Should the BPF JIT compiler be disabled?

JIT compilers can be used to increase performance, but they are vulnerable to a bunch of attacks and can even be used to help exploit Spectre. They aren’t really needed on desktop computers.

It probably doesn’t need to be disabled though as we already harden it and restrict it to root.

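To see what "hardened and restricted to root" looks like on a running kernel, here is an added audit script (not from this thread or from the Whonix project). It assumes the standard Linux sysctl knobs net.core.bpf_jit_enable, net.core.bpf_jit_harden and kernel.unprivileged_bpf_disabled, which the posts above refer to only indirectly, and takes an optional proc root so it can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit the BPF JIT related sysctls (not part of the thread).
# Knobs read (standard Linux names, assumed here):
#   net.core.bpf_jit_enable          0 = JIT off, 1 = JIT on, 2 = on + debug dump
#   net.core.bpf_jit_harden          0 = off, 1 = unprivileged only, 2 = all users
#   kernel.unprivileged_bpf_disabled 1 or 2 = bpf() syscall restricted to privileged users
# Optional first argument: proc root (defaults to /proc) so the check can be
# exercised on a constructed tree instead of the live kernel.

read_knob() {
    # Print the trimmed value of a sysctl file, or "missing" if it is absent.
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'missing'; fi
}

# Prints: "<jit_enable> <jit_harden> <unpriv_disabled> <verdict>"
# verdict: disabled  = JIT compiler turned off
#          hardened  = JIT on, constant blinding for all users, unprivileged bpf() off
#          weak      = anything else (JIT reachable without full hardening)
bpf_jit_status() {
    root="${1:-/proc}"
    enable=$(read_knob "$root/sys/net/core/bpf_jit_enable")
    harden=$(read_knob "$root/sys/net/core/bpf_jit_harden")
    unpriv=$(read_knob "$root/sys/kernel/unprivileged_bpf_disabled")
    if [ "$enable" = "0" ]; then
        verdict=disabled
    elif [ "$harden" = "2" ] && { [ "$unpriv" = "1" ] || [ "$unpriv" = "2" ]; }; then
        verdict=hardened
    else
        verdict=weak
    fi
    printf '%s %s %s %s\n' "$enable" "$harden" "$unpriv" "$verdict"
}

# Report the live kernel's state when run directly.
bpf_jit_status
```

A verdict of "weak" on a host that expects the JIT to stay enabled means either constant blinding is not applied to all users or unprivileged processes can still load BPF programs.
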
In principle yes, however we need to be sure that nftables isn’t using it. Nftables relies on BPF kernel infrastructure. We need to see if there is a difference between BPF and the JIT compiler.

BPF isn’t just a JIT compiler. Far more things use BPF than just the JIT compiler. Disabling the JIT compiler shouldn’t disable all BPF-related things.

nftables probably just uses the BPF JIT compiler as a performance optimization.

Good, but please provide a source.

Just a guess. The JIT compiler was only created for performance gains. I doubt nftables would rely on it for anything other than that.