More Linux Kernel & GCC Patches Come Out In The Wake Of Spectre+Meltdown

Paul Turner of Google has posted some "request for comments" patches for a "Retpoline" implementation in the Linux kernel. The Retpoline patches are intended to fend off Spectre, the attack that breaks isolation between different applications. Unfortunately, Retpoline does add a cost to kernel performance, with the overall overhead reported to be in the range of up to 1.5%.
Paul Turner has done a nice job summing up the work in this cover letter for the patch on the kernel mailing list, so check it out if you're interested in all of the technical details.
GCC compiler patches are also needed to support the retpoline patches. Those patches are not yet mainline but can be found here. The work includes adding new -mindirect-branch=thunk, -mindirect-branch-loop, -mfunction-return and -mno-indirect-branch-register options.
Andi Kleen of Intel, meanwhile, has posted another series that avoids speculative indirect calls within the kernel to prevent side-channel attacks from leaking arbitrary kernel data. These patches also rely upon the new GCC patches. There are no performance numbers yet on their impact.
Update: LLVM developers have also posted their initial Retpoline work.