On Thu, 2018-02-01 at 16:40 +0100, Peter Zijlstra wrote: > On Thu, Feb 01, 2018 at 03:32:11PM +0000, David Woodhouse wrote: > > > > On Thu, 2018-02-01 at 09:28 -0600, Josh Poimboeuf wrote: > > > > > > On Thu, Feb 01, 2018 at 03:34:21PM +0100, Peter Zijlstra wrote: > > > > > > > > > > > > There are the retpoline validation patches; they work with the > > > > __noretpoline > > > > thing from David. > > > Have you run this through 0-day bot yet? A manual awk/sed found > > > another > > > one, which objtool confirms: > > > > > > drivers/watchdog/.tmp_hpwdt.o: warning: objtool: .text+0x24: > > > indirect call found in RETPOLINE build > > > > > > And my search wasn't exhaustive so it would be good to sic 0-day bot on > > > it. > > We discussed that one. It's correct; we're calling into firmware so > > there's *no* point in retpolining that one. We need to set IBRS before > > any runtime calls into firmware, if we want to be safe. > > Ideally we'd have a way to mark the module 'unsafe' or something.
No, we just need to set IBRS before doing it. The same applies to any EFI runtime calls, APM and all kinds of other random crap that calls into firmware. I'm not sure why those aren't showing up.
smime.p7s
Description: S/MIME cryptographic signature