Re: [go-nuts] retpolines in the go compiler?

2018-01-04 Thread Ian Lance Taylor 
On Thu, Jan 4, 2018 at 9:41 AM,   wrote:
>
> The last few days have seen some scary CPU security issues. One is Spectre,
> which takes advantage of branch prediction and cache timings to read memory
> that should be inaccessible.
>
> The main (only?) mitigation that I have seen is to use "retpolines" - a
> portmanteau of 'return trampoline' - instead of indirect jump instructions.
> The technique is described in detail in a blog post, and patches have been
> written for LLVM and Linux already. It replaces a single instruction with
> about seven and blocks branch prediction, so it is expected to have a
> significant performance impact, but the security is worth it in some
> contexts.
>
> Will the Go compiler be writing retpoline instructions instead of indirect
> jumps? I am particularly worried about the performance implications for code
> that calls lots of interface - will it use retpolines only under a
> configuration flag?

While I do not yet fully understand how this defense works, I want to
point out that the blog post you cite explicitly says "we do not need
to (strongly) worry for most binaries."  It goes on to say that the
primary concern is the host operating system, which at least at
present is not written in Go.

So at the moment I think that 1) we need do anything quickly; 2) there
is no reason to use retpolines for all programs, only those that
handle sensitive data, so if we do find it necessary to add this
feature to the Go compiler it will be optional; 3) it's at least
possible that hardware vendors will fix this in new processors before
we have to seriously worry about it for Go.

Ian

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[go-nuts] retpolines in the go compiler?

2018-01-04 Thread spenczar5 
The last few days have seen some scary CPU security issues. One is Spectre 
, which takes advantage of branch prediction 
and cache timings to read memory that should be inaccessible.

The main (only?) mitigation that I have seen is to use "retpolines" - a 
portmanteau of 'return trampoline' - instead of indirect jump instructions. 
The technique is described in detail in a blog post 
, and patches have been 
written for LLVM  and Linux 
 already. It replaces a single 
instruction with about seven and blocks branch prediction, so it is 
expected to have a significant performance impact, but the security is 
worth it in some contexts.

Will the Go compiler be writing retpoline instructions instead of indirect 
jumps? I am particularly worried about the performance implications for 
code that calls lots of interface - will it use retpolines only under a 
configuration flag?

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.