are very expensive, but they canbe restricted to a certain set of processes or tasks in controlledenvironments. The mechanism to control these mitigations is viaprctl(2).
There are two prctl options which are related to this:
PR_GET_SPECULATION_CTRL
PR_SET_SPECULATION_CTRL
PR_GET_SPECULATION_CTRL¶
PR_GET_SPECULATION_CTRL returns the state of the speculation misfeaturewhich is selected with arg2 of prctl(2). The return value uses bits 0-3 withthe following meaning (with the caveat that PR_SPEC_L1D_FLUSH has less obvioussemantics, see documentation for that specific control below):
Bit | Define | Description |
|---|---|---|
0 | PR_SPEC_PRCTL | Mitigation can be controlled per task byPR_SET_SPECULATION_CTRL. |
1 | PR_SPEC_ENABLE | The speculation feature is enabled, mitigation isdisabled. |
2 | PR_SPEC_DISABLE | The speculation feature is disabled, mitigation isenabled. |
3 | PR_SPEC_FORCE_DISABLE | Same as PR_SPEC_DISABLE, but cannot be undone. Asubsequent prctl(..., PR_SPEC_ENABLE) will fail. |
4 | PR_SPEC_DISABLE_NOEXEC | Same as PR_SPEC_DISABLE, but the state will becleared onexecve(2). |
If all bits are 0 the CPU is not affected by the speculation misfeature.
If PR_SPEC_PRCTL is set, then the per-task control of the mitigation isavailable. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculationmisfeature will fail.
PR_SET_SPECULATION_CTRL¶
PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, whichis selected by arg2 ofprctl(2) per task. arg3 is used to handin the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE orPR_SPEC_FORCE_DISABLE.
Common error codes¶
Value | Meaning |
|---|---|
EINVAL | The prctl is not implemented by the architecture or unusedprctl(2) arguments are not 0. |
ENODEV | arg2 is selecting a not supported speculation misfeature. |
PR_SET_SPECULATION_CTRL error codes¶
Value | Meaning |
|---|---|
0 | Success |
ERANGE | arg3 is incorrect, i.e. it’s neither PR_SPEC_ENABLE norPR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE. |
ENXIO | Control of the selected speculation misfeature is not possible.See PR_GET_SPECULATION_CTRL. |
EPERM | Speculation was disabled with PR_SPEC_FORCE_DISABLE and callertried to enable it again. |
Speculation misfeature controls¶
PR_SPEC_STORE_BYPASS: Speculative Store Bypass
- Invocations:
prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);
- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
(Mitigate Spectre V2 style attacks against user processes)
- Invocations:
prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task
(works only when tasks run on non SMT cores)
For this control, PR_SPEC_ENABLE means that themitigation is enabled (L1Dis flushed), PR_SPEC_DISABLE means it is disabled.
- Invocations:
prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);