x86 Straight-Line Speculation Mitigation Patches Updated For Linux

Written by Michael Larabel in Linux Security on 5 December 2021 at 06:13 AM EST. 7 Comments
LINUX SECURITY
A year after Arm processors began mitigating straight-line speculation, Linux developers have been working on similar straight-line speculation mitigations for x86/x86_64 processors.

The past few months we have been seeing Linux kernel and GCC and LLVM/Clang patches around straight-line speculation mitigation for Intel / AMD processors. The issue at hand is over processors speculatively executing instructions linearly in memory past an unconditional change in control flow.

The compilers are adding a "mharden-sls" option to add INT3 instructions after function returns and indirect branches to protect against possible straight-line speculation. On kernel side, the patches being worked on are to make use of the SLS hardening option where present. The patches would enable this hardening when on a supported kernel version (GCC 12+ and presumably Clang 14+) and when using a kernel build with Retpolines (return trampolines) enabled. As this option controls the code generation, it would be just a build-time option and not controllable at run-time for the kernel.


Sent out on Saturday were the latest patches for the kernel around this SLS mitigation handling as mostly a refactoring of the prior proposed changes, which also includes the objtool changes for validating the SLS mitigation handling with speculation traps after indirect calls and RETs. As a known side effect, SLS mitigation for the kernel does increase the text size of the kernel build by around 2.4% due to the additional (INT3) instructions.
7 Comments
Related News
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
Linux 6.9 Sees Further Security Hardening
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Rust-Written LAVD Kernel Scheduler Shows Promising Results For Linux Gaming
Former Nouveau Lead Developer Joins NVIDIA, Continues Working On Open-Source Driver
Fedora Linux 40 Cleared For Release Next Week
Mozilla Finally Begins Offering Firefox ARM64 Linux Binaries
Ubuntu 24.04 Supports Easy Installation Of OpenZFS Root File-System With Encryption
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
openSUSE Factory Achieves Bit-By-Bit Reproducible Builds
Linux 6.10 Preps A Kernel Panic Screen - Sort Of A "Blue Screen of Death"