Re: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel

From: Pawan Gupta
Date: Tue Oct 25 2022 - 20:18:08 EST


On Tue, Oct 25, 2022 at 09:56:21PM +0200, Johannes Berg wrote:
> On Tue, 2022-10-25 at 12:38 -0700, Pawan Gupta wrote:

> And how is sprinkling random LFENCEs around better than running with
> spectre_v2=eibrs,retpoline which is the current recommended mitigation
> against all this IIRC (or even eibrs,lfence for lesser values of
> paranoia).

It's a trade-off between performance and spot fixing (hopefully a handful
of) gadgets. Even the gadget in question here is not demonstrated to be
exploitable. If this scenario changes, polluting the kernel all over is
definitely not the right approach.

> Btw, now I'm wondering - you were detecting these with the compiler
> based something, could there be a compiler pass to insert appropriate
> things, perhaps as a gcc plugin or something?

I hear it could be a lot of work for gcc. I am not sure if it's worth it,
especially when we can't establish the exploitability of these gadgets.
There are some other challenges, like hot-path sites preferring to
mask the indexes instead of using a speculation barrier for performance
reasons. I assume adding this intelligence to compilers would be
extremely hard. Also, hardware controls and features in newer processors
will make the software mitigations redundant.
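The two spot-fix options discussed in this thread, a speculation barrier after the bounds check versus masking the index so it cannot point past the array even under misspeculation, side by side in plain user-space C. This is an added example for the reader, not code from the thread, from minstrel or from the kernel: the mask function mirrors the generic fallback the kernel defines in include/linux/nospec.h, the `rate_table` and its size are constructed sample data, and the `lookup_*` function names are hypothetical. The barrier variant only emits `lfence` when built for x86; on other targets it degrades to a compiler barrier so the file still compiles.

```c
#include <stdio.h>
#include <limits.h>

/* Constructed sample table standing in for a per-rate statistics array. */
#define RATE_TABLE_SIZE 8
static const unsigned int rate_table[RATE_TABLE_SIZE] = {
    6, 9, 12, 18, 24, 36, 48, 54
};

/*
 * Branchless mask: all ones when index < size, all zeros otherwise.
 * Modelled on the generic array_index_mask_nospec() in the kernel.
 * For index < size both operands of the OR have the top bit clear, so the
 * complement has it set and the arithmetic shift yields ~0UL.  For
 * index >= size, (size - 1 - index) wraps negative, the OR has the top bit
 * set, the complement clears it and the shift yields 0.  No branch means
 * nothing for the predictor to mis-train.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Helper exposed for testing: the index after masking. */
unsigned long masked_index(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Speculation barrier: lfence on x86, compiler-only barrier elsewhere. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");   /* assumption: no-op on other arches */
#endif
}

/*
 * The Spectre v1 shape: a bounds check followed by an index.  Architecturally
 * correct, but while the branch is being resolved the CPU may speculatively
 * load rate_table[idx] for an out-of-range idx.
 */
unsigned int lookup_unprotected(unsigned long idx)
{
    if (idx >= RATE_TABLE_SIZE)
        return 0;
    return rate_table[idx];
}

/* Option 1: serialise after the check.  Simple, but costs a full lfence. */
unsigned int lookup_barrier(unsigned long idx)
{
    if (idx >= RATE_TABLE_SIZE)
        return 0;
    speculation_barrier();
    return rate_table[idx];
}

/*
 * Option 2: clamp the index with the mask.  Under misspeculation an
 * out-of-range idx becomes 0, so the speculative load stays inside the
 * table.  A few ALU ops, which is why hot paths prefer it.
 */
unsigned int lookup_masked(unsigned long idx)
{
    if (idx >= RATE_TABLE_SIZE)
        return 0;
    idx = masked_index(idx, RATE_TABLE_SIZE);
    return rate_table[idx];
}

int main(void)
{
    unsigned long probes[] = { 0, 3, 7, 8, 1000, ULONG_MAX };
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("idx=%lu mask=%#lx masked=%lu barrier=%u masked_lookup=%u\n",
               probes[i],
               array_index_mask_nospec(probes[i], RATE_TABLE_SIZE),
               masked_index(probes[i], RATE_TABLE_SIZE),
               lookup_barrier(probes[i]),
               lookup_masked(probes[i]));
    }
    return 0;
}
```

All three lookups return the same architectural result; the difference is only in what the CPU can touch transiently, which no test can observe directly. What a test can check is the mask's contract: in-range indexes pass through unchanged and every out-of-range index, including the wrap-around case, collapses to 0.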