Announcement

**dungeon** · 15 January 2018, 02:35 PM

Originally posted by davidbepo View Post

remember. if using AMD add noretpoline to boot options, the issue isn't exploitable on default settings

Better don't remember that

, as option noretpoline does not exists seems now that is nospectre_v2

**numacross** · 15 January 2018, 04:07 PM

Originally posted by dungeon View Post

Better don't remember that

, as option noretpoline does not exists seems now that is nospectre_v2

Shouldn't it be "yesspectre_v2" instead? It's supposed to disable the anti-spectre v2 measures after all

**dungeon** · 15 January 2018, 04:39 PM

Originally posted by numacross View Post

Shouldn't it be "yesspectre_v2" instead? It's supposed to disable the anti-spectre v2 measures after all

Well, that is not a word nor linguistically correct - as no there means no>this or turn off this whatever that is

**Guest** · 15 January 2018, 05:12 PM

Originally posted by -MacNuke- View Post

Since Retpoline seems to be ineffective on Skylake an up (found this via Google: https://lwn.net/Articles/743019/ ), what is the connection between Google Retpoline and Intels IBRS Microcode enhancements + patches? What is merged and what not? Should someone use IBRS or Retpoline? Does the Kernel pick the right way or do I have to do something?

According to intel it works, but IBRS should be a way forward (on the other hand it needs microcode update). IBRS isn't merged yet, patches are still being discussed.
Eventually IBRS should be default on skylake+, with user having option to go back to retpoline.

**arjan_intel** · 18 January 2018, 11:28 AM

Originally posted by tpruzina View Post

According to intel it works, but IBRS should be a way forward (on the other hand it needs microcode update). IBRS isn't merged yet, patches are still being discussed.
Eventually IBRS should be default on skylake+, with user having option to go back to retpoline.

Working for Intel... Retpoline is by far the preferred method.
It's a bit more complex to deploy (you need to also change your compiler) so not everyone can easily do it, but if you can do that, it's by far the preferred method.

**Guest** · 19 January 2018, 12:43 PM

Originally posted by arjan_intel View Post

Working for Intel... Retpoline is by far the preferred method.
It's a bit more complex to deploy (you need to also change your compiler) so not everyone can easily do it, but if you can do that, it's by far the preferred method.

Interesting, care to summarize why?
Edit: https://newsroom.intel.com/wp-conten...e-Channels.pdf

LKML: "Woodhouse, David": Re: Avoid speculative indirect calls in kernel

https://lkml.org/lkml/2018/1/4/432

Was largely working with the comment

Originally posted by David Woodhouse @ LKML

Later CPUs are intended to have an 'IBRS all the time' feature which is set-and-forget, and will perform much better, I believe. If we find we're running on a CPU with that, we'll turn off the retpoline with alternatives.

although I might have misunderstood the context of what "later CPUs" means (I assumed skylake+).

**AkiraFactor** · 20 January 2018, 09:32 PM

Originally posted by davidbepo View Post

remember. if using AMD add noretpoline to boot options, the issue isn't exploitable on default settings

Currently the manually specified AMD processor boot options would be: nopti spectre_v2
=retpoline,amd for for kernel 4.15.

Announcement

Retpoline Backported To Linux 4.9, Linux 4.14 Kernels

Comment

Comment

Comment

Comment

Comment

Comment

Comment