In Light Of Spectre BHI, The Performance Impact For Retpolines On Modern Intel CPUs
Made public on Tuesday was BHI / Spectre-BHB as the newest offshoot from Spectre V2. Linux patches were immediately posted for affected Intel and Arm processors, while adjustments were also made to AMD CPUs around their Retpoline handling. The VUSec security researchers that discovered BHI are recommending Retpolines be enabled for newer processors, even those with hardware mitigations against Spectre V2, but what's the performance cost? Here are some initial benchmarks.
Tuesday's Spectre Branch History Injection "BHI" disclosure leverages the global branch history to re-introduce the exploitation of cross-privilege BTI. BHI allows exploiting systems that already have newer in-hardware mitigations such as Intel eIBRS and Arm CSV2. VUSec posted a proof-of-concept attack that makes use of the Linux kernel's eBPF in-kernel virtual machine to leak kernel memory on Intel's latest processors, and in their PoC to leak the root password hash.
Intel confirmed that processors at least through Alder Lake are affected by BHI (tracked as CVE-2022-0001 and CVE-2022-0002), while in its public statements noting that various Linux distributions have "mitigated by default" the researchers' particular attack. That prior mitigation is disabling unprivileged eBPF usage by default. It's not eBPF though that is fundamentally the problem here; it's just the only known attack vector right now for easily exploiting BHI.
Disabling unprivileged eBPF usage by default is indeed a wise security move to protect systems. That upstream kernel change happened only with Linux 5.16 and is now being back-ported. Distribution vendors like Canonical affirmed this week that they will be disabling unprivileged eBPF usage by default on the supported Ubuntu releases.
More technical details on Branch History Injection can be found via the Vrije Universiteit Amsterdam's VUSec site or in particular the BHI whitepaper. In that whitepaper, the researchers suggest that Retpolines (return trampolines) should be enabled for mitigating BHI:
The VUSec Branch History Injection whitepaper recommends even newer CPUs with Spectre V2 hardware mitigations re-enable the software Retpolines for better defenses against this new Spectre vulnerability.
AMD for their part isn't believed to be affected by BHI and has still been making use of Retpolines on newer Zen processors. They did discover, though, that their LFENCE/JMP-focused AMD Retpoline implementation is racy and thus are now moving to use generic Retpolines instead. I'll have benchmarks in a separate article looking at the performance difference of AMD Retpolines compared to the generic implementation, while today's article looks at the Retpoline cost in general when enabling it for newer CPUs such as Alder Lake.
Intel added eIBRS with Retpoline options to mitigate, but it is not currently enabled by default.
Tuesday's Linux x86/x86_64 BHI mitigations were merged into the mainline Linux 5.17 Git tree (along with the Arm patches and the switch to generic Retpolines on all AMD CPUs). Those mitigation patches are already queued up for back-porting into the various stable Linux kernel branches and will be part of this week's point releases for those series.
The x86 patches also add the ability to set "spectre_v2=eibrs,retpoline" for enabling Retpolines even on newer Intel processors that have relied on enhanced IBRS for mitigating Spectre V2 up to this point. This Retpoline usage on newer Intel CPUs isn't happening by default at this time -- only when using the new spectre_v2= options added.
For this article I ran some benchmarks on newer Intel CPUs with the latest Linux 5.17 Git kernel and repeated the tests with "spectre_v2=eibrs,retpoline" for enabling that software Retpoline protection on top of eIBRS, as recommended by the VUSec security researchers.
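For readers who want to verify which of the two settings discussed above their own system is actually running under (the unprivileged eBPF default and the spectre_v2= boot option), here is a small POSIX shell audit script. It is an added example for this article, not code from VUSec, Intel or the kernel project. It reads the kernel's own interfaces: /sys/devices/system/cpu/vulnerabilities/spectre_v2 (which on the 5.17 patches reports "Enhanced IBRS + Retpolines" when the eibrs,retpoline option is active), /proc/sys/kernel/unprivileged_bpf_disabled (0 = allowed, 1 = disabled permanently until reboot, 2 = disabled but re-enablable, the Linux 5.16 default), and /proc/cmdline. The sample strings inside the script are constructed to resemble that output so the classification logic can be exercised offline.

```shell
#!/bin/sh
# Audit helper for BHI-related kernel settings (added example, not from the article's sources).

# Constructed sample strings modelled on the kernel's spectre_v2 sysfs reporting.
SAMPLE_EIBRS_ONLY='Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling'
SAMPLE_EIBRS_RETPOLINE='Mitigation: Enhanced IBRS + Retpolines, IBPB: conditional, RSB filling'
SAMPLE_VULNERABLE='Vulnerable'

# Classify a spectre_v2 sysfs line: is software Retpoline in the mitigation chain or not?
classify_spectre_v2() {
    case "$1" in
        *Retpoline*)        echo "retpoline" ;;
        *"Enhanced IBRS"*)  echo "eibrs-only" ;;
        *Vulnerable*)       echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Interpret kernel.unprivileged_bpf_disabled (0 / 1 / 2 as documented by the kernel).
bpf_state() {
    case "$1" in
        0) echo "unprivileged-bpf-allowed" ;;
        1) echo "unprivileged-bpf-disabled-permanent" ;;
        2) echo "unprivileged-bpf-disabled-reenablable" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 if the kernel command line requests a Retpoline-based spectre_v2 mode
# (covers "spectre_v2=retpoline" as well as the new "spectre_v2=eibrs,retpoline").
cmdline_requests_retpoline() {
    for tok in $1; do
        case "$tok" in
            spectre_v2=*retpoline*) return 0 ;;
        esac
    done
    return 1
}

# Live audit against the running kernel; files are only read when present,
# so this is safe on kernels or architectures that do not expose them.
audit_live() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] && echo "spectre_v2 status: $(classify_spectre_v2 "$(cat "$f")")"

    s=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$s" ] && echo "eBPF policy:       $(bpf_state "$(cat "$s")")"

    c=/proc/cmdline
    if [ -r "$c" ]; then
        if cmdline_requests_retpoline "$(cat "$c")"; then
            echo "boot cmdline:      retpoline requested via spectre_v2="
        else
            echo "boot cmdline:      no spectre_v2= retpoline request (kernel default in use)"
        fi
    fi
    return 0
}

audit_live
```

A system that has taken the VUSec recommendation will report "retpoline" for the spectre_v2 status and a non-zero eBPF policy value; one still on the kernel defaults for a modern Intel CPU will report "eibrs-only", which is exactly the configuration the benchmarks in this article compare against.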