Linux Gets New Patch To Fix AMD Retbleed Mitigation - STIBP Needed With IBPB
Sent out this morning is a Linux kernel "fix" that now enables STIBP when using the IBPB mode for Retbleed mitigations on AMD processors. In other words, more protections are needed for this enhanced mode of Retbleed mitigation.
Last month Retbleed was made public as a new speculative execution attack exploiting return instructions. Retbleed affects Intel CPUs from Core 8th Gen and older as well as AMD Zen 1, Zen 1+, and Zen 2 processors. The Retbleed Linux kernel mitigations added last month induce performance hits for Intel and are painful for AMD too, especially on the older Zen 1 CPUs.
If opting for the more secure Indirect Branch Prediction Barrier "IBPB" mitigation, which can also mitigate short speculation windows on basic block boundaries, rather than just the "unret" default, it now turns out a month later that Single Thread Indirect Branch Predictors "STIBP" must also be enabled.
The IBPB-based protection for Retbleed is deemed the most secure but also has the highest performance impact and thus isn't the default behavior. With today's new Linux kernel "fix", if going for the IBPB-based protection there is now an "ibpb,nosmt" mode where Simultaneous Multi-Threading (SMT) will be disabled if STIBP support isn't available on the given system.
This flipping on of STIBP in the IBPB Retbleed mitigation mode is just for AMD processors, with it apparently now being determined that IBPB alone isn't enough to protect against Retbleed on AMD Zen 1 / 1+ / 2 processors. The "x86 fix" message on the mailing list this Saturday morning by Ingo Molnar simply summed it up as:
Fix the "IBPB mitigated RETBleed" mode of operation on AMD CPUs (not turned on by default), which also need STIBP enabled (if available) to be '100% safe' on even the shortest speculation windows.
The code patch also adds to the documentation:
AMD-based UNRET and IBPB mitigations alone do not stop sibling threads from influencing the predictions of other sibling threads. For that reason, STIBP is used on processors that support it, and mitigate SMT on processors that don't.
Again, this retbleed=ibpb mode isn't currently the default on Linux for older AMD Zen CPUs, but it is the most secure and the heaviest hitting for performance, now even heavier with STIBP also being forced on capable CPUs. Looks like I'll be running some fresh Retbleed AMD Linux mitigation benchmarks shortly, looking at the performance impact on different mitigation paths.
This security fix should be picked up by mainline this weekend for Linux 6.0-rc1 and then likely begin appearing in the back-ported stable kernel releases over the next week.
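The sibling-thread rule from the documentation quoted above can be turned into a quick host audit. The following is an added example, not code from the kernel patch or from this article: the function name and result strings are hypothetical, and it assumes the `stibp` flag in /proc/cpuinfo indicates STIBP support and that /sys/devices/system/cpu/smt/active reports 1 while SMT is on. It checks the preconditions only, not what the running kernel actually enabled.

```shell
#!/bin/sh
# assess_retbleed CMDLINE CPUFLAGS SMT_ACTIVE   (hypothetical helper)
#   CMDLINE     kernel command line, as found in /proc/cmdline
#   CPUFLAGS    the "flags" line from /proc/cpuinfo
#   SMT_ACTIVE  contents of /sys/devices/system/cpu/smt/active (1 or 0)
# Prints one of: not-ibpb-mode, ok-smt-off, ok-stibp, check-smt, sibling-exposed
assess_retbleed() {
    cmdline=$1
    flags=$2
    smt=$3

    # Pick up the last retbleed= option given on the command line.
    mode=default
    for arg in $cmdline; do
        case $arg in
            retbleed=*) mode=${arg#retbleed=} ;;
        esac
    done

    # Whole-word match so that e.g. "amd_stibp" alone does not count.
    case " $flags " in
        *" stibp "*) stibp=yes ;;
        *)           stibp=no ;;
    esac

    # The rule discussed here only concerns the IBPB-based modes.
    case $mode in
        ibpb|ibpb,nosmt) ;;
        *) echo "not-ibpb-mode"; return 0 ;;
    esac

    if [ "$smt" != 1 ]; then
        echo "ok-smt-off"        # no sibling thread to influence predictions
    elif [ "$stibp" = yes ]; then
        echo "ok-stibp"          # STIBP can isolate the sibling threads
    elif [ "$mode" = "ibpb,nosmt" ]; then
        echo "check-smt"         # nosmt requested but SMT still reported active
    else
        echo "sibling-exposed"   # IBPB alone, SMT on, no STIBP support
    fi
}

# On a live host:
#   assess_retbleed "$(cat /proc/cmdline)" "$(grep -m1 '^flags' /proc/cpuinfo)" \
#                   "$(cat /sys/devices/system/cpu/smt/active)"
```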