Clarifying the Spectre mitigations...

my123 (@never_released) securetalk at
Sun Jan 7 05:23:52 PST 2018


The kernel is protected against Spectre  with retpoline but application-specific patches are required except when IBPB=2 + STIBP, IBRS=1 + IBPB=1, or IBRS=2 are used.

IBPB is a branch prediction barrier that solves Spectre on its maximum setting, but it comes with a performance hit. It requires enabling STIBP for full protection too, except when hyperthreading is disabled.

IBRS is the restricted indirect branch speculation feature, which solves Spectre on its maximum setting, except for VM isolation but requires a performance hit too. In order to protect virtual machines from other virtual machines, ibpb=1 is needed even if ibrs is set to 2..

IBPB=1 *and* IBRS=1 works too but it causes a performance hit, and IBRS=2 + IBPB=1 is needed for isolation between virtual machines, but isn't required when VMs aren't used.

AMD implements IBRS and IBPB for CPU families before 17h (Zen), but only IBPB and STIBP for Zen.

All those features require newer microcode to work... and the impact on performance is not zero.

The alternative is recompiling every sensitive thing with retpoline... which is what Linux is trying to implement on mainline. On Windows, as convincing developers to update their toolchain is hard there, IBRS and IBPB are used there despite the performance hit.

Hoping that I made things a bit clearer...

More information about the Users mailing list