x86 Straight Line Speculation CPU Mitigation Appears For Linux 5.17
The Linux 5.17 kernel is introducing support for the x86 straight-line speculation "SLS" mitigation with it becoming increasingly clear modern x86_64 CPUs are susceptible to speculatively executing linearly in memory past an unconditional change in control flow.
Back in mid-2020 Straight Line Speculation was made public for Arm CPUs based on research by Google's SafeSide initiative. Arm processors were found to be able to speculatively execute linearly in memory beyond what should be an unconditional change in control flow, such as for exception returns, other exception generating instructions, unconditional direct/indirect branches, and function returns. If speculatively executing a "Spectre revelation gadget" it could in turn make secrets vulnerable to revelation through timing analysis.
Following that disclosure, open-source software quickly mitigated Arm SLS via GCC and LLVM/Clang compiler hardening that places a speculation barrier after BLR instructions and after RET/BR instructions (the -mharden-sls=blr and -mharden-sls=retbr options).
It wasn't until late 2021 that straight-line speculation mitigation for x86/x86_64 CPUs heated up for the leading open-source compilers and then for the Linux kernel. When enabled via the -mharden-sls= option (all, return, or indirect-jmp), the compiler emits an INT3 instruction immediately after any return (RET) instruction and/or any indirect jump, so that a CPU speculating straight past the control-flow change lands on a trap rather than on whatever code follows. This support is appearing in GCC 12 and on the LLVM/Clang side hasn't yet landed for x86/x86_64 but could still appear for LLVM 14.0.
Now the x86/core updates for Linux 5.17 bring the kernel-side handling for the SLS mitigation: a new CONFIG_SLS option that passes the compiler hardening flag to the build when a supported compiler is detected.
Borislav Petkov wrote in the x86/core pull request for Linux 5.17, "Add Straight [Line] Speculation mitigation support which uses a new compiler switch -mharden-sls= which sticks an INT3 after a RET or an indirect branch in order to block speculation after them. Reportedly, CPUs do speculate behind such [instructions]."
The consequence of this compiler hardening is known to be around a 2 to 3% larger kernel image size due to the extra instructions. For now at least the "CONFIG_SLS" knob defaults to disabled while I haven't seen any public communication from Intel or AMD for which processors they would recommend mitigating against Straight Line Speculation or other related guidance. Intel engineers have been involved with the x86 SLS compiler/kernel patches so presumably at least for them some subset of their processors is impacted by straight line speculation.
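The contract of -mharden-sls=all is easy to verify on a built object or vmlinux: every RET and every indirect JMP must be immediately followed by an INT3, while indirect CALLs need no trap because the instruction after a call is a legitimate return target. The script below is an added example, not code from the article or from the kernel tree (the kernel's own objtool gained a check of this kind alongside the CONFIG_SLS work). It parses objdump -d style text and reports every return or indirect jump lacking the INT3; the SAMPLE disassembly is constructed for the demonstration and the function names in it are hypothetical.

```python
"""Flag RET / indirect-JMP instructions not followed by INT3 in objdump -d output.

Added illustration of the -mharden-sls=all contract; not the kernel's objtool
and not code from the article.  The SAMPLE text below is constructed, not
taken from a real build.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed objdump -d output: one function with the hardening, one without,
# and one showing that an indirect CALL is deliberately not flagged.
SAMPLE = """\
0000000000001130 <hardened_fn>:
    1130:\t48 8b 07             \tmov    (%rdi),%rax
    1133:\tff e0                \tjmp    *%rax
    1135:\tcc                   \tint3
    1136:\tc3                   \tret
    1137:\tcc                   \tint3

0000000000001140 <unhardened_fn>:
    1140:\t48 8b 07             \tmov    (%rdi),%rax
    1143:\tff e0                \tjmp    *%rax
    1145:\tc3                   \tret
    1146:\t0f 1f 00             \tnopl   (%rax)

0000000000001150 <call_is_fine>:
    1150:\tff d0                \tcall   *%rax
    1152:\tc3                   \tret
    1153:\tcc                   \tint3
"""

HEADER_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# Decode prefixes objdump prints as a separate leading token; skip them so the
# real mnemonic is examined (e.g. "notrack jmp *%rax" under CET).
PREFIXES = {"notrack", "bnd", "lock", "data16", "rex.W"}


def parse_objdump(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {function_name: [(address, asm_text), ...]} from objdump -d text."""
    funcs: Dict[str, List[Tuple[int, str]]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            funcs[current] = []
            continue
        parts = line.split("\t")          # "addr:", "bytes", "asm"
        if current is None or len(parts) < 3:
            continue                      # blank line or bytes-only continuation
        addr = int(parts[0].strip().rstrip(":"), 16)
        funcs[current].append((addr, parts[2].strip()))
    return funcs


def classify(asm: str) -> str:
    """Classify one instruction as ret / indirect-jmp / int3 / other."""
    tokens = [t for t in asm.split() if t not in PREFIXES]
    if not tokens:
        return "other"
    mnem = tokens[0]
    if mnem.startswith("ret"):           # "ret" or "retq" depending on binutils
        return "ret"
    if mnem in ("jmp", "jmpq") and len(tokens) > 1 and tokens[1].startswith("*"):
        return "indirect-jmp"            # register/memory operand => indirect
    if mnem == "int3":
        return "int3"
    return "other"


def find_unhardened(text: str) -> List[Tuple[str, int, str]]:
    """Return (function, address, asm) for each RET/indirect JMP lacking a following INT3."""
    findings = []
    for name, insns in parse_objdump(text).items():
        for i, (addr, asm) in enumerate(insns):
            if classify(asm) not in ("ret", "indirect-jmp"):
                continue
            nxt = insns[i + 1][1] if i + 1 < len(insns) else ""   # end of function => no INT3
            if classify(nxt) != "int3":
                findings.append((name, addr, asm))
    return findings


if __name__ == "__main__":
    # Usage: objdump -d vmlinux | python3 sls_check.py -   (or no args for SAMPLE)
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    hits = find_unhardened(text)
    for name, addr, asm in hits:
        print(f"{name}+{addr:#x}: '{asm}' not followed by int3")
    print(f"{len(hits)} unhardened site(s)")
```

Run against a real object, remember that the kernel's hand-written assembly is not touched by the compiler flag, so sites there (and in any firmware blobs or out-of-tree modules linked in) will show up regardless of CONFIG_SLS unless they were hardened separately.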