Re: [RFC 04/10] x86/mm: Only flush indirect branches when switching into non dumpable process

From: H.J. Lu
Date: Sun Jan 21 2018 - 09:07:19 EST


On Sun, Jan 21, 2018 at 4:04 AM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
>> On Sat, Jan 20, 2018 at 08:22:55PM +0100, KarimAllah Ahmed wrote:
>>> From: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
>>>
>>> Flush indirect branches when switching into a process that marked
>>> itself non dumpable. This protects high value processes like gpg
>>> better, without having too high performance overhead.
>>
>> So if I understand it right, this is only needed if the 'other'
>> executable itself is susceptible to spectre. If say someone audited gpg
>> for spectre-v1 and built it with retpoline, it would be safe to not
>> issue the IBPB, right?
>
> Spectre V2 not v1. V1 is separate.
> For V2 retpoline is enough... as long as all the libraries have it too.
>
>> So would it make sense to provide an ELF flag / personality thing such
>> that userspace can indicate it's spectre-safe?
>
> Yes, Arjan and I were pondering that yesterday; it probably does make
> sense. Also for allowing a return to userspace after vmexit, if the army
> process itself is so marked.

Please take a look at how CET is handled in program property in
x86-64 psABI for CET:

https://github.com/hjl-tools/x86-psABI/wiki/x86-64-psABI-cet.pdf
--
H.J.
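The mechanism referred to above, the GNU program property note (`.note.gnu.property`) that the x86-64 psABI uses to mark a binary as built for CET, is easy to inspect from userspace. The following is an added example, not code from the psABI, binutils or the kernel: it decodes a `NT_GNU_PROPERTY_TYPE_0` note, reads the `GNU_PROPERTY_X86_FEATURE_1_AND` bitmask (IBT and SHSTK bits), and locates the note section in a little-endian ELF64 image. The constant values are those published in the psABI and glibc headers; the `build_gnu_property_note` helper only constructs test input and is not how a linker is driven.

```python
"""Decode the GNU program-property note used by the x86-64 psABI for CET markers.
Added illustration of the property-note mechanism; not psABI, binutils or kernel code."""
import struct

# Values from the x86-64 psABI / <elf.h>
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(note, elfclass=64):
    """Parse one ELF note blob and return {pr_type: pr_data} for a
    NT_GNU_PROPERTY_TYPE_0 note owned by "GNU"; raise ValueError otherwise."""
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name = note[12:12 + namesz]
    if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
        raise ValueError("not a GNU property note")
    desc_off = 12 + _align(namesz, 4)
    desc = note[desc_off:desc_off + descsz]
    pad = 8 if elfclass == 64 else 4  # each property's data is padded to the ELF word size
    props = {}
    off = 0
    while off < len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, off)
        off += 8
        props[pr_type] = desc[off:off + pr_datasz]
        off += _align(pr_datasz, pad)
    return props


def x86_feature_1(props):
    """Return the FEATURE_1_AND bitmask, or None if the note does not carry one."""
    data = props.get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if data is None or len(data) != 4:
        return None
    return struct.unpack("<I", data)[0]


def cet_markers(note, elfclass=64):
    """Return (ibt, shstk) booleans for a property note blob."""
    flags = x86_feature_1(parse_gnu_property_note(note, elfclass))
    if flags is None:
        return (False, False)
    return (bool(flags & GNU_PROPERTY_X86_FEATURE_1_IBT),
            bool(flags & GNU_PROPERTY_X86_FEATURE_1_SHSTK))


def build_gnu_property_note(feature_1, elfclass=64):
    """Assemble a note blob in the on-disk layout (used here to construct test input)."""
    pad = 8 if elfclass == 64 else 4
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_1)
    prop += b"\0" * (_align(len(prop), pad) - len(prop))
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


def find_gnu_property_note(elf):
    """Locate .note.gnu.property in a little-endian ELF64 image; return its bytes or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff, = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def shdr(i):  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        return struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)

    strtab_off = shdr(e_shstrndx)[4]
    for i in range(e_shnum):
        sh = shdr(i)
        name_off = strtab_off + sh[0]
        name = elf[name_off:elf.index(b"\0", name_off)]
        if name == b".note.gnu.property":
            return elf[sh[4]:sh[4] + sh[5]]
    return None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            note = find_gnu_property_note(f.read())
        print("no .note.gnu.property" if note is None else
              "IBT=%s SHSTK=%s" % cet_markers(note))
    else:
        # Constructed sample: a note marking both IBT and SHSTK
        sample = build_gnu_property_note(GNU_PROPERTY_X86_FEATURE_1_IBT |
                                         GNU_PROPERTY_X86_FEATURE_1_SHSTK)
        print("IBT=%s SHSTK=%s" % cet_markers(sample))
```

Run it with the path of a binary to report its CET markers, or without arguments to decode the constructed sample. The same note format is what a "spectre-safe" or retpoline-built marker, as discussed in the thread, would naturally extend: a further `GNU_PROPERTY_X86_FEATURE_1_*` bit in the AND-combined property, which the linker clears unless every input object sets it, matching the point that every library must be built the same way.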