Linux Prepares New Spectre BHI Mitigation Option For Cloud Environments

Written by Michael Larabel in Linux Security on 29 June 2024 at 08:24 AM EDT. 37 Comments
For the Branch History Injection variant of Spectre (Spectre BHI), a patch is pending that adds a new mitigation option for this two-year-old CPU security vulnerability.

Spectre BHI/BHB can lead to leaking arbitrary kernel memory on modern Intel CPUs and was disclosed back in 2022 by VUSec. The Linux kernel has supported enabling the hardware mitigations, falling back to software mitigations otherwise, to protect both system calls and virtual machines against Spectre BHI. Via the "spectre_bhi=" boot argument, administrators can enable or disable the Spectre BHI mitigation.

What's coming now to the Linux kernel is support for the "spectre_bhi=vmexit" option. The new VMEXIT option will only protect the VM exit path on systems needing software-based mitigations. To avoid the performance cost of software-mitigating system calls, this new option is intended for cloud environments on older processors to fend off only VM-originated Spectre BHI attacks. System calls are left vulnerable, but in cloud/virtualized environments this at least protects against attacks from inside the virtual machines.

spectre_bhi options

Thus spectre_bhi=vmexit is a lower-cost mitigation for such cloud environments with untrusted VMs, short of going full bore with spectre_bhi=on.
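As an added example (not from the article or the kernel), a small POSIX shell audit that compares what spectre_bhi= on the kernel command line asked for with the BHI state the kernel reports at the end of /sys/devices/system/cpu/vulnerabilities/spectre_v2, flagging the vmexit case the article describes (VM exits covered, system calls not). The exact "BHI: ..." status strings are assumed to match those printed by arch/x86/kernel/cpu/bugs.c, and "on" is assumed to be the default when no option is given.

```shell
#!/bin/sh
# Added example (not from the article or the kernel): audit the Spectre BHI mitigation
# state on a host. The kernel appends "; BHI: ..." to the spectre_v2 sysfs line; the
# status strings matched below are assumed to be those printed by arch/x86/kernel/cpu/bugs.c.

# bhi_coverage <spectre_v2 line> -> "<syscall> <vmexit>" (1 = protected, 0 = exposed)
bhi_coverage() {
    case "$1" in
        *"BHI: Not affected"*|"Not affected") echo "1 1" ;;  # CPU not affected
        *"BHI: BHI_DIS_S"*)                echo "1 1" ;;  # hardware control on newer Intel CPUs
        *"BHI: SW loop, KVM: SW loop"*)    echo "1 1" ;;  # software clearing on syscalls and VM exits
        *"BHI: Retpoline"*)                echo "1 1" ;;  # retpolines cover BHI when RRSBA is off
        *"BHI: Vulnerable, KVM: SW loop"*) echo "0 1" ;;  # spectre_bhi=vmexit: only VM exits cleared
        *"BHI: Vulnerable"*)               echo "0 0" ;;  # spectre_bhi=off or nothing available
        *)                                 echo "x x" ;;  # unrecognised kernel output
    esac
}

# requested_bhi <kernel cmdline> -> spectre_bhi= value (assumed "on" by default, "off" under mitigations=off)
requested_bhi() {
    want=on
    for tok in $1; do
        case "$tok" in
            mitigations=off) want=off ;;
            spectre_bhi=*)   want="${tok#spectre_bhi=}" ;;
        esac
    done
    echo "$want"
}

# bhi_audit <cmdline> <spectre_v2 line>: one-line report; exit 0 when the effective state
# covers what was requested, 1 when it is weaker (e.g. "on" requested but only VM exits covered).
bhi_audit() {
    req=$(requested_bhi "$1")
    set -- $(bhi_coverage "$2")
    echo "requested=$req syscall_protected=$1 vmexit_protected=$2"
    case "$req" in
        on)     [ "$1" = 1 ] && [ "$2" = 1 ] ;;
        vmexit) [ "$2" = 1 ] ;;
        off)    true ;;
        *)      false ;;
    esac
}

# Stand-alone use on the running host (skipped when the sysfs file is absent).
SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$SYSFS" ]; then
    bhi_audit "$(cat /proc/cmdline)" "$(cat "$SYSFS")" || echo "WARNING: BHI mitigation weaker than requested"
fi
```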

This new Spectre BHI mitigation option can be found in TIP.git's x86/bugs branch ahead of the upcoming Linux 6.11 merge window.