===================
Speculation Control
===================

Quite a few CPUs have speculation-related misfeatures which are in
fact vulnerabilities causing data leaks in various forms even across
privilege domains.

The kernel provides mitigation for such vulnerabilities in various
forms. Some of these mitigations are compile-time configurable and some
can be supplied on the kernel command line.

There is also a class of mitigations which are very expensive, but they can
be restricted to a certain set of processes or tasks in controlled
environments. The mechanism to control these mitigations is via
:manpage:`prctl(2)`.

There are two prctl options which are related to this:

 * PR_GET_SPECULATION_CTRL

 * PR_SET_SPECULATION_CTRL

PR_GET_SPECULATION_CTRL
-----------------------

PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
the following meaning:

==== ====================== ==================================================
Bit  Define                 Description
==== ====================== ==================================================
0    PR_SPEC_PRCTL          Mitigation can be controlled per task by
                            PR_SET_SPECULATION_CTRL.
1    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
                            disabled.
2    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
                            enabled.
3    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
4    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
                            cleared on :manpage:`execve(2)`.
==== ====================== ==================================================

If all bits are 0 the CPU is not affected by the speculation misfeature.

If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
misfeature will fail.

.. _set_spec_ctrl:

PR_SET_SPECULATION_CTRL
-----------------------

PR_SET_SPECULATION_CTRL allows controlling, per task, the speculation
misfeature which is selected by arg2 of :manpage:`prctl(2)`. arg3 is used
to hand in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE
or PR_SPEC_FORCE_DISABLE.

Common error codes
------------------
======= =================================================================
Value   Meaning
======= =================================================================
EINVAL  The prctl is not implemented by the architecture or unused
        prctl(2) arguments are not 0.

ENODEV  arg2 selects an unsupported speculation misfeature.
======= =================================================================

PR_SET_SPECULATION_CTRL error codes
-----------------------------------
======= =================================================================
Value   Meaning
======= =================================================================
0       Success

ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.

ENXIO   Control of the selected speculation misfeature is not possible.
        See PR_GET_SPECULATION_CTRL.

EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
        tried to enable it again.
======= =================================================================

Speculation misfeature controls
-------------------------------
- PR_SPEC_STORE_BYPASS: Speculative Store Bypass

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);

- PR_SPEC_INDIRECT_BRANCH: Indirect Branch Speculation in User Processes
                        (Mitigate Spectre V2 style attacks against user processes)

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);

- PR_SPEC_L1D_FLUSH: Flush L1D Cache on context switch out of the task
                        (works only when tasks run on non SMT cores)

  Invocations:
   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, 0, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_ENABLE, 0, 0);
   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_L1D_FLUSH, PR_SPEC_DISABLE, 0, 0);
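
The query-then-set sequence for PR_SPEC_STORE_BYPASS, with the state bits and error codes from the tables above handled explicitly, is shown below as an added example (not part of the kernel documentation). The helper names ``spec_describe`` and ``spec_harden`` are hypothetical, and the ``#define`` fallbacks are only used when the libc headers predate these prctl options.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for older libc headers; values are those of the kernel UAPI header. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC  (1UL << 4)
#endif

/* Hypothetical helper: decode a PR_GET_SPECULATION_CTRL result (or -errno). */
const char *spec_describe(long st)
{
    if (st < 0)                      return "error";
    if (st == 0)                     return "not affected";
    if (st & PR_SPEC_FORCE_DISABLE)  return "mitigated, cannot be undone";
    if (st & PR_SPEC_DISABLE_NOEXEC) return "mitigated until execve";
    if (st & PR_SPEC_DISABLE)        return "mitigated";
    return (st & PR_SPEC_PRCTL) ? "speculation enabled, per-task control"
                                : "speculation enabled, no per-task control";
}

/* Hypothetical helper: force-disable `which` for the calling task when the
 * kernel offers per-task control. Returns the final state bits or -errno. */
long spec_harden(unsigned long which)
{
    long st = prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL);
    if (st < 0)
        return -errno;                 /* EINVAL or ENODEV */
    if (!(st & PR_SPEC_PRCTL) || !(st & PR_SPEC_ENABLE))
        return st;                     /* already mitigated, or no per-task control */
    if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_FORCE_DISABLE, 0UL, 0UL) < 0)
        return -errno;                 /* ERANGE, ENXIO or EPERM */
    st = prctl(PR_GET_SPECULATION_CTRL, which, 0UL, 0UL, 0UL);
    return st < 0 ? -errno : st;
}

int main(void)
{
    long st = spec_harden(PR_SPEC_STORE_BYPASS);
    printf("store bypass: %s (%ld)\n", spec_describe(st), st);
    return 0;
}
```

The unused arguments are passed as ``0UL`` so that they are full-width zeros in the variadic call, since non-zero unused arguments are rejected with EINVAL.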