Linux 5.15 Adds Another Knob To Harden Against Side Channel Attacks

Written by Michael Larabel in Linux Security on 31 August 2021 at 08:30 AM EDT. 71 Comments
With the Linux 5.15 kernel is a new build-time option to further harden the kernel around side channel attacks and information leakage. Enabling this option can have some (small) performance cost and a slightly larger kernel.

The new option added for Linux 5.15 to further harden the kernel is CONFIG_ZERO_CALL_USED_REGS. Enabling this option and using the GCC 11 compiler or newer to build the kernel will enable the -fzero-call-used-regs=used-gpr compiler option.

Making use of this "zero-call-used-regs" compiler option ensures any caller-used register contents are zeroed prior to returning from a function. That focus is on ensuring temporary values are not potentially leaked outside of the function to reduce the chances of the register contents being used for side channel attacks or information exposures. As for the effectiveness of this new compiler option for building the Linux kernel, it reduced the number of ROP gadgets in the kernel image by around 20% and eliminating simple "write-what-where" gadgets.

Having CONFIG_ZERO_CALL_USED_REGS enabled was found to cause the performance to be affected on x86_64 by less than 1% for a parallel kernel build test. Other benchmark numbers were not provided. This can also increase the kernel image size by less than 1% for x86_64. However, on AArch64 it's been observed to grow the image by ~5.5% but no word there on the run-time performance impact.

GCC's "zero-call-used-regs" option is based on earlier work by Intel engineers working on Clear Linux with a previously-proposed "zero-caller-saved-regs" feature. In the case of the former Intel patch it was good enough to be used by Intel's performance-oriented Clear Linux to helping thwart ROP / COP / JOB attacks.

CONFIG_ZERO_CALL_USED_REGS is added with the hardening updates inbound for the Linux 5.15 kernel. Benchmarks looking at the performance impact of it will come soon on Phoronix but hopefully will be some boring benchmarks in terms of no major unexpected performance hits.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week