Spectre V1 Mitigation, IBPB Support Sent In For Linux 4.16
Last week Meltdown/Spectre patch wrangler Thomas Gleixner sent in various code clean-ups for Retpolines and KPTI with Linux 4.16 while today more feature work has been submitted. This includes initial mitigation work for Spectre v1 as well as IBPB support.
First up with this latest round of "melted spectrum" patches as Gleixner is now calling them are Spectre v1 mitigations. Spectre Variant One is the "Bounds Check Bypass" (2017-5753) and the initial mitigation work going mainline is user pointer sanitization.
This pull request also has basic Indirect Branch Prediction Barrier (IBPB) support. IBPB is part of the CPU microcode approach for mitigating Spectre by ensuring earlier code's behavior does not control later indirect branch predictions.
Other work in this pull includes making KVM's indirect calls speculation safe, a new array index speculation blocker, blacklisting broken microcodes with faulty IBPB/IBSR support, exposing the speculation MSRs to KVM guests, regression fixes, better whitelisting of known safe CPUs, and various other code clean-ups.
Among the CPUs now whitelisted from Spectre mitigations since they don't speculate are Intel's Atom Cedarview / Cloverview / Lincroft / Penwell / Pineview processors. The x86 Centaur/VIA and NSC CPUs are also being whitelisted.
In today's PR, Thomas Gleixner that there still is other outstanding work around Spectre/Meltdown mitigation. Still to be done include protection like RBS underflow mitigation for Skylake CPUs and other small improvements.
First up with this latest round of "melted spectrum" patches as Gleixner is now calling them are Spectre v1 mitigations. Spectre Variant One is the "Bounds Check Bypass" (2017-5753) and the initial mitigation work going mainline is user pointer sanitization.
This pull request also has basic Indirect Branch Prediction Barrier (IBPB) support. IBPB is part of the CPU microcode approach for mitigating Spectre by ensuring earlier code's behavior does not control later indirect branch predictions.
Other work in this pull includes making KVM's indirect calls speculation safe, a new array index speculation blocker, blacklisting broken microcodes with faulty IBPB/IBSR support, exposing the speculation MSRs to KVM guests, regression fixes, better whitelisting of known safe CPUs, and various other code clean-ups.
Among the CPUs now whitelisted from Spectre mitigations since they don't speculate are Intel's Atom Cedarview / Cloverview / Lincroft / Penwell / Pineview processors. The x86 Centaur/VIA and NSC CPUs are also being whitelisted.
In today's PR, Thomas Gleixner that there still is other outstanding work around Spectre/Meltdown mitigation. Still to be done include protection like RBS underflow mitigation for Skylake CPUs and other small improvements.
8 Comments