Call Depth Tracking Coming To Linux 6.2 To Help Recover Performance On Skylake-Era CPUs
The Call Depth Tracking mitigation for Retbleed is intended to be a less costly fix for Retbleed on Skylake-based CPUs than having to enable Indirect Branch Restricted Speculation (IBRS).
Intel CPUs based on Skylake and its derivatives will be able to recover some of the performance lost to IBRS if opting to use the new Call Depth Tracking mitigation instead on Linux 6.2+.
Call Depth Tracking is a software-only mitigation that is lighter-weight than enabling IBRS on Skylake-based CPU cores, where the performance impact of IBRS can be very significant. The Call Depth Tracking approach is described in the pull request as:
What it basically does is, it aligns all kernel functions to a 16-byte boundary and adds 16 bytes of padding before the function; objtool collects all functions' locations and, when the mitigation gets applied, it patches a call accounting thunk which is used to track the call depth of the stack at any time.
When that call depth reaches a magical, microarchitecture-specific value for the Return Stack Buffer, the code stuffs that RSB and avoids its underflow which could otherwise lead to the Intel variant of Retbleed.
This software-only solution brings a lot of the lost performance back...
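To make the quoted description concrete, here is a small software model of the accounting the thunks do, written for this article as an added example; it is not kernel code, and the shift-based encoding and constants it uses (a 64-bit per-CPU word with its top bit always set, shifted right by 5 on every call and left by 5 on every return, a 16-entry RSB refilled with 16 entries once the word reaches zero) are my assumptions for the model rather than details stated on this page. It runs constructed call/return traces with and without the tracking and counts how often a return would have been predicted from an empty RSB.

```c
/*
 * Added example (not kernel code): a software model of how a call
 * accounting thunk can track call depth and refill ("stuff") the RSB
 * before it underflows. The shift-based encoding and the constants
 * below are my assumptions for the model, not details from the article.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_DEPTH_SHIFT   5                      /* assumed shift per call/return */
#define RSB_ENTRIES       16                     /* assumed RSB size */
#define RET_DEPTH_INIT    0x8000000000000000ULL  /* depth 0: only the top bit set */
#define RET_DEPTH_CREDIT  0xffffffffffffffffULL  /* value after a refill */

struct cpu_model {
    int      mitigated;    /* 1 = call depth tracking thunks are patched in */
    uint64_t depth;        /* the per-CPU tracking word */
    int      rsb_entries;  /* return addresses currently held in the RSB */
    int      stuff_events; /* how often the return thunk refilled the RSB */
    int      underflows;   /* returns predicted from an empty RSB: the Retbleed case */
};

/* Arithmetic shift right, written out so it does not rely on signed >> */
static uint64_t sar(uint64_t v, unsigned n)
{
    uint64_t r = v >> n;
    if (v & (1ULL << 63))
        r |= ~(~0ULL >> n);      /* propagate the sign bit into the top n bits */
    return r;
}

static void model_init(struct cpu_model *m, int mitigated)
{
    memset(m, 0, sizeof *m);
    m->mitigated = mitigated;
    m->depth = RET_DEPTH_INIT;   /* e.g. a fresh kernel entry with an empty RSB */
}

/* The call accounting thunk: a call pushes a prediction and deepens the word */
static void model_call(struct cpu_model *m)
{
    if (m->rsb_entries < RSB_ENTRIES)
        m->rsb_entries++;        /* the oldest entry is simply lost when full */
    if (m->mitigated)
        m->depth = sar(m->depth, RET_DEPTH_SHIFT);
}

/* The return thunk: undo one call; if the word hits zero, stuff the RSB first */
static void model_ret(struct cpu_model *m)
{
    if (m->mitigated) {
        m->depth <<= RET_DEPTH_SHIFT;
        if (m->depth == 0) {
            m->rsb_entries = RSB_ENTRIES;   /* 16 dummy calls refill the buffer */
            m->depth = RET_DEPTH_CREDIT;
            m->stuff_events++;
        }
    }
    if (m->rsb_entries == 0)
        m->underflows++;         /* the return would be predicted from elsewhere */
    else
        m->rsb_entries--;
}

/* Run a trace of 'c' (call) and 'r' (return) events and return the final state */
static struct cpu_model run_trace(const char *trace, int mitigated)
{
    struct cpu_model m;
    model_init(&m, mitigated);
    for (; *trace; trace++) {
        if (*trace == 'c')
            model_call(&m);
        else if (*trace == 'r')
            model_ret(&m);
    }
    return m;
}

int underflows_for(const char *trace, int mitigated)
{
    return run_trace(trace, mitigated).underflows;
}

int stuffs_for(const char *trace, int mitigated)
{
    return run_trace(trace, mitigated).stuff_events;
}

/* Constructed traces: unwinding a stack 20 frames deep while the RSB holds
 * nothing useful, and a balanced five-call/five-return sequence. */
#define TRACE_DEEP_UNWIND "rrrrrrrrrrrrrrrrrrrr"
#define TRACE_BALANCED    "cccccrrrrr"

int main(void)
{
    printf("deep unwind, no mitigation: %d underflows\n",
           underflows_for(TRACE_DEEP_UNWIND, 0));
    printf("deep unwind, call depth tracking: %d underflows, %d refills\n",
           underflows_for(TRACE_DEEP_UNWIND, 1), stuffs_for(TRACE_DEEP_UNWIND, 1));
    printf("balanced calls/returns: %d refills\n", stuffs_for(TRACE_BALANCED, 1));
    return 0;
}
```

The point the model makes is the one in the quote: the tracking word is only a cheap proxy for how many RSB entries are left, so a balanced run of calls and returns never triggers a refill, while a long unwind triggers one just before the buffer would run dry, and the cost is paid only at that point rather than on every return as with IBRS.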
This change in Linux 6.2 should significantly help Skylake systems and other Intel CPUs derived from Skylake. Having to rely on IBRS since Retbleed went public has been described by kernel developers as a "performance horror show", its performance impact was panned by a VMware engineer, and it has been a source of frustration over the past several months for those still relying on older Intel CPUs. Retbleed was made public back in July as arbitrary speculative execution via return instructions.
But now, thankfully, with Linux 6.2 the mitigation's impact will be lessened for those running Skylake-based systems until they are able to upgrade.
Call Depth Tracking was submitted this morning as part of the x86/core updates. The same pull request also merges FineIBT, a control-flow integrity scheme that combines software-based kernel CFI with hardware Indirect Branch Tracking (IBT) support.
Call Depth Tracking mitigation comparison benchmarks are coming soon on Phoronix for those still using several-year-old Intel desktops/servers.
For the moment at least, Call Depth Tracking isn't enabled by default on Skylake processors but requires the retbleed=stuff kernel option. I'll be running some Linux 6.2 kernel benchmarks of IBRS vs. CDT on Skylake-derived processors soon on Phoronix.