More Spectre Variant Two Patches Queued For The Linux Kernel
Written by Michael Larabel in Linux Security on 26 September 2018 at 07:20 PM EDT. Add A Comment
LINUX SECURITY --
Besides the Spectre V2 userspace-userspace mitigation patches revised and sent out earlier today, some related Spectre V2 changes are now queued for soon merging to the mainline Linux kernel.

Thomas Gleixner has queued a few new patches today in his x86/pti tree for soon calling upon Linus/Greg for merging into the mainline kernel. The two patches worth noting include more strict Indirect Branch Predictor Barrier (IBPB) to prevent possible cross-process leakage:
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
Currently, IBPB is only issued in cases when switching into a non-dumpable process, the rationale being to protect such 'important and security sensitive' processes (such as GPG) from data leaking into a different userspace process via spectre v2.

This is however completely insufficient to provide proper userspace-to-userpace spectrev2 protection, as any process can poison branch buffers before being scheduled out, and the newly scheduled process immediately becomes spectrev2 victim.

In order to minimize the performance impact (for usecases that do require spectrev2 protection), issue the barrier only in cases when switching between processes where the victim can't be ptraced by the potential attacker (as in such cases, the attacker doesn't have to bother with branch buffers at all).

And enabling cross-hyperthread Spectre V2 STIBP (Single Thread Indirect Branch Predictors) mitigation:
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation

STIBP is a feature provided by certain Intel ucodes / CPUs. This feature (once enabled) prevents cross-hyperthread control of decisions made by indirect branch predictors.

Enable this feature if

- the CPU is vulnerable to spectre v2
- the CPU supports SMT and has SMT siblings online
- spectre_v2 mitigation autoselection is enabled (default)

After some previous discussion, this leaves STIBP on all the time, as wrmsr on crossing kernel boundary is a no-no. This could perhaps later be a bit more optimized (like disabling it in NOHZ, experiment with disabling it in idle, etc) if needed.

Note that the synchronization of the mask manipulation via newly added spec_ctrl_mutex is currently not strictly needed, as the only updater is already being serialized by cpu_add_remove_lock, but let's make this a little bit more future-proof.

Both patches were written by SUSE's Jiri Kosina. These patches are also a prerequisite for applying the Spectre V2 userspace-userspace patches (already done and been in the process of testing these patches today... should have results in the next day or two).

About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Linux Security News
Popular News This Week