Avoid speculative indirect calls in kernel

From: Andi Kleen
Date: Wed Jan 03 2018 - 18:12:05 EST

Next message: Steve French: "Re: [RFC PATCH linux-next] CIFS: SMBD: _smbd_get_connection() can be static"
Previous message: Andi Kleen: "[PATCH 08/11] x86/retpoline/irq32: Convert assembler indirect jumps"
Next in thread: Andi Kleen: "[PATCH 05/11] x86/retpoline/hyperv: Convert assembler indirect jumps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is a fix for Variant 2 in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Any speculative indirect calls in the kernel can be tricked
to execute any kernel code, which may allow side channel
attacks that can leak arbitrary kernel data.

So we want to avoid speculative indirect calls in the kernel.

There's a special code sequence called a retpoline that can
do indirect calls without speculation. We use a new compiler
option -mindirect-branch=thunk-extern (gcc patch will be released
separately) to recompile the kernel with this new sequence.

We also patch all the assembler code in the kernel to use
the new sequence.

The patches were originally from David Woodhouse and Tim Chen,
but then reworked and enhanced by me.

No performance numbers at this point. 32bit is only boot tested.

Git tree available in
git://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-misc spec/retpoline-415-1

v1: Initial post.

Next message: Steve French: "Re: [RFC PATCH linux-next] CIFS: SMBD: _smbd_get_connection() can be static"
Previous message: Andi Kleen: "[PATCH 08/11] x86/retpoline/irq32: Convert assembler indirect jumps"
Next in thread: Andi Kleen: "[PATCH 05/11] x86/retpoline/hyperv: Convert assembler indirect jumps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]