Intel Working On New Hardware-Based Prevention For Spectre-BHI Attacks
Made public back in March by VUSec was Spectre BHI as an extension of Spectre V2 and also sometimes referred to as Spectre-BHB. Arm CPUs are impacted by this Branch History Injection vulnerability and Intel CPUs are too from 12th Gen Alder Lake back through at least Haswell.
When the Spectre Branch History Injection / Branch History Buffer was disclosed in March, the Linux kernel mitigations landed for Arm and Intel CPUs. Since then there hasn't been much to report on Branch History Injection attacks while this past week while developers were busy with Retbleed, a Linux kernel patch series was sent out for supporting BHI_DIS as a hardware-based BHI prevention for future Intel CPUs.
The Intel BHI_DIS patch series explains:
Branch History Injection (BHI) attacks can be mitigated using the BHI_DIS_S indirect predictor control bit located in MSR_IA32_SPEC_CTRL register. Set BHI_DIS in MSR_IA32_SPC_CTRL to prevent predicted targets of indirect branches executed in CPL0, CPL1, or CPL2 from being selected based on branch history from branches executed in CPL3. Support for this feature is enumerated by CPUID.7.2.EDX[BHI_CTRL] (bit 4).
Users wanting BHI protection can specify spectre_v2=eibrs,bhi_dis to enable hardware BHI protections. On platforms where BHI protections are not available in the hardware revert to eibrs,retpoline mitigations.
The CPUID.7.2.EDX[BHI_CTRL] bit has been part of Intel technical documentation but only this past week saw Linux kernel patches for optionally enabling this BHI_DIS control... Currently-released processors do not support this hardware-based prevention, but presumably is coming in the next generation or so of Intel CPUs, and hence now getting around to preparing the Linux kernel control for enabling this feature.
Notable that even with future CPUs bearing this capability, the current Linux kernel patches aren't set to enable the BHI_DIS protection by default. The user/administrator must opt into it with the spectre_v2=eibrs,bhi_dis option to enjoy eIBRS and BHI_DIS.
Thus in response to that Intel patch series, longtime Linux x86 developer Boris Petkov immediately asked why is this hardware protection not automatically enabled for supported platforms. Peter Zijlstra of Intel as well publicly asked on the kernel mailing list what hardware will have this feature and "[as far as I can tell] this doesn't get auto-selected; how bad is performance for this to not be so?"
The patch series posting and those two follow-ups were posted back on Thursday. Now Monday afternoon and no further public responses/details on the BHI_DIS hardware support or the performance cost or other reasoning for not having this enabled by default. We'll see.