Re: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel
From: Peter Zijlstra
Date: Tue Oct 25 2022 - 16:32:09 EST
On Tue, Oct 25, 2022 at 12:38:45PM -0700, Pawan Gupta wrote:
> > I think the focus should be on finding the source sites, not protecting
> > the target sites. Where can an attacker control the register content and
> > have an indirect jump/call.
>
> That is an interesting approach. I am wondering what mitigation can
> be applied at source?
Limiting the value ranges for example. Or straight up killing the values
if they go unused -- like how we clear the registers in entry.
> LFENCE before an indirect branch can greatly
> reduce the speculation window, but will not completely eliminate it.
Depends on the part; there's a whole bunch of parts where LFENCE is
sufficient.