.. SPDX-License-Identifier: GPL-2.0

=======================
RSB-related mitigations
=======================

.. warning::
   Please keep this document up-to-date, otherwise you will be
   volunteered to update it and convert it to a very long comment in
   bugs.c!

Since 2018 there have been many Spectre CVEs related to the Return Stack
Buffer (RSB) (sometimes referred to as the Return Address Stack (RAS) or
Return Address Predictor (RAP) on AMD).

Information about these CVEs and how to mitigate them is scattered
amongst a myriad of microarchitecture-specific documents.

This document attempts to consolidate all the relevant information in
one place and clarify the reasoning behind the current RSB-related
mitigations.  It's meant to be as concise as possible, focused only on
the current kernel mitigations: what are the RSB-related attack vectors
and how are they currently being mitigated?

It's *not* meant to describe how the RSB mechanism operates or how the
exploits work.  More details about those can be found in the references
below.

Rather, this is basically a glorified comment, but too long to actually
be one.  So when the next CVE comes along, a kernel developer can
quickly refer to this as a refresher to see what we're actually doing
and why.

At a high level, there are two classes of RSB attacks: RSB poisoning
(Intel and AMD) and RSB underflow (Intel only).  They must each be
considered individually for each attack vector (and microarchitecture
where applicable).

----

RSB poisoning (Intel and AMD)
=============================

SpectreRSB
~~~~~~~~~~

RSB poisoning is a technique used by SpectreRSB [#spectre-rsb]_ where
an attacker poisons an RSB entry to cause a victim's return instruction
to speculate to an attacker-controlled address.  This can happen when
there are unbalanced CALLs/RETs after a context switch or VMEXIT.

* All attack vectors can potentially be mitigated by flushing out any
  poisoned RSB entries using an RSB filling sequence
  [#intel-rsb-filling]_ [#amd-rsb-filling]_ when transitioning between
  untrusted and trusted domains.  But this has a performance impact and
  should be avoided whenever possible.

  .. DANGER::
     **FIXME**: Currently we're flushing 32 entries.  However, some CPU
     models have more than 32 entries.  The loop count needs to be
     increased for those.  More detailed information is needed about RSB
     sizes.

* On context switch, the user->user mitigation requires ensuring the
  RSB gets filled or cleared whenever IBPB gets written [#cond-ibpb]_
  during a context switch:

  * AMD:
      On Zen 4+, IBPB (or SBPB [#amd-sbpb]_ if used) clears the RSB.
      This is indicated by IBPB_RET in CPUID [#amd-ibpb-rsb]_.

      On Zen < 4, the RSB filling sequence [#amd-rsb-filling]_ must
      always be done in addition to IBPB [#amd-ibpb-no-rsb]_.  This is
      indicated by X86_BUG_IBPB_NO_RET.

  * Intel:
      IBPB always clears the RSB:

      "Software that executed before the IBPB command cannot control
      the predicted targets of indirect branches executed after the
      command on the same logical processor.  The term indirect branch
      in this context includes near return instructions, so these
      predicted targets may come from the RSB." [#intel-ibpb-rsb]_

* On context switch, user->kernel attacks are prevented by SMEP.  User
  space can only insert user space addresses into the RSB.  Even
  non-canonical addresses can't be inserted due to the page gap at the
  end of the user canonical address space reserved by TASK_SIZE_MAX.
  A SMEP #PF at instruction fetch prevents the kernel from speculatively
  executing user space.

  * AMD:
      "Finally, branches that are predicted as 'ret' instructions get
      their predicted targets from the Return Address Predictor (RAP).
      AMD recommends software use a RAP stuffing sequence (mitigation
      V2-3 in [2]) and/or Supervisor Mode Execution Protection (SMEP)
      to ensure that the addresses in the RAP are safe for
      speculation.  Collectively, we refer to these mitigations as "RAP
      Protection"." [#amd-smep-rsb]_

  * Intel:
      "On processors with enhanced IBRS, an RSB overwrite sequence may
      not suffice to prevent the predicted target of a near return
      from using an RSB entry created in a less privileged predictor
      mode.  Software can prevent this by enabling SMEP (for
      transitions from user mode to supervisor mode) and by having
      IA32_SPEC_CTRL.IBRS set during VM exits." [#intel-smep-rsb]_

* On VMEXIT, guest->host attacks are mitigated by eIBRS (and PBRSB
  mitigation if needed):

  * AMD:
      "When Automatic IBRS is enabled, the internal return address
      stack used for return address predictions is cleared on VMEXIT."
      [#amd-eibrs-vmexit]_

  * Intel:
      "On processors with enhanced IBRS, an RSB overwrite sequence may
      not suffice to prevent the predicted target of a near return
      from using an RSB entry created in a less privileged predictor
      mode.  Software can prevent this by enabling SMEP (for
      transitions from user mode to supervisor mode) and by having
      IA32_SPEC_CTRL.IBRS set during VM exits.  Processors with
      enhanced IBRS still support the usage model where IBRS is set
      only in the OS/VMM for OSes that enable SMEP.  To do this, such
      processors will ensure that guest behavior cannot control the
      RSB after a VM exit once IBRS is set, even if IBRS was not set
      at the time of the VM exit." [#intel-eibrs-vmexit]_

    Note that some Intel CPUs are susceptible to Post-barrier Return
    Stack Buffer Predictions (PBRSB) [#intel-pbrsb]_, where the last
    CALL from the guest can be used to predict the first unbalanced
    RET.  In this case the PBRSB mitigation is needed in addition to
    eIBRS.

AMD RETBleed / SRSO / Branch Type Confusion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On AMD, poisoned RSB entries can also be created by the AMD RETBleed
variant [#retbleed-paper]_ [#amd-btc]_ or by Speculative Return Stack
Overflow [#amd-srso]_ (Inception [#inception-paper]_).  The kernel
protects itself by replacing every RET in the kernel with a branch to a
single safe RET.

----

RSB underflow (Intel only)
==========================

RSB Alternate (RSBA) ("Intel Retbleed")
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some Intel Skylake-generation CPUs are susceptible to the Intel variant
of RETBleed [#retbleed-paper]_ (Return Stack Buffer Underflow
[#intel-rsbu]_).  If a RET is executed when the RSB buffer is empty due
to mismatched CALLs/RETs or returning from a deep call stack, the branch
predictor can fall back to using the Branch Target Buffer (BTB).  If a
user forces a BTB collision then the RET can speculatively branch to a
user-controlled address.

* Note that RSB filling doesn't fully mitigate this issue.  If there
  are enough unbalanced RETs, the RSB may still underflow and fall back
  to using a poisoned BTB entry.

* On context switch, user->user underflow attacks are mitigated by the
  conditional IBPB [#cond-ibpb]_ on context switch which effectively
  clears the BTB:

  * "The indirect branch predictor barrier (IBPB) is an indirect branch
    control mechanism that establishes a barrier, preventing software
    that executed before the barrier from controlling the predicted
    targets of indirect branches executed after the barrier on the same
    logical processor." [#intel-ibpb-btb]_

* On context switch and VMEXIT, user->kernel and guest->host RSB
  underflows are mitigated by IBRS or eIBRS:

  * "Enabling IBRS (including enhanced IBRS) will mitigate the "RSBU"
    attack demonstrated by the researchers.  As previously documented,
    Intel recommends the use of enhanced IBRS, where supported.  This
    includes any processor that enumerates RRSBA but not RRSBA_DIS_S."
    [#intel-rsbu]_

  However, note that eIBRS and IBRS do not mitigate intra-mode attacks.
  Like RRSBA below, this is mitigated by clearing the BHB on kernel
  entry.

  As an alternative to classic IBRS, call depth tracking (combined with
  retpolines) can be used to track kernel returns and fill the RSB when
  it gets close to being empty.

Restricted RSB Alternate (RRSBA)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some newer Intel CPUs have Restricted RSB Alternate (RRSBA) behavior,
which, similar to RSBA described above, also falls back to using the BTB
on RSB underflow.  The only difference is that the predicted targets are
restricted to the current domain when eIBRS is enabled:

* "Restricted RSB Alternate (RRSBA) behavior allows alternate branch
  predictors to be used by near RET instructions when the RSB is
  empty.  When eIBRS is enabled, the predicted targets of these
  alternate predictors are restricted to those belonging to the
  indirect branch predictor entries of the current prediction domain."
  [#intel-eibrs-rrsba]_

When a CPU with RRSBA is vulnerable to Branch History Injection
[#bhi-paper]_ [#intel-bhi]_, an RSB underflow could be used for an
intra-mode BTI attack.  This is mitigated by clearing the BHB on kernel
entry.

However, if the kernel uses retpolines instead of eIBRS, it needs to
disable RRSBA:

* "Where software is using retpoline as a mitigation for BHI or
  intra-mode BTI, and the processor both enumerates RRSBA and
  enumerates RRSBA_DIS controls, it should disable this behavior."
[#intel-retpoline-rrsba]_ h]h)}(h"Where software is using retpoline as a mitigation for BHI or intra-mode BTI, and the processor both enumerates RRSBA and enumerates RRSBA_DIS controls, it should disable this behavior." [#intel-retpoline-rrsba]_h](h“Where software is using retpoline as a mitigation for BHI or intra-mode BTI, and the processor both enumerates RRSBA and enumerates RRSBA_DIS controls, it should disable this behavior.” }(hjqhhhNhNubj)}(h[#intel-retpoline-rrsba]_h]h23}(hjyhhhNhNubah}(h]id27ah ]h"]h$]h&]jKjintel-retpoline-rrsbajjuh1jhjqjKubeh}(h]h ]h"]h$]h&]uh1hhhhKhjmubah}(h]h ]h"]h$]h&]uh1jhjjhhhhhNubah}(h]h ]h"]h$]h&]jKjLuh1jhhhKhjhhubeh}(h]restricted-rsb-alternate-rrsbaah ]h"] restricted rsb alternate (rrsba)ah$]h&]uh1hhjhhhhhKubeh}(h]rsb-underflow-intel-onlyah ]h"]rsb underflow (intel only)ah$]h&]uh1hhhhhhhhKubjN)}(h----h]h}(h]h ]h"]h$]h&]uh1jMhhhKhhhhubh)}(hhh](h)}(h Referencesh]h References}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubhfootnote)}(hm`Spectre Returns! Speculation Attacks using the Return Stack Buffer `_ h](hlabel)}(hhh]h1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhhhNhNubh)}(hl`Spectre Returns! Speculation Attacks using the Return Stack Buffer `_h](h reference)}(hjh]hBSpectre Returns! Speculation Attacks using the Return Stack Buffer}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameBSpectre Returns! Speculation Attacks using the Return Stack Bufferrefuri$https://arxiv.org/pdf/1807.07940.pdfuh1jhjubhtarget)}(h' h]h}(h]Aspectre-returns-speculation-attacks-using-the-return-stack-bufferah ]h"]Bspectre returns! 
speculation attacks using the return stack bufferah$]h&]refurijuh1j referencedKhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]jah ]h"] spectre-rsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(hX"Empty RSB Mitigation on Skylake-generation" in `Retpoline: A Branch Target Injection Mitigation `_ h](j)}(hhh]h2}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhhhNhNubh)}(hX"Empty RSB Mitigation on Skylake-generation" in `Retpoline: A Branch Target Injection Mitigation `_h](h4“Empty RSB Mitigation on Skylake-generation” in }(hj hhhNhNubj)}(h`Retpoline: A Branch Target Injection Mitigation `_h]h/Retpoline: A Branch Target Injection Mitigation}(hj(hhhNhNubah}(h]h ]h"]h$]h&]name/Retpoline: A Branch Target Injection Mitigationjhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/retpoline-branch-target-injection-mitigation.html#inpage-nav-5-1uh1jhj ubj)}(h h]h}(h].retpoline-a-branch-target-injection-mitigationah ]h"]/retpoline: a branch target injection mitigationah$]h&]refurij8uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]jah ]h"]intel-rsb-fillingah$]h&]jajKjjuh1jhhhKhjhhubj)}(h"Mitigation V2-3" in `Software Techniques for Managing Speculation `_ h](j)}(hhh]h3}(hjWhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjShhhNhNubh)}(h"Mitigation V2-3" in `Software Techniques for Managing Speculation `_h](h“Mitigation V2-3” in }(hjdhhhNhNubj)}(h`Software Techniques for Managing Speculation `_h]h,Software Techniques for Managing Speculation}(hjlhhhNhNubah}(h]h ]h"]h$]h&]name,Software Techniques for Managing Speculationjhttps://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/software-techniques-for-managing-speculation.pdfuh1jhjdubj)}(h h]h}(h],software-techniques-for-managing-speculationah ]h"],software techniques for managing speculationah$]h&]refurij|uh1jjKhjdubeh}(h]h ]h"]h$]h&]uh1hhhhKhjSubeh}(h]jah ]h"]amd-rsb-fillingah$]h&](jjejKjjuh1jhhhKhjhhubj)}(hX)Whether IBPB is written depends on whether the prev and/or next task is 
protected from Spectre attacks. It typically requires opting in per task or system-wide. For more details see the documentation for the ``spectre_v2_user`` cmdline option in Documentation/admin-guide/kernel-parameters.txt. h](j)}(hhh]h4}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhhhNhNubh)}(hX(Whether IBPB is written depends on whether the prev and/or next task is protected from Spectre attacks. It typically requires opting in per task or system-wide. For more details see the documentation for the ``spectre_v2_user`` cmdline option in Documentation/admin-guide/kernel-parameters.txt.h](hWhether IBPB is written depends on whether the prev and/or next task is protected from Spectre attacks. It typically requires opting in per task or system-wide. For more details see the documentation for the }(hjhhhNhNubhliteral)}(h``spectre_v2_user``h]hspectre_v2_user}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubhC cmdline option in Documentation/admin-guide/kernel-parameters.txt.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]j0ah ]h"] cond-ibpbah$]h&](j+jejKjjuh1jhhhKhjhhubj)}(hHIBPB without flushing of branch type predictions. Only exists for AMD. h](j)}(hhh]h5}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhhhNhNubh)}(hGIBPB without flushing of branch type predictions. Only exists for AMD.h]hGIBPB without flushing of branch type predictions. Only exists for AMD.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]jyah ]h"]amd-sbpbah$]h&]jtajKjjuh1jhhhKhjhhubj)}(hX"Function 8000_0008h -- Processor Capacity Parameters and Extended Feature Identification" in `AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions `_. SBPB behaves the same way according to `this email `_. h](j)}(hhh]h6}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhhhNhNubh)}(hX"Function 8000_0008h -- Processor Capacity Parameters and Extended Feature Identification" in `AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions `_. 
SBPB behaves the same way according to `this email `_.h](hb“Function 8000_0008h -- Processor Capacity Parameters and Extended Feature Identification” in }(hj hhhNhNubj)}(h`AMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructions `_h]hZAMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameXAMD64 Architecture Programmer's Manual Volume 3: General-Purpose and System Instructionsjdhttps://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24594.pdfuh1jhj ubj)}(hg h]h}(h]Wamd64-architecture-programmer-s-manual-volume-3-general-purpose-and-system-instructionsah ]h"]Xamd64 architecture programmer's manual volume 3: general-purpose and system instructionsah$]h&]refurij uh1jjKhj ubh*. SBPB behaves the same way according to }(hj hhhNhNubj)}(hM`this email `_h]h this email}(hj2 hhhNhNubah}(h]h ]h"]h$]h&]name this emailj=https://lore.kernel.org/5175b163a3736ca5fd01cedf406735636c99auh1jhj ubj)}(h@ h]h}(h] this-emailah ]h"] this emailah$]h&]refurijB uh1jjKhj ubh.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]jah ]h"] amd-ibpb-rsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(hm`Spectre Attacks: Exploiting Speculative Execution `_ h](j)}(hhh]h7}(hje hhhNhNubah}(h]h ]h"]h$]h&]uh1jhja hhhNhNubh)}(hl`Spectre Attacks: Exploiting Speculative Execution `_h](j)}(hjt h]h1Spectre Attacks: Exploiting Speculative Execution}(hjv hhhNhNubah}(h]h ]h"]h$]h&]name1Spectre Attacks: Exploiting Speculative Executionj5https://comsec.ethz.ch/wp-content/files/ibpb_sp25.pdfuh1jhjr ubj)}(h8 h]h}(h]0spectre-attacks-exploiting-speculative-executionah ]h"]1spectre attacks: exploiting speculative executionah$]h&]refurij uh1jjKhjr ubeh}(h]h ]h"]h$]h&]uh1hhhhKhja ubeh}(h]jah ]h"]amd-ibpb-no-rsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(hX "Introduction" in `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 `_ h](j)}(hhh]h8}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(hX 
"Introduction" in `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 `_h](h“Introduction” in }(hj hhhNhNubj)}(h`Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 `_h]hNPost-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameNPost-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.htmluh1jhj ubj)}(h h]h}(h]Jpost-barrier-return-stack-buffer-predictions-cve-2022-26373-intel-sa-00706ah ]h"]Npost-barrier return stack buffer predictions / cve-2022-26373 / intel-sa-00706ah$]h&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj ubeh}(h]j&ah ]h"]intel-ibpb-rsbah$]h&]j!ajKjjuh1jhhhKhjhhubj)}(h"Existing Mitigations" in `Technical Guidance for Mitigating Branch Type Confusion `_ h](j)}(hhh]h9}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h"Existing Mitigations" in `Technical Guidance for Mitigating Branch Type Confusion `_h](h“Existing Mitigations” in }(hj hhhNhNubj)}(h`Technical Guidance for Mitigating Branch Type Confusion `_h]h7Technical Guidance for Mitigating Branch Type Confusion}(hj hhhNhNubah}(h]h ]h"]h$]h&]name7Technical Guidance for Mitigating Branch Type Confusionjvhttps://www.amd.com/content/dam/amd/en/documents/resources/technical-guidance-for-mitigating-branch-type-confusion.pdfuh1jhj ubj)}(hy h]h}(h]7technical-guidance-for-mitigating-branch-type-confusionah ]h"]7technical guidance for mitigating branch type confusionah$]h&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj ubeh}(h]jah ]h"] amd-smep-rsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(h"Enhanced IBRS" in `Indirect Branch Restricted Speculation `_ h](j)}(hhh]h10}(hj, hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj( hhhNhNubh)}(h"Enhanced IBRS" in `Indirect Branch Restricted Speculation `_h](h“Enhanced IBRS” in }(hj9 hhhNhNubj)}(h`Indirect 
Branch Restricted Speculation `_h]h&Indirect Branch Restricted Speculation}(hjA hhhNhNubah}(h]h ]h"]h$]h&]name&Indirect Branch Restricted Speculationjhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.htmluh1jhj9 ubj)}(h h]h}(h]&indirect-branch-restricted-speculationah ]h"]&indirect branch restricted speculationah$]h&]refurijQ uh1jjKhj9 ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj( ubeh}(h]jah ]h"]intel-smep-rsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(h"Extended Feature Enable Register (EFER)" in `AMD64 Architecture Programmer's Manual Volume 2: System Programming `_ h](j)}(hhh]h11}(hjp hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjl hhhNhNubh)}(h"Extended Feature Enable Register (EFER)" in `AMD64 Architecture Programmer's Manual Volume 2: System Programming `_h](h1“Extended Feature Enable Register (EFER)” in }(hj} hhhNhNubj)}(h`AMD64 Architecture Programmer's Manual Volume 2: System Programming `_h]hEAMD64 Architecture Programmer’s Manual Volume 2: System Programming}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameCAMD64 Architecture Programmer's Manual Volume 2: System Programmingjdhttps://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/24593.pdfuh1jhj} ubj)}(hg h]h}(h]Bamd64-architecture-programmer-s-manual-volume-2-system-programmingah ]h"]Camd64 architecture programmer's manual volume 2: system programmingah$]h&]refurij uh1jjKhj} ubeh}(h]h ]h"]h$]h&]uh1hhhhKhjl ubeh}(h]j`ah ]h"]amd-eibrs-vmexitah$]h&]j[ajKjjuh1jhhhKhjhhubj)}(h"Enhanced IBRS" in `Indirect Branch Restricted Speculation `_ h](j)}(hhh]h12}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h"Enhanced IBRS" in `Indirect Branch Restricted Speculation `_h](h“Enhanced IBRS” in }(hj hhhNhNubj)}(h`Indirect Branch Restricted Speculation `_h]h&Indirect Branch Restricted Speculation}(hj hhhNhNubah}(h]h ]h"]h$]h&]name&Indirect Branch Restricted 
Speculationjhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.htmluh1jhj ubj)}(h h]h}(h]id28ah ]h"]h$]&indirect branch restricted speculationah&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj ubeh}(h]jah ]h"]intel-eibrs-vmexitah$]h&]jajKjjuh1jhhhKhjhhubj)}(h`Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 `_ h](j)}(hhh]h13}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h`Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 `_h](j)}(hj h]hNPost-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameNPost-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.htmluh1jhj ubj)}(h h]h}(h]id29ah ]h"]h$]Npost-barrier return stack buffer predictions / cve-2022-26373 / intel-sa-00706ah&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj ubeh}(h]jah ]h"] intel-pbrsbah$]h&]jajKjjuh1jhhhKhjhhubj)}(h`RETBleed: Arbitrary Speculative Code Execution with Return Instruction `_ Vh](j)}(hhh]h14}(hj7 hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj3 hhhNhNubh)}(h`RETBleed: Arbitrary Speculative Code Execution with Return Instruction `_h](j)}(hjF h]hFRETBleed: Arbitrary Speculative Code Execution with Return Instruction}(hjH hhhNhNubah}(h]h ]h"]h$]h&]nameFRETBleed: Arbitrary Speculative Code Execution with Return Instructionj:https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdfuh1jhjD ubj)}(h= h]h}(h]Eretbleed-arbitrary-speculative-code-execution-with-return-instructionah ]h"]Fretbleed: arbitrary speculative code execution with return instructionah$]h&]refurijW uh1jjKhjD ubeh}(h]h ]h"]h$]h&]uh1hhhhKhj3 ubeh}(h]j5ah ]h"]retbleed-paperah$]h&](j0jejKjjuh1jhhhKhjhhubj)}(h`Technical Guidance for Mitigating 
Branch Type Confusion `_ h](j)}(hhh]h15}(hjv hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjr hhhNhNubh)}(h`Technical Guidance for Mitigating Branch Type Confusion `_h](j)}(hj h]h7Technical Guidance for Mitigating Branch Type Confusion}(hj hhhNhNubah}(h]h ]h"]h$]h&]name7Technical Guidance for Mitigating Branch Type Confusionjvhttps://www.amd.com/content/dam/amd/en/documents/resources/technical-guidance-for-mitigating-branch-type-confusion.pdfuh1jhj ubj)}(hy h]h}(h]id30ah ]h"]h$]7technical guidance for mitigating branch type confusionah&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhjr ubeh}(h]jIah ]h"]amd-btcah$]h&]jDajKjjuh1jhhhKhjhhubj)}(h`Technical Update Regarding Speculative Return Stack Overflow `_ h](j)}(hhh]h16}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h`Technical Update Regarding Speculative Return Stack Overflow `_h](j)}(hj h]hh]h}(h]`_ h](j)}(hhh]h17}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h`Inception: Exposing New Attack Surfaces with Training in Transient Execution `_h](j)}(hj h]hLInception: Exposing New Attack Surfaces with Training in Transient Execution}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameLInception: Exposing New Attack Surfaces with Training in Transient Executionj;https://comsec.ethz.ch/wp-content/files/inception_sec23.pdfuh1jhj ubj)}(h> h]h}(h]Kinception-exposing-new-attack-surfaces-with-training-in-transient-executionah ]h"]Linception: exposing new attack surfaces with training in transient executionah$]h&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubeh}(h]jqah ]h"]inception-paperah$]h&]jlajKjjuh1jhhhMhjhhubj)}(hX `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 `_ h](j)}(hhh]h18}(hj3 hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj/ hhhNhNubh)}(hX `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 `_h](j)}(hjB h]hoReturn Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702}(hjD 
hhhNhNubah}(h]h ]h"]h$]h&]nameoReturn Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.htmluh1jhj@ ubj)}(h h]h}(h]hreturn-stack-buffer-underflow-return-stack-buffer-underflow-cve-2022-29901-cve-2022-28693-intel-sa-00702ah ]h"]oreturn stack buffer underflow / return stack buffer underflow / cve-2022-29901, cve-2022-28693 / intel-sa-00702ah$]h&]refurijS uh1jjKhj@ ubeh}(h]h ]h"]h$]h&]uh1hhhhMhj/ ubeh}(h]jah ]h"] intel-rsbuah$]h&](jjejKjjuh1jhhhMhjhhubj)}(h`Indirect Branch Predictor Barrier' `_ h](j)}(hhh]h19}(hjr hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjn hhhNhNubh)}(h`Indirect Branch Predictor Barrier' `_h](j)}(hj h]h$Indirect Branch Predictor Barrier’}(hj hhhNhNubah}(h]h ]h"]h$]h&]name"Indirect Branch Predictor Barrier'jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-predictor-barrier.htmluh1jhj ubj)}(h h]h}(h]!indirect-branch-predictor-barrierah ]h"]"indirect branch predictor barrier'ah$]h&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhMhjn ubeh}(h]jKah ]h"]intel-ibpb-btbah$]h&]jFajKjjuh1jhhhMhjhhubj)}(hX!"Guidance for RSBU" in `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 `_ h](j)}(hhh]h20}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(hX "Guidance for RSBU" in `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 `_h](h“Guidance for RSBU” in }(hj hhhNhNubj)}(hX `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702 `_h]hoReturn Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameoReturn Stack Buffer Underflow / Return Stack 
Buffer Underflow / CVE-2022-29901, CVE-2022-28693 / INTEL-SA-00702jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.htmluh1jhj ubj)}(h h]h}(h]id31ah ]h"]h$]oreturn stack buffer underflow / return stack buffer underflow / cve-2022-29901, cve-2022-28693 / intel-sa-00702ah&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubeh}(h]jah ]h"]intel-eibrs-rrsbaah$]h&]jajKjjuh1jhhhMhjhhubj)}(h`Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks `_ h](j)}(hhh]h21}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hhhNhNubh)}(h`Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks `_h](j)}(hj h]hqBranch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacks}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameqBranch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Privilege Spectre-v2 Attacksj:http://download.vusec.net/papers/bhi-spectre-bhb_sec22.pdfuh1jhj ubj)}(h= h]h}(h]pbranch-history-injection-on-the-effectiveness-of-hardware-mitigations-against-cross-privilege-spectre-v2-attacksah ]h"]qbranch history injection: on the effectiveness of hardware mitigations against cross-privilege spectre-v2 attacksah$]h&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubeh}(h]j=ah ]h"] bhi-paperah$]h&]j8ajKjjuh1jhhhMhjhhubj)}(hX `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 `_ h](j)}(hhh]h22}(hj4 hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj0 hhhNhNubh)}(hX `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 `_h](j)}(hjC h]hoBranch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598}(hjE hhhNhNubah}(h]h ]h"]h$]h&]nameoBranch History Injection and Intra-mode Branch 
Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.htmluh1jhjA ubj)}(h h]h}(h]jbranch-history-injection-and-intra-mode-branch-target-injection-cve-2022-0001-cve-2022-0002-intel-sa-00598ah ]h"]obranch history injection and intra-mode branch target injection / cve-2022-0001, cve-2022-0002 / intel-sa-00598ah$]h&]refurijT uh1jjKhjA ubeh}(h]h ]h"]h$]h&]uh1hhhhM hj0 ubeh}(h]jQah ]h"] intel-bhiah$]h&]jLajKjjuh1jhhhM hjhhubj)}(hX"Retpoline" in `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 `_h](j)}(hhh]h23}(hjs hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjo hhhNhNubh)}(hjq h](h“Retpoline” in }(hj hhhNhNubj)}(hX `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598 `_h]hoBranch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameoBranch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0002 / INTEL-SA-00598jhttps://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.htmluh1jhj ubj)}(h h]h}(h]id32ah ]h"]h$]obranch history injection and intra-mode branch target injection / cve-2022-0001, cve-2022-0002 / intel-sa-00598ah&]refurij uh1jjKhj ubeh}(h]h ]h"]h$]h&]uh1hhhhM hjo ubeh}(h]jah ]h"]intel-retpoline-rrsbaah$]h&]jajKjjuh1jhhhM hjhhubeh}(h] referencesah ]h"] referencesah$]h&]uh1hhhhhhhhKubeh}(h]rsb-related-mitigationsah ]h"]rsb-related mitigationsah$]h&]uh1hhhhhhhhKubeh}(h]h ]h"]h$]h&]sourcehuh1hcurrent_sourceN current_lineNsettingsdocutils.frontendValues)}(hN generatorN datestampN source_linkN source_urlN toc_backlinksentryfootnote_backlinksK sectnum_xformKstrip_commentsNstrip_elements_with_classesN 
strip_classesN report_levelK halt_levelKexit_status_levelKdebugNwarning_streamN tracebackinput_encoding utf-8-siginput_encoding_error_handlerstrictoutput_encodingutf-8output_encoding_error_handlerj error_encodingutf-8error_encoding_error_handlerbackslashreplace language_codeenrecord_dependenciesNconfigN id_prefixhauto_id_prefixid dump_settingsNdump_internalsNdump_transformsNdump_pseudo_xmlNexpose_internalsNstrict_visitorN_disable_configN_sourceh _destinationN _config_files]7/var/lib/git/docbuild/linux/Documentation/docutils.confafile_insertion_enabled raw_enabledKline_length_limitM'pep_referencesN pep_base_urlhttps://peps.python.org/pep_file_url_templatepep-%04drfc_referencesN rfc_base_url&https://datatracker.ietf.org/doc/html/ tab_widthKtrim_footnote_reference_spacesyntax_highlightlong smart_quotessmartquotes_locales]character_level_inline_markupdoctitle_xform docinfo_xformKsectsubtitle_xform image_loadinglinkembed_stylesheetcloak_email_addressessection_self_linkenvNubreporterNindirect_targets]substitution_defs}substitution_names}refnames}( spectre-rsb]jaintel-rsb-filling]jaamd-rsb-filling](jje cond-ibpb](j!jeamd-sbpb]jja amd-ibpb-rsb]j~aamd-ibpb-no-rsb]jaintel-ibpb-rsb]ja amd-smep-rsb]jaintel-smep-rsb]jaamd-eibrs-vmexit]jQaintel-eibrs-vmexit]ja intel-pbrsb]jaretbleed-paper](j&jeamd-btc]j:aamd-srso]jNainception-paper]jba intel-rsbu](jjeintel-ibpb-btb]j<aintel-eibrs-rrsba]ja bhi-paper]j.a intel-bhi]jBaintel-retpoline-rrsba]jyaurefids}(j]jaj]jaj](jjej0](j!jejy]jjaj]j~aj]jaj&]jaj]jaj]jaj`]jQaj]jaj]jaj5](j&jejI]j:aj]]jNajq]jbaj](jjejK]j<aj]jaj=]j.ajQ]jBaj]jyaunameids}(j j jjj jjj~jjjjjjj j j jjjjPjjBj?jjjjjj0jjyj^ jj* j' jL jI j jj j j j&j j j% jj j ji jj[ jX j j`j j j jj0 jjo j5ja j^ j jIj j]j j j, jqj j jk jj] jZ j jKj j j jj- j=j j jl jQj^ j[ j ju nametypes}(j jj jjjjj j jjPjBjjjjj^ j* jL j j j j j% j ji j[ j j j j0 jo ja j j j j, j jk j] j j j j- j jl j^ j uh}(j hjjYjjjjjjjjjj+j!jtjjjj~jjjjj!jjjjjj[jQjjjjj~j j0j&jDj:jXjNjljbjjjjjjjjjjjFj<jjjjjjj8j.jLjBjjyj 
jjjjjjjj?j9jjSjj}j0jjyjjjj' j! jI jC jja j j j&j j j jj j j jj( jX jR j`jl j j jj j j jj j j j5j3 j^ jX jIjr j j j]j j j jqj j j jj/ jZ jT jKjn j j jj j j j=j j j jQj0 j[ jU jjo j j u footnote_refs}(j%]jaj']jaj)](jjej+](j!jej-]jjaj/]j~aj1]jaj3]jaj5]jaj7]jaj9]jQaj;]jaj=]jaj?](j&jejA]j:ajC]jNajE]jbajG](jjejI]j<ajK]jajM]j.ajO]jBajQ]jyau citation_refs} autofootnotes](jjjSjjjja j j j( jl j j j3 jr j j j/ jn j j j0 jo eautofootnote_refs](jjjj!jjj~jjjjjjQjjj&j:jNjbjjjj<jjj.jBjyesymbol_footnotes]symbol_footnote_refs] footnotes] citations]autofootnote_startKsymbol_footnote_startK id_counter collectionsCounter}j K sRparse_messages](hsystem_message)}(hhh]h)}(hIDuplicate explicit target name: "indirect branch restricted speculation".h]hMDuplicate explicit target name: “indirect branch restricted speculation”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]j alevelKtypeINFOsourcehlineKuh1jhj ubj)}(hhh]h)}(hqDuplicate explicit target name: "post-barrier return stack buffer predictions / cve-2022-26373 / intel-sa-00706".h]huDuplicate explicit target name: “post-barrier return stack buffer predictions / cve-2022-26373 / intel-sa-00706”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]j alevelKtypejsourcehlineKuh1jhj ubj)}(hhh]h)}(hZDuplicate explicit target name: "technical guidance for mitigating branch type confusion".h]h^Duplicate explicit target name: “technical guidance for mitigating branch type confusion”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]j alevelKtypejsourcehlineKuh1jhjr ubj)}(hhh]h)}(hDuplicate explicit target name: "return stack buffer underflow / return stack buffer underflow / cve-2022-29901, cve-2022-28693 / intel-sa-00702".h]hDuplicate explicit target name: “return stack buffer underflow / return stack buffer underflow / cve-2022-29901, cve-2022-28693 / intel-sa-00702”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]j alevelKtypejsourcehlineKuh1jhj ubj)}(hhh]h)}(hDuplicate explicit target name: "branch history injection 
and intra-mode branch target injection / cve-2022-0001, cve-2022-0002 / intel-sa-00598".h]hDuplicate explicit target name: “branch history injection and intra-mode branch target injection / cve-2022-0001, cve-2022-0002 / intel-sa-00598”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]j alevelKtypejsourcehlineKuh1jhjo ubetransform_messages] transformerN include_log] decorationNhhub.