Retpoline v5 Published For Fending Off Spectre Branch Target Injection

Written by Michael Larabel in Linux Security on 6 January 2018 at 08:25 AM EST. 23 Comments
LINUX SECURITY
David Woodhouse of Amazon has sent out the latest quickly-revising patches for introducing the "Retpoline" functionality to the Linux kernel for mitigating the Spectre "variant 2" attack.

Retpoline v5 is the latest as of Saturday morning as the ongoing effort for avoiding speculative indirect calls within the Linux kernel for preventing a branch target injection style attack. These 200+ lines of kernel code paired with the GCC Retpoline patches are able to address vulnerable indirect branches in the Linux kernel.

The Retpoline approach is said to only have up to a ~1.5% performance hit when patched... I hope this weekend to get around to trying these kernel and GCC patches on some of my systems for looking at the performance impact in our commonly benchmarked workloads. The Retpoline work is separate from the KPTI page table isolation work for addressing the Intel CPU Meltdown issue.

With the fifth version of these patches, some warnings have been taken care of, the X86_FEATURE_RETPOLINE logic improved, and the AMD support for Retpoline has been merged into the main patches rather than having its own patch. Of Variant Two, AMD's security notice did say that their architecture has "near zero risk of exploitation" but looks like it will be protected nevertheless by the Retpoline patches with nominal performance overhead.


These latest patches for now can be found on the kernel mailing list while should be merged to the mainline tree for Linux 4.16. There is also the GCC patch tree and the patches can be obtained as well via linux-retpoline.git. Stay tuned for benchmarks.
23 Comments
Related News
Linux 6.11 Hardening Makes FineIBT Default Configurable At Build Time
spectre_bhi=vmexit Mitigation Merged For Linux 6.11 Cloud Use
Linux 6.11 To Allow Tightening Of /proc/[pid]/mem Access For Better Security
Linus Torvalds Unconvinced By getrandom() In The vDSO
getrandom() In The vDSO Aims For Linux 6.11 To Provide Faster Yet Secure User-Space RNG
"Indirector" Attack Disclosed For Intel Alder Lake & Raptor Lake CPUs
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
EXT4 Has A Very Nice Performance Optimization For Linux 6.11
systemd Talks Up Automatic Boot Assessment In Light Of The Crowdstrike-Microsoft Outage
XZ Patches For The Linux Kernel Updated, Drops "Jia Tan" As A Maintainer
New Linux Patches Enable The Snapdragon X1 Elite Powered Lenovo ThinkPad T14s Gen 6
KDE Developers Tackle The Five Most Common Plasma Crashes
USB & Thunderbolt Improvements Land In Linux 6.11
VirtualBox 7.1 Beta Released With Modernized GUI, Wayland Support For Clipboard Sharing
NVIDIA 560 Linux Driver Beta Released - Defaults To Open GPU Kernel Modules