1===================
2Speculation Control
3===================
4
5Quite some CPUs have speculation-related misfeatures which are in
6fact vulnerabilities causing data leaks in various forms even across
7privilege domains.
8
9The kernel provides mitigation for such vulnerabilities in various
10forms. Some of these mitigations are compile-time configurable and some
11can be supplied on the kernel command line.
12
13There is also a class of mitigations which are very expensive, but they can
14be restricted to a certain set of processes or tasks in controlled
15environments. The mechanism to control these mitigations is via
16:manpage:`prctl(2)`.
17
18There are two prctl options which are related to this:
19
20 * PR_GET_SPECULATION_CTRL
21
22 * PR_SET_SPECULATION_CTRL
23
24PR_GET_SPECULATION_CTRL
25-----------------------
26
27PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
28which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
29the following meaning:
30
31==== ====================== ==================================================
32Bit  Define                 Description
33==== ====================== ==================================================
340    PR_SPEC_PRCTL          Mitigation can be controlled per task by
35                            PR_SET_SPECULATION_CTRL.
361    PR_SPEC_ENABLE         The speculation feature is enabled, mitigation is
37                            disabled.
382    PR_SPEC_DISABLE        The speculation feature is disabled, mitigation is
39                            enabled.
403    PR_SPEC_FORCE_DISABLE  Same as PR_SPEC_DISABLE, but cannot be undone. A
41                            subsequent prctl(..., PR_SPEC_ENABLE) will fail.
424    PR_SPEC_DISABLE_NOEXEC Same as PR_SPEC_DISABLE, but the state will be
43                            cleared on :manpage:`execve(2)`.
44==== ====================== ==================================================
45
46If all bits are 0 the CPU is not affected by the speculation misfeature.
47
48If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
49available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
50misfeature will fail.
51
52.. _set_spec_ctrl:
53
54PR_SET_SPECULATION_CTRL
55-----------------------
56
57PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
58is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
59in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
60PR_SPEC_FORCE_DISABLE.
61
62Common error codes
63------------------
64======= =================================================================
65Value   Meaning
66======= =================================================================
67EINVAL  The prctl is not implemented by the architecture or unused
68        prctl(2) arguments are not 0.
69
70ENODEV  arg2 is selecting a not supported speculation misfeature.
71======= =================================================================
72
73PR_SET_SPECULATION_CTRL error codes
74-----------------------------------
75======= =================================================================
76Value   Meaning
77======= =================================================================
780       Success
79
80ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
81        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
82
83ENXIO   Control of the selected speculation misfeature is not possible.
84        See PR_GET_SPECULATION_CTRL.
85
86EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
87        tried to enable it again.
88======= =================================================================
89
90Speculation misfeature controls
91-------------------------------
92- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
93
94  Invocations:
95   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
96   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
97   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
98   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
99   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE_NOEXEC, 0, 0);
100
101- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
102                        (Mitigate Spectre V2 style attacks against user processes)
103
104  Invocations:
105   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
106   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
107   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
108   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
109