x86/speculation: Disable RRSBA behavior
Some Intel processors may use alternate predictors for RETs on RSB-underflow. This condition may be vulnerable to Branch History Injection (BHI) and intramode-BTI.

Kernel earlier added spectre_v2 mitigation modes (eIBRS+Retpolines, eIBRS+LFENCE, Retpolines) which protect indirect CALLs and JMPs against such attacks. However, on RSB-underflow, RET target prediction may fall back to alternate predictors. As a result, RET's predicted target may get influenced by branch history.

A new MSR_IA32_SPEC_CTRL bit (RRSBA_DIS_S) controls this fallback behavior when in kernel mode. When set, RETs will not take predictions from alternate predictors, hence mitigating RETs as well. Support for this is enumerated by CPUID.7.2.EDX[RRSBA_CTRL] (bit2).

For spectre v2 mitigation, when a user selects a mitigation that protects indirect CALLs and JMPs against BHI and intramode-BTI, set RRSBA_DIS_S also to protect RETs for RSB-underflow case.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
parent 697977d8
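The enumeration check and mode decision described in the commit message, as an added user-space example that is not part of the commit or the kernel source. The enum and function names are hypothetical, and the rule that CPUID.7.0.EAX reports the highest valid leaf-7 subleaf comes from Intel's CPUID definition rather than from this page.

```c
#include <stdbool.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID.7.2.EDX bit 2 enumerates RRSBA_CTRL (from the commit message). */
#define CPUID_7_2_EDX_RRSBA_CTRL (1u << 2)

/* Hypothetical names for the modes the commit message lists. */
enum v2_mode { MODE_OTHER, MODE_RETPOLINE, MODE_EIBRS_RETPOLINE, MODE_EIBRS_LFENCE };

/* max_subleaf is CPUID.7.0.EAX; subleaf 2 data is valid only if it is >= 2. */
bool rrsba_ctrl_enumerated(unsigned int max_subleaf, unsigned int edx_7_2)
{
    if (max_subleaf < 2)
        return false;
    return (edx_7_2 & CPUID_7_2_EDX_RRSBA_CTRL) != 0;
}

/* Set RRSBA_DIS_S only for modes that already protect indirect CALLs/JMPs,
 * and only when the CPU enumerates the control. */
bool should_set_rrsba_dis_s(enum v2_mode mode, bool enumerated)
{
    switch (mode) {
    case MODE_RETPOLINE:
    case MODE_EIBRS_RETPOLINE:
    case MODE_EIBRS_LFENCE:
        return enumerated;
    default:
        return false;
    }
}

int main(void)
{
    unsigned int a = 0, b = 0, c = 0, d = 0, max_subleaf = 0, edx_7_2 = 0;
#if defined(__x86_64__) || defined(__i386__)
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d)) {
        max_subleaf = a;
        if (max_subleaf >= 2 && __get_cpuid_count(7, 2, &a, &b, &c, &d))
            edx_7_2 = d;
    }
#endif
    bool en = rrsba_ctrl_enumerated(max_subleaf, edx_7_2);
    printf("RRSBA_CTRL enumerated: %s\n", en ? "yes" : "no");
    printf("set RRSBA_DIS_S with eIBRS+Retpolines: %s\n",
           should_set_rrsba_dis_s(MODE_EIBRS_RETPOLINE, en) ? "yes" : "no");
    return 0;
}
```

This only reports what the CPU enumerates; writing MSR_IA32_SPEC_CTRL is a kernel-mode operation and is left to the kernel.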