Linux 5.1 Landing Feature For Reducing Scope Of Spectre V4 Speculation Protection
The x86/pti updates for Linux 5.1 are bringing a new PR_SPEC_DISABLE_NOEXEC option, with which the SSBD speculation protection is not passed on to new processes started by exec in use-cases where it's safe to do so. Utilizing this option thus eliminates the overhead of the Spectre Variant 4 "Speculative Store Bypass" protection in those newly exec'd processes.
Back in January, when the work around PR_SPEC_DISABLE_NOEXEC was initially queued up in the x86/pti working tree, I wrote about it in more detail. See "Linux Kernel Getting New Option So SSBD Isn't Over-Protective - Helping Performance". Now that the Linux 5.1 merge window is open, this pull request has been submitted for landing in the mainline kernel.
The motivation for adding this option is use-cases like Java, where speculation protections are enabled for JVMs but new processes launched from there don't need this protection themselves and so lose performance to unnecessary overhead outside of the core virtual machine itself. That is now possible to avoid, as user-space software can begin opting to use PR_SPEC_DISABLE_NOEXEC where safe to do so.
This new flag is the only addition for the x86/pti Spectre/Meltdown area with the Linux 5.1 merge window.