Re: Improve retpoline for Skylake

From: David Woodhouse
Date: Fri Jan 12 2018 - 14:13:07 EST


On Fri, 2018-01-12 at 10:45 -0800, Andi Kleen wrote:
> [This is an alternative to David's earlier patch to only
> handle context switch. It handles more cases.]
>
> Skylake needs some additional protections over plain RETPOLINE
> for Spectre_v2.
>
> The CPU can fall back to the potentially poisoned indirect branch
> predictor when the return buffer underflows.
>
> This patch kit extends RETPOLINE to guard against many (but not
> all) of such cases by filling the return buffer.
>
> - Context switch when switching from shallow to deeper call chain
> - Idle which clears the return buffer
> - Interrupts which cause deep call chains
>
> This is done with a new SPECTRE_V2 defense mode and feature flag.
>
> The mitigations are only enabled on Skylake, patched out
> on other CPUs.

Thanks for exploring what it would take to do this.

I admit I'm still not convinced. I think Skylake should probably just
default to IBRS (since the performance doesn't suck *quite* as much
there as it does on earlier CPUs) or give the user a command-line
option to use retpoline with the RSB-stuffing that is already
implemented.

Skylake still loses if it takes an SMI, right? Or encounters a call
stack of more than 16 in depth?

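To make the two failure modes in this exchange concrete (an empty return stack buffer falling back to the indirect predictor, and RSB stuffing only covering as many returns as the buffer holds), here is a small simulation. It is an added example, not code from this thread or from the kernel: it models the RSB as a 16-entry stack (the depth David's reply uses for Skylake), the `rsb_*` functions and `TRAP_ADDR` are constructed names, and the effect of an SMI on the buffer is an assumption modelled as draining it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Depth of the return stack buffer (RSB). 16 is the figure David's reply
 * uses for Skylake; here it is a parameter of the model, not a measurement. */
#define RSB_DEPTH 16

/* Constructed address of the harmless "speculation trap" that every dummy
 * entry written by the stuffing sequence points at. */
#define TRAP_ADDR 0xdeadbeefULL

/* Toy model of the return predictor: a fixed-depth stack of predicted
 * return targets plus a counter of RETs the RSB could not predict and that
 * therefore fell back to the indirect branch predictor (BTB). */
struct rsb_model {
    uint64_t entries[RSB_DEPTH];
    int top;          /* number of valid entries, 0..RSB_DEPTH */
    int underflows;   /* RETs predicted from the BTB instead of the RSB */
};

static void rsb_reset(struct rsb_model *r)
{
    memset(r, 0, sizeof *r);
}

/* Empty the buffer but keep the statistics (used for the SMI scenario). */
static void rsb_drain(struct rsb_model *r)
{
    r->top = 0;
}

/* CALL pushes a predicted return target; a full RSB drops its oldest entry. */
static void rsb_call(struct rsb_model *r, uint64_t ret_addr)
{
    if (r->top == RSB_DEPTH) {
        memmove(&r->entries[0], &r->entries[1],
                (RSB_DEPTH - 1) * sizeof r->entries[0]);
        r->top--;
    }
    r->entries[r->top++] = ret_addr;
}

/* RET pops a prediction. On an empty RSB the model does what the cover
 * letter describes for Skylake: it consults the BTB, the path whose
 * contents the kernel does not control. Returns the predicted target,
 * or 0 when the prediction came from the BTB. */
static uint64_t rsb_ret(struct rsb_model *r)
{
    if (r->top == 0) {
        r->underflows++;
        return 0;
    }
    return r->entries[--r->top];
}

/* RSB stuffing: RSB_DEPTH dummy CALLs whose return targets are the trap,
 * after which real code restores the stack pointer without executing the
 * matching RETs. This mirrors the idea of the kernel's RSB-filling
 * sequence, not its assembly. */
static void rsb_stuff(struct rsb_model *r)
{
    for (int i = 0; i < RSB_DEPTH; i++)
        rsb_call(r, TRAP_ADDR);
}

/* Scenario from the cover letter: the RSB has been emptied (idle, or a
 * switch away from a shallow task) and the incoming task now unwinds
 * `depth` frames that were never pushed into this RSB. Returns how many
 * of those RETs were predicted from the BTB. */
static int returns_from_btb(int depth, bool stuffed)
{
    struct rsb_model r;
    rsb_reset(&r);
    if (stuffed)
        rsb_stuff(&r);
    for (int i = 0; i < depth; i++)
        rsb_ret(&r);
    return r.underflows;
}

/* David's SMI question: an event the kernel never sees may leave the RSB
 * in a state the stuffing did not prepare. Assumption for the model: the
 * SMI drains the buffer after `smi_at` of the `depth` returns. */
static int returns_from_btb_after_smi(int depth, int smi_at)
{
    struct rsb_model r;
    rsb_reset(&r);
    rsb_stuff(&r);
    for (int i = 0; i < depth; i++) {
        if (i == smi_at)
            rsb_drain(&r);
        rsb_ret(&r);
    }
    return r.underflows;
}

int main(void)
{
    printf("depth  unstuffed  stuffed\n");
    for (int depth = 4; depth <= 24; depth += 4)
        printf("%5d  %9d  %7d\n", depth,
               returns_from_btb(depth, false), returns_from_btb(depth, true));
    printf("stuffed, 10 returns, SMI after 5: %d from BTB\n",
           returns_from_btb_after_smi(10, 5));
    return 0;
}
```

The table the program prints is the whole argument in numbers: without stuffing every return of the unwound task is predicted from the BTB; with stuffing the first 16 go to the trap and only the excess over 16 reaches the BTB, which is exactly the "call stack of more than 16 in depth" case, and a drain that happens after stuffing (the SMI case) reopens the window regardless of depth.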