我又看了一下Google Project Zero的文

Spectre 1攻擊方法是利用CPU沒有確認記憶體存取邊界,
導致有心人可以存取核心記憶體資料,所以並不是eBPF JIT開啟就代表允許
用戶程式可以合法訪問核心記憶體

uint64_t bitmask = <runtime-configurable>;
uint64_t bitshift_selector = <runtime-configurable>;
uint64_t prog_array_base_offset = <runtime-configurable>;
uint64_t secret_data_offset = <runtime-configurable>;
// index will be bounds-checked by the runtime,
// but the bounds check will be bypassed speculatively
uint64_t secret_data = bpf_map_read(array=victim_array, index=secret_data_offset);
// select a single bit, move it to a specific position, and add the base offset
uint64_t progmap_index = (((secret_data & bitmask) >> bitshift_selector) << 7) + prog_array_base_offset;
bpf_tail_call(prog_map, progmap_index);

然後為什麼eBPF JIT開啟時可以攻擊成功,是因為eBPF JIT開啟時產生的執行碼
剛好能配合AMD CPU的漏洞,當然也可以配合intel CPU的漏洞

eBPF JIT關閉時產生的執行碼會被AMD CPU擋掉,但可適用於intel CPU
所以intel的漏洞比較大是可以確認的