On 03/21/2018 05:09 PM, Maciej S. Szmigiero wrote: > As far as I understand the issue this should provide a good protection > for userspace processes that were recompiled with retpolines as they > won't have any indirect jumps and calls.
Instead of saying "good protection", let's just say that it could mitigate attacks that require consumption of attacker-placed RSB entries. >> Do you perhaps want to do RSB manipulation in lieu of IBPB when >> switching *to* a non-dumpable process and IBPB is not available? > > Is it worth differentiating such processes in this case? > IBPB is supposed to be very expensive so certainly it is worthwhile > to do it only for high-value processes (=non-dumpable). > > However, it is unlikely that existing RSB entries from the previous > task match the new task call stack anyway. > We already do unconditional RSB-filling-on-context-switch in many > cases. I think this case is a bit too obscure and theoretical to complicate the kernel with it. You need an unmitigated processor, a userspace-to-userspace attack that manages to satisfy the five "exploit composition" steps of Spectre/V2[1], and an application that has been retpoline-mitigated. While RSB manipulation is almost certainly less onerous than IBPB, it's still going to hurt context-switch rates, especially if applied indiscriminately like this patch does. So, I totally agree with your analysis about the theoretical potential for an issue, I'm just not really convinced the fix is worth it. 1. https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf
