Ubuntu Preparing Kernel Updates With IBRS/IBPB For Spectre Mitigation
Canonical has rolled out Spectre Variant One and Spectre Variant Two mitigation to their proposed repository with updated kernels for Ubuntu 14.04 LTS / 16.04 LTS / 17.10. These kernels with IBRS and IBPB added in will be sent down as stable release updates next week.
Canonical is mitigating Spectre Variant One/Two via the Intel IBRS/IBPB patches. Indirect Branch Restricted Speculation and Indirect Branch Predictor Barrier are the path being used by Ubuntu for addressing Spectre at this time. They note they are investigating Retpoline support, but since full Retpoline support requires toolchain changes (patched GCC versions for now), they went ahead with the IBRS/IBPB approach even though it may carry greater performance overhead.
IBRS/IBPB, which restricts speculation of indirect branches and ensures earlier code cannot control later indirect branch predictions, depends on CPU microcode updates. The Intel CPU microcode updates are now out on many Linux distributions, and AMD updates exist for some platforms, but Ubuntu has yet to push out the updated AMD CPU microcode.
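As an added check that is not from the article or from Canonical: a small shell script that reports whether the running kernel says Spectre v2 is mitigated and whether the CPU flags show the microcode-backed IBRS/IBPB support the mitigation depends on. It assumes the upstream sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2 (Linux 4.15+ and distro backports), the cpuinfo flag names ibrs/ibpb/spec_ctrl, and the /proc/sys/kernel/ibrs_enabled and ibpb_enabled sysctls of Ubuntu's IBRS/IBPB backport; paths are parameters so it can be exercised on constructed files.

```shell
#!/bin/bash
# Added example (not the article's or Ubuntu's code): check whether an
# IBRS/IBPB-style Spectre v2 mitigation is active and microcode-backed.

# Return 0 if the first cpuinfo flags line lists a speculation-control
# feature that only appears with updated microcode (flag names assumed).
microcode_supports_spec_ctrl() {
    local cpuinfo="${1:-/proc/cpuinfo}"
    grep -m1 '^flags' "$cpuinfo" | grep -qwE 'ibrs|ibpb|spec_ctrl'
}

# Print the kernel's own Spectre v2 verdict from sysfs, or "unknown" when
# the file is absent (kernels older than 4.15 without the backport).
spectre_v2_status() {
    local f="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Ubuntu's backport (assumed, not documented in the article) exposes the
# Intel patchset's sysctls: 1 = enabled, 0 = disabled, n/a = not present.
ubuntu_ibrs_state() {
    local dir="${1:-/proc/sys/kernel}"
    printf 'ibrs_enabled=%s ibpb_enabled=%s\n' \
        "$(cat "$dir/ibrs_enabled" 2>/dev/null || echo n/a)" \
        "$(cat "$dir/ibpb_enabled" 2>/dev/null || echo n/a)"
}

# Combine the checks. Exit codes: 0 = kernel reports a mitigation and the
# microcode flags are present; 1 = kernel reports Vulnerable; 2 = kernel
# status unknown; 3 = no microcode flags, so IBRS/IBPB cannot be in use.
assess_spectre_v2() {
    local cpuinfo="$1" sysfile="$2" status
    if ! microcode_supports_spec_ctrl "$cpuinfo"; then
        echo "microcode: no ibrs/ibpb/spec_ctrl flag; update CPU microcode"
        return 3
    fi
    status=$(spectre_v2_status "$sysfile")
    echo "kernel: $status"
    case "$status" in
        Mitigation*) return 0 ;;
        Vulnerable*) return 1 ;;
        *)           return 2 ;;
    esac
}

# Stand-alone use: report on the live system.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    ubuntu_ibrs_state
    assess_spectre_v2 /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/spectre_v2
fi
```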
Canonical has back-ported Intel's patches to their Linux 4.13 kernel for Ubuntu 17.10, Linux 4.4 for Ubuntu 16.04 LTS, and Linux 3.13 for Ubuntu 14.04 LTS.
Canonical plans to promote these patched kernels to their stable update channel for all supported distributions next Monday, 22 January. Canonical previously sent down SRU kernel updates with KPTI (Kernel Page Table Isolation) for addressing the Meltdown vulnerability.
More details on the tentative kernel upgrades for testing are available via insights.ubuntu.com.
I've been meaning to run some IBRS/IBPB performance impact benchmark tests but have been occupied with Retpoline (and formerly KPTI) testing on top of my usual daily benchmarking workload. But I plan to run some tests on these proposed Ubuntu kernel updates very soon to see how they compare to full Retpoline protection on Linux 4.15 built with GCC 8.0.1. Stay tuned...