.. SPDX-License-Identifier: GPL-2.0

Indirect Target Selection (ITS)
===============================

ITS is a vulnerability in some Intel CPUs that support Enhanced IBRS and were
released before Alder Lake. ITS may allow an attacker to control the prediction
of indirect branches and RETs located in the lower half of a cacheline.

ITS is assigned CVE-2024-28956 with a CVSS score of 4.7 (Medium).

Scope of Impact
---------------
- **eIBRS Guest/Host Isolation**: Indirect branches in KVM/kernel may still be
  predicted with an unintended target corresponding to a branch in the guest.

- **Intra-Mode BTI**: In-kernel training such as through cBPF or other native
  gadgets.

- **Indirect Branch Prediction Barrier (IBPB)**: After an IBPB, indirect
  branches may still be predicted with targets corresponding to direct branches
  executed prior to the IBPB. This is fixed by the IPU 2025.1 microcode, which
  should be available via distro updates. Alternatively, microcode can be
  obtained from Intel's GitHub repository [#f1]_.

Affected CPUs
-------------
Below is the list of ITS affected CPUs [#f2]_ [#f3]_:

   ========================  ============  ====================  ===============
   Common name               Family_Model  eIBRS                 Intra-mode BTI
                                           Guest/Host Isolation
   ========================  ============  ====================  ===============
   SKYLAKE_X (step >= 6)     06_55H        Affected              Affected
   ICELAKE_X                 06_6AH        Not affected          Affected
   ICELAKE_D                 06_6CH        Not affected          Affected
   ICELAKE_L                 06_7EH        Not affected          Affected
   TIGERLAKE_L               06_8CH        Not affected          Affected
   TIGERLAKE                 06_8DH        Not affected          Affected
   KABYLAKE_L (step >= 12)   06_8EH        Affected              Affected
   KABYLAKE (step >= 13)     06_9EH        Affected              Affected
   COMETLAKE                 06_A5H        Affected              Affected
   COMETLAKE_L               06_A6H        Affected              Affected
   ROCKETLAKE                06_A7H        Not affected          Affected
   ========================  ============  ====================  ===============

- All affected CPUs enumerate the Enhanced IBRS feature.
- IBPB isolation is affected on all ITS affected CPUs, and needs a microcode
  update for mitigation.
- None of the affected CPUs enumerate BHI_CTRL, which was introduced in Golden
  Cove (Alder Lake and Sapphire Rapids). This can help guests to determine the
  host's affected status.
- Intel Atom CPUs are not affected by ITS.

Mitigation
----------
As only the indirect branches and RETs that have their last byte of instruction
in the lower half of the cacheline are vulnerable to ITS, the basic idea behind
the mitigation is to not allow indirect branches in the lower half.

This is achieved by relying on existing retpoline support in the kernel, and in
compilers. ITS-vulnerable retpoline sites are runtime patched to point to newly
added ITS-safe thunks. These safe thunks consist of an indirect branch in the
second half of the cacheline. Not all retpoline sites are patched to thunks; if
a retpoline site is evaluated to be ITS-safe, it is replaced with an inline
indirect branch.

Dynamic thunks
~~~~~~~~~~~~~~
From a dynamically allocated pool of safe-thunks, each vulnerable site is
replaced with a new thunk, such that they get a unique address. This could
improve the branch prediction accuracy. Also, it is a defense-in-depth measure
against aliasing.

Note, for simplicity, indirect branches in eBPF programs are always replaced
with a jump to a static thunk in __x86_indirect_its_thunk_array. If required,
in future this can be changed to use dynamic thunks.

All vulnerable RETs are replaced with a static thunk; they do not use dynamic
thunks. This is because RETs mostly get their prediction from the RSB, which
does not depend on the source address. RETs that underflow the RSB may benefit
from dynamic thunks. But RETs significantly outnumber indirect branches, and any
benefit from a unique source address could be outweighed by the increased icache
footprint and iTLB pressure.

Retpoline
~~~~~~~~~
The retpoline sequence also mitigates ITS-unsafe indirect branches. For this
reason, when retpoline is enabled, the ITS mitigation only relocates the RETs to
safe thunks, unless the user requested the RSB-stuffing mitigation.

RSB Stuffing
~~~~~~~~~~~~
RSB-stuffing via Call Depth Tracking is a mitigation for Retbleed RSB-underflow
attacks. It also mitigates RETs that are vulnerable to ITS.

Mitigation in guests
^^^^^^^^^^^^^^^^^^^^
All guests deploy ITS mitigation by default, irrespective of eIBRS enumeration
and Family/Model of the guest. This is because the eIBRS feature could be hidden
from a guest. One exception to this is when a guest enumerates BHI_DIS_S, which
indicates that the guest is running on an unaffected host.

To prevent guests from unnecessarily deploying the mitigation on unaffected
platforms, Intel has defined ITS_NO bit(62) in MSR IA32_ARCH_CAPABILITIES. When
a guest sees this bit set, it should not enumerate the ITS bug. Note, this bit
is not set by any hardware, but is **intended for VMMs to synthesize** it for
guests as per the host's affected status.

Mitigation options
^^^^^^^^^^^^^^^^^^
The ITS mitigation can be controlled using the "indirect_target_selection"
kernel parameter. The available options are:

   ======== ===================================================================
   on       (default) Deploy the "Aligned branch/return thunks" mitigation.
            If spectre_v2 mitigation enables retpoline, aligned-thunks are only
            deployed for the affected RET instructions. Retpoline mitigates
            indirect branches.

   off      Disable ITS mitigation.

   vmexit   Equivalent to "=on" if the CPU is affected by guest/host isolation
            part of ITS. Otherwise, mitigation is not deployed. This option is
            useful when host userspace is not in the threat model, and only
            attacks from guest to host are considered.

   stuff    Deploy RSB-fill mitigation when retpoline is also deployed.
            Otherwise, deploy the default mitigation. When retpoline mitigation
            is enabled, RSB-stuffing via Call-Depth-Tracking also mitigates
            ITS.

   force    Force the ITS bug and deploy the default mitigation.
   ======== ===================================================================

Sysfs reporting
---------------

The sysfs file showing ITS mitigation status is:

  /sys/devices/system/cpu/vulnerabilities/indirect_target_selection

Note, microcode mitigation status is not reported in this file.

The possible values in this file are:

.. list-table::

   * - Not affected
     - The processor is not vulnerable.
   * - Vulnerable
     - System is vulnerable and no mitigation has been applied.
   * - Vulnerable, KVM: Not affected
     - System is vulnerable to intra-mode BTI, but not affected by eIBRS
       guest/host isolation.
   * - Mitigation: Aligned branch/return thunks
     - The mitigation is enabled, affected indirect branches and RETs are
       relocated to safe thunks.
   * - Mitigation: Retpolines, Stuffing RSB
     - The mitigation is enabled using retpoline and RSB stuffing.
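
An added example (not part of the kernel documentation): a POSIX shell audit helper that classifies the status strings listed above, reads the ``indirect_target_selection`` option from a kernel command line, and judges the result against a threat model. The function names, verdict labels and the two threat-model names ("full", "guest-only") are assumptions made for this example, and the sample inputs in ``its_demo`` are constructed.

```shell
#!/bin/sh
# Added example: audit helper for the ITS sysfs status described on this page.
# Function names, verdict labels and threat-model names are hypothetical.

ITS_SYSFS=/sys/devices/system/cpu/vulnerabilities/indirect_target_selection

# Map a status string to a verdict. Order matters: the intra-mode-only value
# contains both "Vulnerable" and "Not affected", so it is matched first.
its_classify() {
    case "$1" in
        *"Vulnerable, KVM: Not affected"*) echo intra-mode-only ;;
        "Not affected")                    echo not-affected ;;
        *"Aligned branch/return thunks"*)  echo mitigated-thunks ;;
        *"Retpolines, Stuffing RSB"*)      echo mitigated-stuffing ;;
        "Vulnerable"*)                     echo vulnerable ;;
        "")                                echo unreported ;;
        *)                                 echo unknown ;;
    esac
}

# Extract indirect_target_selection=<value> from a kernel command line.
# Assumption of this example: the last occurrence is the one reported.
# Prints "default" when the option is absent, "invalid:<value>" when the
# value is not one of the documented options.
its_cmdline_option() (
    set -f                      # no globbing while splitting the command line
    opt=default
    for word in $1; do
        case "$word" in
            indirect_target_selection=*) opt=${word#indirect_target_selection=} ;;
        esac
    done
    case "$opt" in
        default|on|off|vmexit|stuff|force) echo "$opt" ;;
        *)                                 echo "invalid:$opt" ;;
    esac
)

# its_acceptable VERDICT THREAT_MODEL
#   full       : host userspace and guests are both untrusted
#   guest-only : only guest-to-host attacks are in scope (the case the
#                "vmexit" option is documented for)
its_acceptable() {
    case "$1:$2" in
        not-affected:*|mitigated-thunks:*|mitigated-stuffing:*) return 0 ;;
        intra-mode-only:guest-only)                              return 0 ;;
        *)                                                       return 1 ;;
    esac
}

# its_report STATUS CMDLINE THREAT_MODEL -> one summary line
its_report() {
    verdict=$(its_classify "$1")
    option=$(its_cmdline_option "$2")
    if its_acceptable "$verdict" "$3"; then result=PASS; else result=FAIL; fi
    echo "$result verdict=$verdict option=$option model=$3"
}

# Audit the running host. A missing sysfs file yields "unreported", which
# fails: a kernel that does not report ITS cannot be assumed to mitigate it.
its_audit_host() {
    status=
    if [ -r "$ITS_SYSFS" ]; then status=$(cat "$ITS_SYSFS"); fi
    cmdline=$(cat /proc/cmdline 2>/dev/null) || cmdline=
    its_report "$status" "$cmdline" "${1:-full}"
    echo "note: microcode (IBPB) status is not reported in $ITS_SYSFS"
}

# Constructed sample inputs, using the status strings listed on this page.
its_demo() {
    its_report "Not affected" "ro quiet" full
    its_report "Vulnerable" "ro indirect_target_selection=off" full
    its_report "Vulnerable, KVM: Not affected" "ro indirect_target_selection=vmexit" full
    its_report "Vulnerable, KVM: Not affected" "ro indirect_target_selection=vmexit" guest-only
    its_report "Mitigation: Aligned branch/return thunks" "ro quiet" full
    its_report "Mitigation: Retpolines, Stuffing RSB" "ro indirect_target_selection=stuff" full
    its_report "" "ro quiet" full
}

if [ "${1:-}" = "--host" ]; then
    its_audit_host "${2:-full}"
else
    its_demo
fi
```

Run with ``--host full`` or ``--host guest-only`` to audit the local machine; without arguments it only prints the verdicts for the constructed samples.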

References
----------

.. [#f1] Microcode repository - https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

.. [#f2] Affected Processors list - https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

.. [#f3] Affected Processors list (machine readable) - https://github.com/intel/Intel-affected-processor-list