Re: [PATCH] x86/speculation: Allow overriding seccomp speculation disable

From: Kees Cook
Date: Sat Mar 28 2020 - 23:41:07 EST


On Thu, Mar 26, 2020 at 07:10:47AM -0700, Andi Kleen wrote:
> SECCOMP_FILTER_FLAG_SPEC_ALLOW doesn't completely solve the problem because
> it enables everything, including cross process defenses, like Spectre.

Fair point. It is a much bigger hammer that I was considering.

> I'm not aware of anything else that is not a browser that would rely on the
> seccomp heuristic. Are you?

My memory was that a bunch of container folks were glad to have it for
their workloads. But I'd agree, between browsers and containers, the
lifetime is a bit shorter. (Though what about browsers in cars, hmpf.)

> Anyways back to the opt-in:
>
> Anyways one way to keep your design goals would be to split the SECCOMP
> flags into flags for SSBD and SPECTRE. Then at least the web browser
> could reenable it

How about relaxing the SSBD side of the "AUTO" setting? I've run out of
time today to go look and see if that's even possible, or if it's bolted
together like SECCOMP_FILTER_FLAG_SPEC_ALLOW is...

--
Kees Cook