RELPOLINES: A New Spectre V2 Approach To Lower Overhead Of Retpolines

Nadav Amit of VMware has announced their (currently experimental) work on "dynamic indirect call promotion" or what they have dubbed "RELPOLINES" -- not to be confused with the traditional Retpolines for "return trampolines" as one of the Spectre Variant Two software-based mitigation approaches. Relpolines is designed to have lower overhead than Retpolines.

While Retpolines work well for fending off branch target injection attacks, trying to offset the performance costs incurred by these software-based approaches for Spectre mitigation has been a common task by kernel developers this year. VMware's latest work in this space is branded as Relpolines for pairing relative calls and trampolines with a goal of reducing Retpoline overheads to improve overall system performance.

The Relpoline approach is for every indirect call to inject code with both fast and slow-path calls. The fast path will in turn be called should the target match the expected hot target while the slow path relies upon a traditional Retpoline. With Relpolines there still is an initial "training" period where the slow path is used and then patching is done on-the-fly for allowing the fast path when deemed appropriate.

VMware's Relpoline work yields around a 10% performance boost for Nginx, a 4% boost for Redis, and about a 2% speed-up for the Dbench I/O test. Still obviously not as fast as without any mitigation, but any performance improvement while still fending off possible branch target injection attacks is welcome.

This Relpolines work is currently out under an "RFC" flag and there still are some open issues to be addressed, but those curious about this new code can find it on the kernel mailing list. Of course, should this approach reach mainline, we'll certainly be firing off more benchmarks.