sphinx.addnodesdocument)}( rawsourcechildren]( translations LanguagesNode)}(hhh](h pending_xref)}(hhh]docutils.nodesTextChinese (Simplified)}parenthsba attributes}(ids]classes]names]dupnames]backrefs] refdomainstdreftypedoc reftarget//translations/zh_CN/admin-guide/hw-vuln/spectremodnameN classnameN refexplicitutagnamehhh ubh)}(hhh]hChinese (Traditional)}hh2sbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget//translations/zh_TW/admin-guide/hw-vuln/spectremodnameN classnameN refexplicituh1hhh ubh)}(hhh]hItalian}hhFsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget//translations/it_IT/admin-guide/hw-vuln/spectremodnameN classnameN refexplicituh1hhh ubh)}(hhh]hJapanese}hhZsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget//translations/ja_JP/admin-guide/hw-vuln/spectremodnameN classnameN refexplicituh1hhh ubh)}(hhh]hKorean}hhnsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget//translations/ko_KR/admin-guide/hw-vuln/spectremodnameN classnameN refexplicituh1hhh ubh)}(hhh]hSpanish}hhsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget//translations/sp_SP/admin-guide/hw-vuln/spectremodnameN classnameN refexplicituh1hhh ubeh}(h]h ]h"]h$]h&]current_languageEnglishuh1h hh _documenthsourceNlineNubhcomment)}(h SPDX-License-Identifier: GPL-2.0h]h SPDX-License-Identifier: GPL-2.0}hhsbah}(h]h ]h"]h$]h&] xml:spacepreserveuh1hhhhhhI/var/lib/git/docbuild/linux/Documentation/admin-guide/hw-vuln/spectre.rsthKubhsection)}(hhh](htitle)}(hSpectre Side Channelsh]hSpectre Side Channels}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh paragraph)}(hXSpectre is a class of side channel attacks that exploit branch prediction and speculative execution on modern CPUs to read memory, possibly bypassing access controls. Speculative execution side channel exploits do not modify memory but attempt to infer privileged data in the memory.h]hXSpectre is a class of side channel attacks that exploit branch prediction and speculative execution on modern CPUs to read memory, possibly bypassing access controls. Speculative execution side channel exploits do not modify memory but attempt to infer privileged data in the memory.}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(h=This document covers Spectre variant 1 and Spectre variant 2.h]h=This document covers Spectre variant 1 and Spectre variant 2.}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK hhhhubh)}(hhh](h)}(hAffected processorsh]hAffected processors}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh)}(hSpeculative execution side channel methods affect a wide range of modern high performance processors, since most modern high speed processors use branch prediction and speculative execution.h]hSpeculative execution side channel methods affect a wide range of modern high performance processors, since most modern high speed processors use branch prediction and speculative execution.}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(h"The following CPUs are vulnerable:h]h"The following CPUs are vulnerable:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh block_quote)}(hX- Intel Core, Atom, Pentium, and Xeon processors - AMD Phenom, EPYC, and Zen processors - IBM POWER and zSeries processors - Higher end ARM processors - Apple CPUs - Higher end MIPS CPUs - Likely most other high performance CPUs. Contact your CPU vendor for details. h]h bullet_list)}(hhh](h list_item)}(h/Intel Core, Atom, Pentium, and Xeon processors h]h)}(h.Intel Core, Atom, Pentium, and Xeon processorsh]h.Intel Core, Atom, Pentium, and Xeon processors}(hj%hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj!ubah}(h]h ]h"]h$]h&]uh1jhjubj )}(h%AMD Phenom, EPYC, and Zen processors h]h)}(h$AMD Phenom, EPYC, and Zen processorsh]h$AMD Phenom, EPYC, and Zen processors}(hj=hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj9ubah}(h]h ]h"]h$]h&]uh1jhjubj )}(h!IBM POWER and zSeries processors h]h)}(h IBM POWER and zSeries processorsh]h IBM POWER and zSeries processors}(hjUhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjQubah}(h]h ]h"]h$]h&]uh1jhjubj )}(hHigher end ARM processors h]h)}(hHigher end ARM processorsh]hHigher end ARM processors}(hjmhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjiubah}(h]h ]h"]h$]h&]uh1jhjubj )}(h Apple CPUs h]h)}(h Apple CPUsh]h Apple CPUs}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubah}(h]h ]h"]h$]h&]uh1jhjubj )}(hHigher end MIPS CPUs h]h)}(hHigher end MIPS CPUsh]hHigher end MIPS CPUs}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK hjubah}(h]h ]h"]h$]h&]uh1jhjubj )}(hNLikely most other high performance CPUs. Contact your CPU vendor for details. h]h)}(hMLikely most other high performance CPUs. Contact your CPU vendor for details.h]hMLikely most other high performance CPUs. Contact your CPU vendor for details.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK"hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]bullet-uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1jhhhKhhhhubh)}(hWhether a processor is affected or not can be read out from the Spectre vulnerability files in sysfs. See :ref:`spectre_sys_info`.h](hjWhether a processor is affected or not can be read out from the Spectre vulnerability files in sysfs. See }(hjhhhNhNubh)}(h:ref:`spectre_sys_info`h]hinline)}(hjh]hspectre_sys_info}(hjhhhNhNubah}(h]h ](xrefstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocadmin-guide/hw-vuln/spectre refdomainjreftyperef refexplicitrefwarn reftargetspectre_sys_infouh1hhhhK$hjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK$hhhhubeh}(h]affected-processorsah ]h"]affected processorsah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(h Related CVEsh]h Related CVEs}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhK(ubh)}(h4The following CVE entries describe Spectre variants:h]h4The following CVE entries describe Spectre variants:}(hj'hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK*hjhhubj)}(hXB============= ======================= ========================== CVE-2017-5753 Bounds check bypass Spectre variant 1 CVE-2017-5715 Branch target injection Spectre variant 2 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs) ============= ======================= ========================== h]htable)}(hhh]htgroup)}(hhh](hcolspec)}(hhh]h}(h]h ]h"]h$]h&]colwidthK uh1jChj@ubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthKuh1jChj@ubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthKuh1jChj@ubhtbody)}(hhh](hrow)}(hhh](hentry)}(hhh]h)}(h CVE-2017-5753h]h CVE-2017-5753}(hjrhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK-hjoubah}(h]h ]h"]h$]h&]uh1jmhjjubjn)}(hhh]h)}(hBounds check bypassh]hBounds check bypass}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK-hjubah}(h]h ]h"]h$]h&]uh1jmhjjubjn)}(hhh]h)}(hSpectre variant 1h]hSpectre variant 1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK-hjubah}(h]h ]h"]h$]h&]uh1jmhjjubeh}(h]h ]h"]h$]h&]uh1jhhjeubji)}(hhh](jn)}(hhh]h)}(h CVE-2017-5715h]h CVE-2017-5715}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK.hjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hBranch target injectionh]hBranch target injection}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK.hjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hSpectre variant 2h]hSpectre variant 2}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK.hjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjeubji)}(hhh](jn)}(hhh]h)}(h CVE-2019-1125h]h CVE-2019-1125}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK/hj ubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hSpectre v1 swapgsh]hSpectre v1 swapgs}(hj%hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK/hj"ubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hSpectre variant 1 (swapgs)h]hSpectre variant 1 (swapgs)}(hj<hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK/hj9ubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjeubeh}(h]h ]h"]h$]h&]uh1jchj@ubeh}(h]h ]h"]h$]h&]colsKuh1j>hj;ubah}(h]h ]h"]h$]h&]uh1j9hj5ubah}(h]h ]h"]h$]h&]uh1jhhhK,hjhhubeh}(h] related-cvesah ]h"] related cvesah$]h&]uh1hhhhhhhhK(ubh)}(hhh](h)}(hProblemh]hProblem}(hjzhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjwhhhhhK3ubh)}(hXCPUs use speculative operations to improve performance. That may leave traces of memory accesses or computations in the processor's caches, buffers, and branch predictors. Malicious software may be able to influence the speculative execution paths, and then use the side effects of the speculative execution in the CPUs' caches and buffers to infer privileged data touched during the speculative execution.h]hXCPUs use speculative operations to improve performance. That may leave traces of memory accesses or computations in the processor’s caches, buffers, and branch predictors. Malicious software may be able to influence the speculative execution paths, and then use the side effects of the speculative execution in the CPUs’ caches and buffers to infer privileged data touched during the speculative execution.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK5hjwhhubh)}(hXWSpectre variant 1 attacks take advantage of speculative execution of conditional branches, while Spectre variant 2 attacks use speculative execution of indirect branches to leak privileged memory. See :ref:`[1] ` :ref:`[5] ` :ref:`[6] ` :ref:`[7] ` :ref:`[10] ` :ref:`[11] `.h](hSpectre variant 1 attacks take advantage of speculative execution of conditional branches, while Spectre variant 2 attacks use speculative execution of indirect branches to leak privileged memory. See }(hjhhhNhNubh)}(h:ref:`[1] `h]j)}(hjh]h[1]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref1uh1hhhhK`h]j)}(hjh]h[5]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref5uh1hhhhK`h]j)}(hjh]h[6]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref6uh1hhhhK`h]j)}(hj h]h[7]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref7uh1hhhhK`h]j)}(hj0h]h[10]}(hj2hhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj.ubah}(h]h ]h"]h$]h&]refdocj refdomainj<reftyperef refexplicitrefwarnj spec_ref10uh1hhhhK`h]j)}(hjTh]h[11]}(hjVhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjRubah}(h]h ]h"]h$]h&]refdocj refdomainj`reftyperef refexplicitrefwarnj spec_ref11uh1hhhhK` takes advantage of speculative execution that bypasses conditional branch instructions used for memory access bounds check (e.g. checking if the index of an array results in memory access within a valid range). This results in memory accesses to invalid memory (with out-of-bound index) that are done speculatively before validation checks resolve. Such speculative memory accesses can leave side effects, creating side channels which leak information to the attacker.h](hThe bounds check bypass attack }(hjhhhNhNubh)}(h:ref:`[2] `h]j)}(hjh]h[2]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref2uh1hhhhKEhjubhX takes advantage of speculative execution that bypasses conditional branch instructions used for memory access bounds check (e.g. checking if the index of an array results in memory access within a valid range). This results in memory accesses to invalid memory (with out-of-bound index) that are done speculatively before validation checks resolve. Such speculative memory accesses can leave side effects, creating side channels which leak information to the attacker.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKEhjhhubh)}(hThere are some extensions of Spectre variant 1 attacks for reading data over the network, see :ref:`[12] `. However such attacks are difficult, low bandwidth, fragile, and are considered low risk.h](h^There are some extensions of Spectre variant 1 attacks for reading data over the network, see }(hjhhhNhNubh)}(h:ref:`[12] `h]j)}(hjh]h[12]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref12uh1hhhhKNhjubhZ. However such attacks are difficult, low bandwidth, fragile, and are considered low risk.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKNhjhhubh)}(hXmNote that, despite "Bounds Check Bypass" name, Spectre variant 1 is not only about user-controlled array bounds checks. It can affect any conditional checks. The kernel entry code interrupt, exception, and NMI handlers all have conditional swapgs checks. Those may be problematic in the context of Spectre v1, as kernel code can speculatively run with a user GS.h]hXqNote that, despite “Bounds Check Bypass” name, Spectre variant 1 is not only about user-controlled array bounds checks. It can affect any conditional checks. The kernel entry code interrupt, exception, and NMI handlers all have conditional swapgs checks. Those may be problematic in the context of Spectre v1, as kernel code can speculatively run with a user GS.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKRhjhhubeh}(h]%spectre-variant-1-bounds-check-bypassah ]h"]'spectre variant 1 (bounds check bypass)ah$]h&]uh1hhhhhhhhKCubh)}(hhh](h)}(h+Spectre variant 2 (Branch Target Injection)h]h+Spectre variant 2 (Branch Target Injection)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKZubh)}(hXThe branch target injection attack takes advantage of speculative execution of indirect branches :ref:`[3] `. The indirect branch predictors inside the processor used to guess the target of indirect branches can be influenced by an attacker, causing gadget code to be speculatively executed, thus exposing sensitive data touched by the victim. The side effects left in the CPU's caches during speculative execution can be measured to infer data values.h](haThe branch target injection attack takes advantage of speculative execution of indirect branches }(hj hhhNhNubh)}(h:ref:`[3] `h]j)}(hj*h]h[3]}(hj,hhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj(ubah}(h]h ]h"]h$]h&]refdocj refdomainj6reftyperef refexplicitrefwarnj spec_ref3uh1hhhhK\hj ubhX[. The indirect branch predictors inside the processor used to guess the target of indirect branches can be influenced by an attacker, causing gadget code to be speculatively executed, thus exposing sensitive data touched by the victim. The side effects left in the CPU’s caches during speculative execution can be measured to infer data values.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhK\hjhhubhtarget)}(h.. _poison_btb:h]h}(h]h ]h"]h$]h&]refid poison-btbuh1jRhKdhjhhhhubh)}(hXCIn Spectre variant 2 attacks, the attacker can steer speculative indirect branches in the victim to gadget code by poisoning the branch target buffer of a CPU used for predicting indirect branch addresses. Such poisoning could be done by indirect branching into existing code, with the address offset of the indirect branch under the attacker's control. Since the branch prediction on impacted hardware does not fully disambiguate branch address and uses the offset for prediction, this could cause privileged code's indirect branch to jump to a gadget code with the same offset.h]hXGIn Spectre variant 2 attacks, the attacker can steer speculative indirect branches in the victim to gadget code by poisoning the branch target buffer of a CPU used for predicting indirect branch addresses. Such poisoning could be done by indirect branching into existing code, with the address offset of the indirect branch under the attacker’s control. Since the branch prediction on impacted hardware does not fully disambiguate branch address and uses the offset for prediction, this could cause privileged code’s indirect branch to jump to a gadget code with the same offset.}(hj`hhhNhNubah}(h]j_ah ]h"] poison_btbah$]h&]uh1hhhhKfhjhhexpect_referenced_by_name}jljTsexpect_referenced_by_id}j_jTsubh)}(hXBThe most useful gadgets take an attacker-controlled input parameter (such as a register value) so that the memory read can be controlled. Gadgets without input parameters might be possible, but the attacker would have very little control over what memory can be read, reducing the risk of the attack revealing useful data.h]hXBThe most useful gadgets take an attacker-controlled input parameter (such as a register value) so that the memory read can be controlled. Gadgets without input parameters might be possible, but the attacker would have very little control over what memory can be read, reducing the risk of the attack revealing useful data.}(hjshhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKphjhhubh)}(hXOne other variant 2 attack vector is for the attacker to poison the return stack buffer (RSB) :ref:`[13] ` to cause speculative subroutine return instruction execution to go to a gadget. An attacker's imbalanced subroutine call instructions might "poison" entries in the return stack buffer which are later consumed by a victim's subroutine return instructions. This attack can be mitigated by flushing the return stack buffer on context switch, or virtual machine (VM) exit.h](h^One other variant 2 attack vector is for the attacker to poison the return stack buffer (RSB) }(hjhhhNhNubh)}(h:ref:`[13] `h]j)}(hjh]h[13]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref13uh1hhhhKvhjubhX{ to cause speculative subroutine return instruction execution to go to a gadget. An attacker’s imbalanced subroutine call instructions might “poison” entries in the return stack buffer which are later consumed by a victim’s subroutine return instructions. This attack can be mitigated by flushing the return stack buffer on context switch, or virtual machine (VM) exit.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKvhjhhubh)}(hXOn systems with simultaneous multi-threading (SMT), attacks are possible from the sibling thread, as level 1 cache and branch target buffer (BTB) may be shared between hardware threads in a CPU core. A malicious program running on the sibling thread may influence its peer's BTB to steer its indirect branch speculations to gadget code, and measure the speculative execution's side effects left in level 1 cache to infer the victim's data.h]hXOn systems with simultaneous multi-threading (SMT), attacks are possible from the sibling thread, as level 1 cache and branch target buffer (BTB) may be shared between hardware threads in a CPU core. A malicious program running on the sibling thread may influence its peer’s BTB to steer its indirect branch speculations to gadget code, and measure the speculative execution’s side effects left in level 1 cache to infer the victim’s data.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK~hjhhubh)}(hXsYet another variant 2 attack vector is for the attacker to poison the Branch History Buffer (BHB) to speculatively steer an indirect branch to a specific Branch Target Buffer (BTB) entry, even if the entry isn't associated with the source address of the indirect branch. Specifically, the BHB might be shared across privilege levels even in the presence of Enhanced IBRS.h]hXuYet another variant 2 attack vector is for the attacker to poison the Branch History Buffer (BHB) to speculatively steer an indirect branch to a specific Branch Target Buffer (BTB) entry, even if the entry isn’t associated with the source address of the indirect branch. Specifically, the BHB might be shared across privilege levels even in the presence of Enhanced IBRS.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hX Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don't require unprivileged eBPF. For a full mitigation against BHB attacks it is recommended to set BHI_DIS_S or use the BHB clearing sequence.h]hX Previously the only known real-world BHB attack vector was via unprivileged eBPF. Further research has found attacks that don’t require unprivileged eBPF. For a full mitigation against BHB attacks it is recommended to set BHI_DIS_S or use the BHB clearing sequence.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubeh}(h])spectre-variant-2-branch-target-injectionah ]h"]+spectre variant 2 (branch target injection)ah$]h&]uh1hhhhhhhhKZubh)}(hhh](h)}(hAttack scenariosh]hAttack scenarios}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubh)}(hlThe following list of attack scenarios have been anticipated, but may not cover all possible attack vectors.h]hlThe following list of attack scenarios have been anticipated, but may not cover all possible attack vectors.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjhhubh)}(hhh](h)}(h&1. A user process attacking the kernelh]h&1. A user process attacking the kernel}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubh)}(hhh](h)}(hSpectre variant 1h]hSpectre variant 1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubj)}(hXaThe attacker passes a parameter to the kernel via a register or via a known address in memory during a syscall. Such parameter may be used later by the kernel as an index to an array or to derive a pointer for a Spectre variant 1 attack. The index or pointer is invalid, but bound checks are bypassed in the code branch taken for speculative execution. This could cause privileged memory to be accessed and leaked. For kernel code that has been identified where data pointers could potentially be influenced for Spectre attacks, new "nospec" accessor macros are used to prevent speculative loading of data. h](h)}(hXThe attacker passes a parameter to the kernel via a register or via a known address in memory during a syscall. Such parameter may be used later by the kernel as an index to an array or to derive a pointer for a Spectre variant 1 attack. The index or pointer is invalid, but bound checks are bypassed in the code branch taken for speculative execution. This could cause privileged memory to be accessed and leaked.h]hXThe attacker passes a parameter to the kernel via a register or via a known address in memory during a syscall. Such parameter may be used later by the kernel as an index to an array or to derive a pointer for a Spectre variant 1 attack. The index or pointer is invalid, but bound checks are bypassed in the code branch taken for speculative execution. This could cause privileged memory to be accessed and leaked.}(hj*hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj&ubh)}(hFor kernel code that has been identified where data pointers could potentially be influenced for Spectre attacks, new "nospec" accessor macros are used to prevent speculative loading of data.h]hFor kernel code that has been identified where data pointers could potentially be influenced for Spectre attacks, new “nospec” accessor macros are used to prevent speculative loading of data.}(hj8hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj&ubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubeh}(h]spectre-variant-1ah ]h"]h$]spectre variant 1ah&]uh1hhjhhhhhK referencedKubh)}(hhh](h)}(hSpectre variant 1 (swapgs)h]hSpectre variant 1 (swapgs)}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjUhhhhhKubj)}(hXAn attacker can train the branch predictor to speculatively skip the swapgs path for an interrupt or exception. If they initialize the GS register to a user-space value, if the swapgs is speculatively skipped, subsequent GS-related percpu accesses in the speculation window will be done with the attacker-controlled GS value. This could cause privileged memory to be accessed and leaked. For example: :: if (coming from user space) swapgs mov %gs:, %reg mov (%reg), %reg1 When coming from user space, the CPU can speculatively skip the swapgs, and then do a speculative percpu load using the user GS value. So the user can speculatively force a read of any kernel value. If a gadget exists which uses the percpu value as an address in another load/store, then the contents of the kernel value may become visible via an L1 side channel attack. A similar attack exists when coming from kernel space. The CPU can speculatively do the swapgs, causing the user GS to get used for the rest of the speculative window. h](h)}(hXAn attacker can train the branch predictor to speculatively skip the swapgs path for an interrupt or exception. If they initialize the GS register to a user-space value, if the swapgs is speculatively skipped, subsequent GS-related percpu accesses in the speculation window will be done with the attacker-controlled GS value. This could cause privileged memory to be accessed and leaked.h]hXAn attacker can train the branch predictor to speculatively skip the swapgs path for an interrupt or exception. If they initialize the GS register to a user-space value, if the swapgs is speculatively skipped, subsequent GS-related percpu accesses in the speculation window will be done with the attacker-controlled GS value. This could cause privileged memory to be accessed and leaked.}(hjjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjfubh)}(h For example:h]h For example:}(hjxhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjfubh literal_block)}(hVif (coming from user space) swapgs mov %gs:, %reg mov (%reg), %reg1h]hVif (coming from user space) swapgs mov %gs:, %reg mov (%reg), %reg1}hjsbah}(h]h ]h"]h$]h&]hhuh1jhhhKhjfubh)}(hXtWhen coming from user space, the CPU can speculatively skip the swapgs, and then do a speculative percpu load using the user GS value. So the user can speculatively force a read of any kernel value. If a gadget exists which uses the percpu value as an address in another load/store, then the contents of the kernel value may become visible via an L1 side channel attack.h]hXtWhen coming from user space, the CPU can speculatively skip the swapgs, and then do a speculative percpu load using the user GS value. So the user can speculatively force a read of any kernel value. If a gadget exists which uses the percpu value as an address in another load/store, then the contents of the kernel value may become visible via an L1 side channel attack.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjfubh)}(hA similar attack exists when coming from kernel space. The CPU can speculatively do the swapgs, causing the user GS to get used for the rest of the speculative window.h]hA similar attack exists when coming from kernel space. The CPU can speculatively do the swapgs, causing the user GS to get used for the rest of the speculative window.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjfubeh}(h]h ]h"]h$]h&]uh1jhhhKhjUhhubeh}(h]spectre-variant-1-swapgsah ]h"]spectre variant 1 (swapgs)ah$]h&]uh1hhjhhhhhKubh)}(hhh](h)}(hSpectre variant 2h]hSpectre variant 2}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubj)}(hXVA spectre variant 2 attacker can :ref:`poison ` the branch target buffer (BTB) before issuing syscall to launch an attack. After entering the kernel, the kernel could use the poisoned branch target buffer on indirect jump and jump to gadget code in speculative execution. If an attacker tries to control the memory addresses leaked during speculative execution, he would also need to pass a parameter to the gadget, either through a register or a known address in memory. After the gadget has executed, he can measure the side effect. The kernel can protect itself against consuming poisoned branch target buffer entries by using return trampolines (also known as "retpoline") :ref:`[3] ` :ref:`[9] ` for all indirect branches. Return trampolines trap speculative execution paths to prevent jumping to gadget code during speculative execution. x86 CPUs with Enhanced Indirect Branch Restricted Speculation (Enhanced IBRS) available in hardware should use the feature to mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is more efficient than retpoline. There may be gadget code in firmware which could be exploited with Spectre variant 2 attack by a rogue user process. To mitigate such attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature is turned on before the kernel invokes any firmware code. h](h)}(hXA spectre variant 2 attacker can :ref:`poison ` the branch target buffer (BTB) before issuing syscall to launch an attack. After entering the kernel, the kernel could use the poisoned branch target buffer on indirect jump and jump to gadget code in speculative execution.h](h!A spectre variant 2 attacker can }(hjhhhNhNubh)}(h:ref:`poison `h]j)}(hjh]hpoison}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj poison_btbuh1hhhhKhjubh the branch target buffer (BTB) before issuing syscall to launch an attack. After entering the kernel, the kernel could use the poisoned branch target buffer on indirect jump and jump to gadget code in speculative execution.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hXIf an attacker tries to control the memory addresses leaked during speculative execution, he would also need to pass a parameter to the gadget, either through a register or a known address in memory. After the gadget has executed, he can measure the side effect.h]hXIf an attacker tries to control the memory addresses leaked during speculative execution, he would also need to pass a parameter to the gadget, either through a register or a known address in memory. After the gadget has executed, he can measure the side effect.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hX)The kernel can protect itself against consuming poisoned branch target buffer entries by using return trampolines (also known as "retpoline") :ref:`[3] ` :ref:`[9] ` for all indirect branches. Return trampolines trap speculative execution paths to prevent jumping to gadget code during speculative execution. x86 CPUs with Enhanced Indirect Branch Restricted Speculation (Enhanced IBRS) available in hardware should use the feature to mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is more efficient than retpoline.h](hThe kernel can protect itself against consuming poisoned branch target buffer entries by using return trampolines (also known as “retpoline”) }(hjhhhNhNubh)}(h:ref:`[3] `h]j)}(hjh]h[3]}(hj!hhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainj+reftyperef refexplicitrefwarnj spec_ref3uh1hhhhKhjubh }(hjhhhNhNubh)}(h:ref:`[9] `h]j)}(hjCh]h[9]}(hjEhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjAubah}(h]h ]h"]h$]h&]refdocj refdomainjOreftyperef refexplicitrefwarnj spec_ref9uh1hhhhKhjubhXn for all indirect branches. Return trampolines trap speculative execution paths to prevent jumping to gadget code during speculative execution. x86 CPUs with Enhanced Indirect Branch Restricted Speculation (Enhanced IBRS) available in hardware should use the feature to mitigate Spectre variant 2 instead of retpoline. Enhanced IBRS is more efficient than retpoline.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hXThere may be gadget code in firmware which could be exploited with Spectre variant 2 attack by a rogue user process. To mitigate such attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature is turned on before the kernel invokes any firmware code.h]hXThere may be gadget code in firmware which could be exploited with Spectre variant 2 attack by a rogue user process. To mitigate such attacks on x86, Indirect Branch Restricted Speculation (IBRS) feature is turned on before the kernel invokes any firmware code.}(hjkhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubeh}(h]spectre-variant-2ah ]h"]h$]spectre variant 2ah&]uh1hhjhhhhhKjTKubeh}(h]#a-user-process-attacking-the-kernelah ]h"]&1. a user process attacking the kernelah$]h&]uh1hhjhhhhhKubh)}(hhh](h)}(h02. A user process attacking another user processh]h02. A user process attacking another user process}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKubj)}(hXRA malicious user process can try to attack another user process, either via a context switch on the same hardware thread, or from the sibling hyperthread sharing a physical processor core on simultaneous multi-threading (SMT) system. Spectre variant 1 attacks generally require passing parameters between the processes, which needs a data passing relationship, such as remote procedure calls (RPC). Those parameters are used in gadget code to derive invalid data pointers accessing privileged memory in the attacked process. Spectre variant 2 attacks can be launched from a rogue process by :ref:`poisoning ` the branch target buffer. This can influence the indirect branch targets for a victim process that either runs later on the same hardware thread, or running concurrently on a sibling hardware thread sharing the same physical core. A user process can protect itself against Spectre variant 2 attacks by using the prctl() syscall to disable indirect branch speculation for itself. An administrator can also cordon off an unsafe process from polluting the branch target buffer by disabling the process's indirect branch speculation. This comes with a performance cost from not using indirect branch speculation and clearing the branch target buffer. When SMT is enabled on x86, for a process that has indirect branch speculation disabled, Single Threaded Indirect Branch Predictors (STIBP) :ref:`[4] ` are turned on to prevent the sibling thread from controlling branch target buffer. In addition, the Indirect Branch Prediction Barrier (IBPB) is issued to clear the branch target buffer when context switching to and from such process. On x86, the return stack buffer is stuffed on context switch. This prevents the branch target buffer from being used for branch prediction when the return stack buffer underflows while switching to a deeper call stack. Any poisoned entries in the return stack buffer left by the previous process will also be cleared. User programs should use address space randomization to make attacks more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2). h](h)}(hA malicious user process can try to attack another user process, either via a context switch on the same hardware thread, or from the sibling hyperthread sharing a physical processor core on simultaneous multi-threading (SMT) system.h]hA malicious user process can try to attack another user process, either via a context switch on the same hardware thread, or from the sibling hyperthread sharing a physical processor core on simultaneous multi-threading (SMT) system.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hX#Spectre variant 1 attacks generally require passing parameters between the processes, which needs a data passing relationship, such as remote procedure calls (RPC). Those parameters are used in gadget code to derive invalid data pointers accessing privileged memory in the attacked process.h]hX#Spectre variant 1 attacks generally require passing parameters between the processes, which needs a data passing relationship, such as remote procedure calls (RPC). Those parameters are used in gadget code to derive invalid data pointers accessing privileged memory in the attacked process.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hXGSpectre variant 2 attacks can be launched from a rogue process by :ref:`poisoning ` the branch target buffer. This can influence the indirect branch targets for a victim process that either runs later on the same hardware thread, or running concurrently on a sibling hardware thread sharing the same physical core.h](hBSpectre variant 2 attacks can be launched from a rogue process by }(hjhhhNhNubh)}(h:ref:`poisoning `h]j)}(hjh]h poisoning}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj poison_btbuh1hhhhKhjubh the branch target buffer. This can influence the indirect branch targets for a victim process that either runs later on the same hardware thread, or running concurrently on a sibling hardware thread sharing the same physical core.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hX0A user process can protect itself against Spectre variant 2 attacks by using the prctl() syscall to disable indirect branch speculation for itself. An administrator can also cordon off an unsafe process from polluting the branch target buffer by disabling the process's indirect branch speculation. This comes with a performance cost from not using indirect branch speculation and clearing the branch target buffer. When SMT is enabled on x86, for a process that has indirect branch speculation disabled, Single Threaded Indirect Branch Predictors (STIBP) :ref:`[4] ` are turned on to prevent the sibling thread from controlling branch target buffer. In addition, the Indirect Branch Prediction Barrier (IBPB) is issued to clear the branch target buffer when context switching to and from such process.h](hX0A user process can protect itself against Spectre variant 2 attacks by using the prctl() syscall to disable indirect branch speculation for itself. An administrator can also cordon off an unsafe process from polluting the branch target buffer by disabling the process’s indirect branch speculation. This comes with a performance cost from not using indirect branch speculation and clearing the branch target buffer. When SMT is enabled on x86, for a process that has indirect branch speculation disabled, Single Threaded Indirect Branch Predictors (STIBP) }(hjhhhNhNubh)}(h:ref:`[4] `h]j)}(hjh]h[4]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref4uh1hhhhKhjubh are turned on to prevent the sibling thread from controlling branch target buffer. In addition, the Indirect Branch Prediction Barrier (IBPB) is issued to clear the branch target buffer when context switching to and from such process.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hX=On x86, the return stack buffer is stuffed on context switch. This prevents the branch target buffer from being used for branch prediction when the return stack buffer underflows while switching to a deeper call stack. Any poisoned entries in the return stack buffer left by the previous process will also be cleared.h]hX=On x86, the return stack buffer is stuffed on context switch. This prevents the branch target buffer from being used for branch prediction when the return stack buffer underflows while switching to a deeper call stack. Any poisoned entries in the return stack buffer left by the previous process will also be cleared.}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubh)}(hUser programs should use address space randomization to make attacks more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2).h]hUser programs should use address space randomization to make attacks more difficult (Set /proc/sys/kernel/randomize_va_space = 1 or 2).}(hj2hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hjubeh}(h]h ]h"]h$]h&]uh1jhhhKhjhhubeh}(h]-a-user-process-attacking-another-user-processah ]h"]02. a user process attacking another user processah$]h&]uh1hhjhhhhhKubh)}(hhh](h)}(h)3. A virtualized guest attacking the hosth]h)3. A virtualized guest attacking the host}(hjQhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjNhhhhhMubj)}(hXkThe attack mechanism is similar to how user processes attack the kernel. The kernel is entered via hyper-calls or other virtualization exit paths. For Spectre variant 1 attacks, rogue guests can pass parameters (e.g. in registers) via hyper-calls to derive invalid pointers to speculate into privileged memory after entering the kernel. For places where such kernel code has been identified, nospec accessor macros are used to stop speculative memory access. For Spectre variant 2 attacks, rogue guests can :ref:`poison ` the branch target buffer or return stack buffer, causing the kernel to jump to gadget code in the speculative execution paths. To mitigate variant 2, the host kernel can use return trampolines for indirect branches to bypass the poisoned branch target buffer, and flushing the return stack buffer on VM exit. This prevents rogue guests from affecting indirect branching in the host kernel. To protect host processes from rogue guests, host processes can have indirect branch speculation disabled via prctl(). The branch target buffer is cleared before context switching to such processes. h](h)}(hThe attack mechanism is similar to how user processes attack the kernel. The kernel is entered via hyper-calls or other virtualization exit paths.h]hThe attack mechanism is similar to how user processes attack the kernel. The kernel is entered via hyper-calls or other virtualization exit paths.}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj_ubh)}(hX8For Spectre variant 1 attacks, rogue guests can pass parameters (e.g. in registers) via hyper-calls to derive invalid pointers to speculate into privileged memory after entering the kernel. For places where such kernel code has been identified, nospec accessor macros are used to stop speculative memory access.h]hX8For Spectre variant 1 attacks, rogue guests can pass parameters (e.g. in registers) via hyper-calls to derive invalid pointers to speculate into privileged memory after entering the kernel. For places where such kernel code has been identified, nospec accessor macros are used to stop speculative memory access.}(hjqhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj_ubh)}(hFor Spectre variant 2 attacks, rogue guests can :ref:`poison ` the branch target buffer or return stack buffer, causing the kernel to jump to gadget code in the speculative execution paths.h](h0For Spectre variant 2 attacks, rogue guests can }(hjhhhNhNubh)}(h:ref:`poison `h]j)}(hjh]hpoison}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj poison_btbuh1hhhhMhjubh the branch target buffer or return stack buffer, causing the kernel to jump to gadget code in the speculative execution paths.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj_ubh)}(hXTo mitigate variant 2, the host kernel can use return trampolines for indirect branches to bypass the poisoned branch target buffer, and flushing the return stack buffer on VM exit. This prevents rogue guests from affecting indirect branching in the host kernel.h]hXTo mitigate variant 2, the host kernel can use return trampolines for indirect branches to bypass the poisoned branch target buffer, and flushing the return stack buffer on VM exit. This prevents rogue guests from affecting indirect branching in the host kernel.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hj_ubh)}(hTo protect host processes from rogue guests, host processes can have indirect branch speculation disabled via prctl(). The branch target buffer is cleared before context switching to such processes.h]hTo protect host processes from rogue guests, host processes can have indirect branch speculation disabled via prctl(). The branch target buffer is cleared before context switching to such processes.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM%hj_ubeh}(h]h ]h"]h$]h&]uh1jhhhMhjNhhubeh}(h]&a-virtualized-guest-attacking-the-hostah ]h"])3. a virtualized guest attacking the hostah$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(h,4. A virtualized guest attacking other guesth]h,4. A virtualized guest attacking other guest}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhM*ubj)}(hXA rogue guest may attack another guest to get data accessible by the other guest. Spectre variant 1 attacks are possible if parameters can be passed between guests. This may be done via mechanisms such as shared memory or message passing. Such parameters could be used to derive data pointers to privileged data in guest. The privileged data could be accessed by gadget code in the victim's speculation paths. Spectre variant 2 attacks can be launched from a rogue guest by :ref:`poisoning ` the branch target buffer or the return stack buffer. Such poisoned entries could be used to influence speculation execution paths in the victim guest. Linux kernel mitigates attacks to other guests running in the same CPU hardware thread by flushing the return stack buffer on VM exit, and clearing the branch target buffer before switching to a new guest. If SMT is used, Spectre variant 2 attacks from an untrusted guest in the sibling hyperthread can be mitigated by the administrator, by turning off the unsafe guest's indirect branch speculation via prctl(). A guest can also protect itself by turning on microcode based mitigations (such as IBPB or STIBP on x86) within the guest. h](h)}(hQA rogue guest may attack another guest to get data accessible by the other guest.h]hQA rogue guest may attack another guest to get data accessible by the other guest.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM,hjubh)}(hXJSpectre variant 1 attacks are possible if parameters can be passed between guests. This may be done via mechanisms such as shared memory or message passing. Such parameters could be used to derive data pointers to privileged data in guest. The privileged data could be accessed by gadget code in the victim's speculation paths.h]hXLSpectre variant 1 attacks are possible if parameters can be passed between guests. This may be done via mechanisms such as shared memory or message passing. Such parameters could be used to derive data pointers to privileged data in guest. The privileged data could be accessed by gadget code in the victim’s speculation paths.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM/hjubh)}(hSpectre variant 2 attacks can be launched from a rogue guest by :ref:`poisoning ` the branch target buffer or the return stack buffer. Such poisoned entries could be used to influence speculation execution paths in the victim guest.h](h@Spectre variant 2 attacks can be launched from a rogue guest by }(hj hhhNhNubh)}(h:ref:`poisoning `h]j)}(hj h]h poisoning}(hj hhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]refdocj refdomainj" reftyperef refexplicitrefwarnj poison_btbuh1hhhhM5hj ubh the branch target buffer or the return stack buffer. Such poisoned entries could be used to influence speculation execution paths in the victim guest.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM5hjubh)}(hLinux kernel mitigates attacks to other guests running in the same CPU hardware thread by flushing the return stack buffer on VM exit, and clearing the branch target buffer before switching to a new guest.h]hLinux kernel mitigates attacks to other guests running in the same CPU hardware thread by flushing the return stack buffer on VM exit, and clearing the branch target buffer before switching to a new guest.}(hj> hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM:hjubh)}(hXJIf SMT is used, Spectre variant 2 attacks from an untrusted guest in the sibling hyperthread can be mitigated by the administrator, by turning off the unsafe guest's indirect branch speculation via prctl(). A guest can also protect itself by turning on microcode based mitigations (such as IBPB or STIBP on x86) within the guest.h]hXLIf SMT is used, Spectre variant 2 attacks from an untrusted guest in the sibling hyperthread can be mitigated by the administrator, by turning off the unsafe guest’s indirect branch speculation via prctl(). A guest can also protect itself by turning on microcode based mitigations (such as IBPB or STIBP on x86) within the guest.}(hjL hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM>hjubeh}(h]h ]h"]h$]h&]uh1jhhhM,hjhhubjS)}(h.. _spectre_sys_info:h]h}(h]h ]h"]h$]h&]j^spectre-sys-infouh1jRhMDhjhhhhubeh}(h])a-virtualized-guest-attacking-other-guestah ]h"],4. a virtualized guest attacking other guestah$]h&]uh1hhjhhhhhM*ubeh}(h]attack-scenariosah ]h"]attack scenariosah$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(hSpectre system informationh]hSpectre system information}(hj~ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj{ hhhhhMGubh)}(hThe Linux kernel provides a sysfs interface to enumerate the current mitigation status of the system for Spectre: whether the system is vulnerable, and which mitigations are active.h]hThe Linux kernel provides a sysfs interface to enumerate the current mitigation status of the system for Spectre: whether the system is vulnerable, and which mitigations are active.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMIhj{ hhubh)}(h>The sysfs file showing Spectre variant 1 mitigation status is:h]h>The sysfs file showing Spectre variant 1 mitigation status is:}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMMhj{ hhubj)}(h3/sys/devices/system/cpu/vulnerabilities/spectre_v1 h]h)}(h2/sys/devices/system/cpu/vulnerabilities/spectre_v1h]h2/sys/devices/system/cpu/vulnerabilities/spectre_v1}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMOhj ubah}(h]h ]h"]h$]h&]uh1jhhhMOhj{ hhubh)}(h%The possible values in this file are:h]h%The possible values in this file are:}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMQhj{ hhubj)}(hXT.. list-table:: * - 'Not affected' - The processor is not vulnerable. * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers' - The swapgs protections are disabled; otherwise it has protection in the kernel on a case by case base with explicit pointer sanitation and usercopy LFENCE barriers. * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' - Protection in the kernel on a case by case base with explicit pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE barriers. h]j:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK2uh1jChj ubjD)}(hhh]h}(h]h ]h"]h$]h&]j K2uh1jChj ubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(h'Not affected'h]h‘Not affected’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMUhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(h The processor is not vulnerable.h]h The processor is not vulnerable.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMVhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(hX'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'h]h\‘Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers’}(hj+ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMWhj( ubah}(h]h ]h"]h$]h&]uh1jmhj% ubjn)}(hhh]h)}(hThe swapgs protections are disabled; otherwise it has protection in the kernel on a case by case base with explicit pointer sanitation and usercopy LFENCE barriers.h]hThe swapgs protections are disabled; otherwise it has protection in the kernel on a case by case base with explicit pointer sanitation and usercopy LFENCE barriers.}(hjB hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMXhj? ubah}(h]h ]h"]h$]h&]uh1jmhj% ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(hF'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'h]hJ‘Mitigation: usercopy/swapgs barriers and __user pointer sanitization’}(hjb hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM[hj_ ubah}(h]h ]h"]h$]h&]uh1jmhj\ ubjn)}(hhh]h)}(hProtection in the kernel on a case by case base with explicit pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE barriers.h]hProtection in the kernel on a case by case base with explicit pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE barriers.}(hjy hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM\hjv ubah}(h]h ]h"]h$]h&]uh1jmhj\ ubeh}(h]h ]h"]h$]h&]uh1jhhj ubeh}(h]h ]h"]h$]h&]uh1jchj ubeh}(h]h ]h"]h$]h&]colsKuh1j>hj ubah}(h]h ]h"]h$]h&]uh1j9hj ubah}(h]h ]h"]h$]h&]uh1jhhhMShj{ hhubh)}(hHowever, the protections are put in place on a case by case basis, and there is no guarantee that all possible attack vectors for Spectre variant 1 are covered.h]hHowever, the protections are put in place on a case by case basis, and there is no guarantee that all possible attack vectors for Spectre variant 1 are covered.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM`hj{ hhubh)}(hThe spectre_v2 kernel file reports if the kernel has been compiled with retpoline mitigation or if the CPU has hardware mitigation, and if the CPU has support for additional process-specific mitigation.h]hThe spectre_v2 kernel file reports if the kernel has been compiled with retpoline mitigation or if the CPU has hardware mitigation, and if the CPU has support for additional process-specific mitigation.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMdhj{ hhubh)}(hcThis file also reports CPU features enabled by microcode to mitigate attack between user processes:h]hcThis file also reports CPU features enabled by microcode to mitigate attack between user processes:}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhhj{ hhubhenumerated_list)}(hhh](j )}(hkIndirect Branch Prediction Barrier (IBPB) to add additional isolation between processes of different users.h]h)}(hkIndirect Branch Prediction Barrier (IBPB) to add additional isolation between processes of different users.h]hkIndirect Branch Prediction Barrier (IBPB) to add additional isolation between processes of different users.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMkhj ubah}(h]h ]h"]h$]h&]uh1jhj hhhhhNubj )}(h{Single Thread Indirect Branch Predictors (STIBP) to add additional isolation between CPU threads running on the same core. h]h)}(hzSingle Thread Indirect Branch Predictors (STIBP) to add additional isolation between CPU threads running on the same core.h]hzSingle Thread Indirect Branch Predictors (STIBP) to add additional isolation between CPU threads running on the same core.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMmhj ubah}(h]h ]h"]h$]h&]uh1jhj hhhhhNubeh}(h]h ]h"]h$]h&]enumtypearabicprefixhsuffix.uh1j hj{ hhhhhMkubh)}(hjThese CPU features may impact performance when used and can be enabled per process on a case-by-case base.h]hjThese CPU features may impact performance when used and can be enabled per process on a case-by-case base.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMphj{ hhubh)}(h>The sysfs file showing Spectre variant 2 mitigation status is:h]h>The sysfs file showing Spectre variant 2 mitigation status is:}(hj$ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMshj{ hhubj)}(h3/sys/devices/system/cpu/vulnerabilities/spectre_v2 h]h)}(h2/sys/devices/system/cpu/vulnerabilities/spectre_v2h]h2/sys/devices/system/cpu/vulnerabilities/spectre_v2}(hj6 hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMuhj2 ubah}(h]h ]h"]h$]h&]uh1jhhhMuhj{ hhubh)}(h%The possible values in this file are:h]h%The possible values in this file are:}(hjJ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMwhj{ hhubj)}(hXb - Kernel status: ======================================== ================================= 'Not affected' The processor is not vulnerable 'Mitigation: None' Vulnerable, no mitigation 'Mitigation: Retpolines' Use Retpoline thunks 'Mitigation: LFENCE' Use LFENCE instructions 'Mitigation: Enhanced IBRS' Hardware-focused mitigation 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE ======================================== ================================= - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is used to protect against Spectre variant 2 attacks when calling firmware (x86 only). ========== ============================================================= 'IBRS_FW' Protection against user program attacks when calling firmware ========== ============================================================= - Indirect branch prediction barrier (IBPB) status for protection between processes of different users. This feature can be controlled through prctl() per process, or through kernel command line options. This is an x86 only feature. For more details see below. =================== ======================================================== 'IBPB: disabled' IBPB unused 'IBPB: always-on' Use IBPB on all tasks 'IBPB: conditional' Use IBPB on SECCOMP or indirect branch restricted tasks =================== ======================================================== - Single threaded indirect branch prediction (STIBP) status for protection between different hyper threads. This feature can be controlled through prctl per process, or through kernel command line options. This is x86 only feature. For more details see below. ==================== ======================================================== 'STIBP: disabled' STIBP unused 'STIBP: forced' Use STIBP on all tasks 'STIBP: conditional' Use STIBP on SECCOMP or indirect branch restricted tasks ==================== ======================================================== - Return stack buffer (RSB) protection status: ============= =========================================== 'RSB filling' Protection of RSB on context switch enabled ============= =========================================== - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status: =========================== ======================================================= 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB =========================== ======================================================= - Branch History Injection (BHI) protection status: h](j)}(hhh]j )}(hKernel status: h]h)}(hKernel status:h]hKernel status:}(hjc hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMyhj_ ubah}(h]h ]h"]h$]h&]uh1jhj\ ubah}(h]h ]h"]h$]h&]jjuh1jhhhMyhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK(uh1jChj ubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK!uh1jChj ubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(h'Not affected'h]h‘Not affected’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM|hj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(hThe processor is not vulnerableh]hThe processor is not vulnerable}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM|hj ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'Mitigation: None'h]h‘Mitigation: None’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM}hj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(hVulnerable, no mitigationh]hVulnerable, no mitigation}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM}hj ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'Mitigation: Retpolines'h]h‘Mitigation: Retpolines’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM~hj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(hUse Retpoline thunksh]hUse Retpoline thunks}(hj% hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM~hj" ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'Mitigation: LFENCE'h]h‘Mitigation: LFENCE’}(hjE hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjB ubah}(h]h ]h"]h$]h&]uh1jmhj? ubjn)}(hhh]h)}(hUse LFENCE instructionsh]hUse LFENCE instructions}(hj\ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjY ubah}(h]h ]h"]h$]h&]uh1jmhj? ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'Mitigation: Enhanced IBRS'h]h‘Mitigation: Enhanced IBRS’}(hj| hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjy ubah}(h]h ]h"]h$]h&]uh1jmhjv ubjn)}(hhh]h)}(hHardware-focused mitigationh]hHardware-focused mitigation}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhjv ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h('Mitigation: Enhanced IBRS + Retpolines'h]h,‘Mitigation: Enhanced IBRS + Retpolines’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(hHardware-focused + Retpolinesh]hHardware-focused + Retpolines}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h$'Mitigation: Enhanced IBRS + LFENCE'h]h(‘Mitigation: Enhanced IBRS + LFENCE’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(hHardware-focused + LFENCEh]hHardware-focused + LFENCE}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubeh}(h]h ]h"]h$]h&]uh1jchj ubeh}(h]h ]h"]h$]h&]colsKuh1j>hj} ubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(hFirmware status: Show if Indirect Branch Restricted Speculation (IBRS) is used to protect against Spectre variant 2 attacks when calling firmware (x86 only). h]h)}(hFirmware status: Show if Indirect Branch Restricted Speculation (IBRS) is used to protect against Spectre variant 2 attacks when calling firmware (x86 only).h]hFirmware status: Show if Indirect Branch Restricted Speculation (IBRS) is used to protect against Spectre variant 2 attacks when calling firmware (x86 only).}(hj5 hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj1 ubah}(h]h ]h"]h$]h&]uh1jhj. ubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK uh1jChjR ubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK=uh1jChjR ubjd)}(hhh]ji)}(hhh](jn)}(hhh]h)}(h 'IBRS_FW'h]h ‘IBRS_FW’}(hjr hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjo ubah}(h]h ]h"]h$]h&]uh1jmhjl ubjn)}(hhh]h)}(h=Protection against user program attacks when calling firmwareh]h=Protection against user program attacks when calling firmware}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhjl ubeh}(h]h ]h"]h$]h&]uh1jhhji ubah}(h]h ]h"]h$]h&]uh1jchjR ubeh}(h]h ]h"]h$]h&]colsKuh1j>hjO ubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(hXIndirect branch prediction barrier (IBPB) status for protection between processes of different users. This feature can be controlled through prctl() per process, or through kernel command line options. This is an x86 only feature. For more details see below. h]h)}(hXIndirect branch prediction barrier (IBPB) status for protection between processes of different users. This feature can be controlled through prctl() per process, or through kernel command line options. This is an x86 only feature. For more details see below.h]hXIndirect branch prediction barrier (IBPB) status for protection between processes of different users. This feature can be controlled through prctl() per process, or through kernel command line options. This is an x86 only feature. For more details see below.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthKuh1jChj ubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK8uh1jChj ubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(h'IBPB: disabled'h]h‘IBPB: disabled’}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhj ubjn)}(hhh]h)}(h IBPB unusedh]h IBPB unused}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhj ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'IBPB: always-on'h]h‘IBPB: always-on’}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj.ubah}(h]h ]h"]h$]h&]uh1jmhj+ubjn)}(hhh]h)}(hUse IBPB on all tasksh]hUse IBPB on all tasks}(hjHhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjEubah}(h]h ]h"]h$]h&]uh1jmhj+ubeh}(h]h ]h"]h$]h&]uh1jhhj ubji)}(hhh](jn)}(hhh]h)}(h'IBPB: conditional'h]h‘IBPB: conditional’}(hjhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjeubah}(h]h ]h"]h$]h&]uh1jmhjbubjn)}(hhh]h)}(h7Use IBPB on SECCOMP or indirect branch restricted tasksh]h7Use IBPB on SECCOMP or indirect branch restricted tasks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj|ubah}(h]h ]h"]h$]h&]uh1jmhjbubeh}(h]h ]h"]h$]h&]uh1jhhj ubeh}(h]h ]h"]h$]h&]uh1jchj ubeh}(h]h ]h"]h$]h&]colsKuh1j>hj ubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(hXSingle threaded indirect branch prediction (STIBP) status for protection between different hyper threads. This feature can be controlled through prctl per process, or through kernel command line options. This is x86 only feature. For more details see below. h]h)}(hXSingle threaded indirect branch prediction (STIBP) status for protection between different hyper threads. This feature can be controlled through prctl per process, or through kernel command line options. This is x86 only feature. For more details see below.h]hXSingle threaded indirect branch prediction (STIBP) status for protection between different hyper threads. This feature can be controlled through prctl per process, or through kernel command line options. This is x86 only feature. For more details see below.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthKuh1jChjubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK8uh1jChjubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(h'STIBP: disabled'h]h‘STIBP: disabled’}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(h STIBP unusedh]h STIBP unused}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjubji)}(hhh](jn)}(hhh]h)}(h'STIBP: forced'h]h‘STIBP: forced’}(hj'hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj$ubah}(h]h ]h"]h$]h&]uh1jmhj!ubjn)}(hhh]h)}(hUse STIBP on all tasksh]hUse STIBP on all tasks}(hj>hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj;ubah}(h]h ]h"]h$]h&]uh1jmhj!ubeh}(h]h ]h"]h$]h&]uh1jhhjubji)}(hhh](jn)}(hhh]h)}(h'STIBP: conditional'h]h‘STIBP: conditional’}(hj^hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj[ubah}(h]h ]h"]h$]h&]uh1jmhjXubjn)}(hhh]h)}(h8Use STIBP on SECCOMP or indirect branch restricted tasksh]h8Use STIBP on SECCOMP or indirect branch restricted tasks}(hjuhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjrubah}(h]h ]h"]h$]h&]uh1jmhjXubeh}(h]h ]h"]h$]h&]uh1jhhjubeh}(h]h ]h"]h$]h&]uh1jchjubeh}(h]h ]h"]h$]h&]colsKuh1j>hjubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(h-Return stack buffer (RSB) protection status: h]h)}(h,Return stack buffer (RSB) protection status:h]h,Return stack buffer (RSB) protection status:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK uh1jChjubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK+uh1jChjubjd)}(hhh]ji)}(hhh](jn)}(hhh]h)}(h 'RSB filling'h]h‘RSB filling’}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(h+Protection of RSB on context switch enabledh]h+Protection of RSB on context switch enabled}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjubah}(h]h ]h"]h$]h&]uh1jchjubeh}(h]h ]h"]h$]h&]colsKuh1j>hjubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(hBEIBRS Post-barrier Return Stack Buffer (PBRSB) protection status: h]h)}(hAEIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:h]hAEIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj-ubah}(h]h ]h"]h$]h&]uh1jhj*ubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]colwidthKuh1jChjNubjD)}(hhh]h}(h]h ]h"]h$]h&]colwidthK7uh1jChjNubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(h'PBRSB-eIBRS: SW sequence'h]h‘PBRSB-eIBRS: SW sequence’}(hjnhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjkubah}(h]h ]h"]h$]h&]uh1jmhjhubjn)}(hhh]h)}(h7CPU is affected and protection of RSB on VMEXIT enabledh]h7CPU is affected and protection of RSB on VMEXIT enabled}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjhubeh}(h]h ]h"]h$]h&]uh1jhhjeubji)}(hhh](jn)}(hhh]h)}(h'PBRSB-eIBRS: Vulnerable'h]h‘PBRSB-eIBRS: Vulnerable’}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hCPU is vulnerableh]hCPU is vulnerable}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjeubji)}(hhh](jn)}(hhh]h)}(h'PBRSB-eIBRS: Not affected'h]h‘PBRSB-eIBRS: Not affected’}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(hCPU is not affected by PBRSBh]hCPU is not affected by PBRSB}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhjeubeh}(h]h ]h"]h$]h&]uh1jchjNubeh}(h]h ]h"]h$]h&]colsKuh1j>hjKubah}(h]h ]h"]h$]h&]uh1j9hjX ubj)}(hhh]j )}(h2Branch History Injection (BHI) protection status: h]h)}(h1Branch History Injection (BHI) protection status:h]h1Branch History Injection (BHI) protection status:}(hj'hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj#ubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]jjuh1jhhhMhjX ubeh}(h]h ]h"]h$]h&]uh1jhhhMyhj{ hhubj:)}(hhh]j?)}(hhh](jD)}(hhh]h}(h]h ]h"]h$]h&]j K2uh1jChjJubjD)}(hhh]h}(h]h ]h"]h$]h&]j K2uh1jChjJubjd)}(hhh](ji)}(hhh](jn)}(hhh]h)}(hBHI: Not affectedh]hBHI: Not affected}(hjhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjeubah}(h]h ]h"]h$]h&]uh1jmhjbubjn)}(hhh]h)}(hSystem is not affectedh]hSystem is not affected}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj|ubah}(h]h ]h"]h$]h&]uh1jmhjbubeh}(h]h ]h"]h$]h&]uh1jhhj_ubji)}(hhh](jn)}(hhh]h)}(hBHI: Retpolineh]hBHI: Retpoline}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(h System is protected by retpolineh]h System is protected by retpoline}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhj_ubji)}(hhh](jn)}(hhh]h)}(hBHI: BHI_DIS_Sh]hBHI: BHI_DIS_S}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(h System is protected by BHI_DIS_Sh]h System is protected by BHI_DIS_S}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhj_ubji)}(hhh](jn)}(hhh]h)}(hBHI: SW loop, KVM SW looph]hBHI: SW loop, KVM SW loop}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubah}(h]h ]h"]h$]h&]uh1jmhjubjn)}(hhh]h)}(h1System is protected by software clearing sequenceh]h1System is protected by software clearing sequence}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj!ubah}(h]h ]h"]h$]h&]uh1jmhjubeh}(h]h ]h"]h$]h&]uh1jhhj_ubji)}(hhh](jn)}(hhh]h)}(hBHI: Vulnerableh]hBHI: Vulnerable}(hjDhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjAubah}(h]h ]h"]h$]h&]uh1jmhj>ubjn)}(hhh]h)}(hSystem is vulnerable to BHIh]hSystem is vulnerable to BHI}(hj[hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjXubah}(h]h ]h"]h$]h&]uh1jmhj>ubeh}(h]h ]h"]h$]h&]uh1jhhj_ubji)}(hhh](jn)}(hhh]h)}(hBHI: Vulnerable, KVM: SW looph]hBHI: Vulnerable, KVM: SW loop}(hj{hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjxubah}(h]h ]h"]h$]h&]uh1jmhjuubjn)}(hhh]h)}(hDSystem is vulnerable; KVM is protected by software clearing sequenceh]hDSystem is vulnerable; KVM is protected by software clearing sequence}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubah}(h]h ]h"]h$]h&]uh1jmhjuubeh}(h]h ]h"]h$]h&]uh1jhhj_ubeh}(h]h ]h"]h$]h&]uh1jchjJubeh}(h]h ]h"]h$]h&]colsKuh1j>hjGubah}(h]h ]h"]h$]h&]uh1j9hj{ hhhNhNubh)}(hFull mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability.h]hFull mitigation might require a microcode update from the CPU vendor. When the necessary microcode is not available, the kernel will report vulnerability.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ hhubeh}(h](spectre-system-informationjj eh ]h"](spectre system informationspectre_sys_infoeh$]h&]uh1hhhhhhhhMGjo}jj` sjq}jj j` subh)}(hhh](h)}(hATurning on mitigation for Spectre variant 1 and Spectre variant 2h]hATurning on mitigation for Spectre variant 1 and Spectre variant 2}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(h1. Kernel mitigationh]h1. Kernel mitigation}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(hSpectre variant 1h]hSpectre variant 1}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubj)}(hXFor the Spectre variant 1, vulnerable kernel code (as determined by code audit or scanning tools) is annotated on a case by case basis to use nospec accessor macros for bounds clipping :ref:`[2] ` to avoid any usable disclosure gadgets. However, it may not cover all attack vectors for Spectre variant 1. Copy-from-user code has an LFENCE barrier to prevent the access_ok() check from being mis-speculated. The barrier is done by the barrier_nospec() macro. For the swapgs variant of Spectre variant 1, LFENCE barriers are added to interrupt, exception and NMI entry where needed. These barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and FENCE_SWAPGS_USER_ENTRY macros. h](h)}(hX;For the Spectre variant 1, vulnerable kernel code (as determined by code audit or scanning tools) is annotated on a case by case basis to use nospec accessor macros for bounds clipping :ref:`[2] ` to avoid any usable disclosure gadgets. However, it may not cover all attack vectors for Spectre variant 1.h](hFor the Spectre variant 1, vulnerable kernel code (as determined by code audit or scanning tools) is annotated on a case by case basis to use nospec accessor macros for bounds clipping }(hjhhhNhNubh)}(h:ref:`[2] `h]j)}(hjh]h[2]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainj%reftyperef refexplicitrefwarnj spec_ref2uh1hhhhMhjubhl to avoid any usable disclosure gadgets. However, it may not cover all attack vectors for Spectre variant 1.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubh)}(hCopy-from-user code has an LFENCE barrier to prevent the access_ok() check from being mis-speculated. The barrier is done by the barrier_nospec() macro.h]hCopy-from-user code has an LFENCE barrier to prevent the access_ok() check from being mis-speculated. The barrier is done by the barrier_nospec() macro.}(hjAhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubh)}(hFor the swapgs variant of Spectre variant 1, LFENCE barriers are added to interrupt, exception and NMI entry where needed. These barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and FENCE_SWAPGS_USER_ENTRY macros.h]hFor the swapgs variant of Spectre variant 1, LFENCE barriers are added to interrupt, exception and NMI entry where needed. These barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and FENCE_SWAPGS_USER_ENTRY macros.}(hjOhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubeh}(h]h ]h"]h$]h&]uh1jhhhMhjhhubeh}(h]id1ah ]h"]h$]jRah&]uh1hhjhhhhhMjTKubh)}(hhh](h)}(hSpectre variant 2h]hSpectre variant 2}(hjmhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjjhhhhhMubj)}(hXd For Spectre variant 2 mitigation, the compiler turns indirect calls or jumps in the kernel into equivalent return trampolines (retpolines) :ref:`[3] ` :ref:`[9] ` to go to the target addresses. Speculative execution paths under retpolines are trapped in an infinite loop to prevent any speculative execution jumping to a gadget. To turn on retpoline mitigation on a vulnerable CPU, the kernel needs to be compiled with a gcc compiler that supports the -mindirect-branch=thunk-extern -mindirect-branch-register options. If the kernel is compiled with a Clang compiler, the compiler needs to support -mretpoline-external-thunk option. The kernel config CONFIG_MITIGATION_RETPOLINE needs to be turned on, and the CPU needs to run with the latest updated microcode. On Intel Skylake-era systems the mitigation covers most, but not all, cases. See :ref:`[3] ` for more details. On CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS or enhanced IBRS on x86), retpoline is automatically disabled at run time. Systems which support enhanced IBRS (eIBRS) enable IBRS protection once at boot, by setting the IBRS bit, and they're automatically protected against some Spectre v2 variant attacks. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Systems which support BHI_DIS_S will set it to protect against BHI attacks. On Intel's enhanced IBRS systems, this includes cross-thread branch target injections on SMT systems (STIBP). In other words, Intel eIBRS enables STIBP, too. AMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear the IBRS bit on exit to userspace, therefore both explicitly enable STIBP. The retpoline mitigation is turned on by default on vulnerable CPUs. It can be forced on or off by the administrator via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`. On x86, indirect branch restricted speculation is turned on by default before invoking any firmware code to prevent Spectre variant 2 exploits using the firmware. Using kernel address space randomization (CONFIG_RANDOMIZE_BASE=y and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes attacks on the kernel generally more difficult. h](h)}(hX_For Spectre variant 2 mitigation, the compiler turns indirect calls or jumps in the kernel into equivalent return trampolines (retpolines) :ref:`[3] ` :ref:`[9] ` to go to the target addresses. Speculative execution paths under retpolines are trapped in an infinite loop to prevent any speculative execution jumping to a gadget.h](hFor Spectre variant 2 mitigation, the compiler turns indirect calls or jumps in the kernel into equivalent return trampolines (retpolines) }(hjhhhNhNubh)}(h:ref:`[3] `h]j)}(hjh]h[3]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref3uh1hhhhMhjubh }(hjhhhNhNubh)}(h:ref:`[9] `h]j)}(hjh]h[9]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref9uh1hhhhMhjubh to go to the target addresses. Speculative execution paths under retpolines are trapped in an infinite loop to prevent any speculative execution jumping to a gadget.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hXTo turn on retpoline mitigation on a vulnerable CPU, the kernel needs to be compiled with a gcc compiler that supports the -mindirect-branch=thunk-extern -mindirect-branch-register options. If the kernel is compiled with a Clang compiler, the compiler needs to support -mretpoline-external-thunk option. The kernel config CONFIG_MITIGATION_RETPOLINE needs to be turned on, and the CPU needs to run with the latest updated microcode.h]hXTo turn on retpoline mitigation on a vulnerable CPU, the kernel needs to be compiled with a gcc compiler that supports the -mindirect-branch=thunk-extern -mindirect-branch-register options. If the kernel is compiled with a Clang compiler, the compiler needs to support -mretpoline-external-thunk option. The kernel config CONFIG_MITIGATION_RETPOLINE needs to be turned on, and the CPU needs to run with the latest updated microcode.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hyOn Intel Skylake-era systems the mitigation covers most, but not all, cases. See :ref:`[3] ` for more details.h](hQOn Intel Skylake-era systems the mitigation covers most, but not all, cases. See }(hjhhhNhNubh)}(h:ref:`[3] `h]j)}(hjh]h[3]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref3uh1hhhhMhjubh for more details.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hOn CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS or enhanced IBRS on x86), retpoline is automatically disabled at run time.h]hOn CPUs with hardware mitigation for Spectre variant 2 (e.g. IBRS or enhanced IBRS on x86), retpoline is automatically disabled at run time.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hXSystems which support enhanced IBRS (eIBRS) enable IBRS protection once at boot, by setting the IBRS bit, and they're automatically protected against some Spectre v2 variant attacks. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Systems which support BHI_DIS_S will set it to protect against BHI attacks.h]hXSystems which support enhanced IBRS (eIBRS) enable IBRS protection once at boot, by setting the IBRS bit, and they’re automatically protected against some Spectre v2 variant attacks. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes. Systems which support BHI_DIS_S will set it to protect against BHI attacks.}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hOn Intel's enhanced IBRS systems, this includes cross-thread branch target injections on SMT systems (STIBP). In other words, Intel eIBRS enables STIBP, too.h]hOn Intel’s enhanced IBRS systems, this includes cross-thread branch target injections on SMT systems (STIBP). In other words, Intel eIBRS enables STIBP, too.}(hj1hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hAMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear the IBRS bit on exit to userspace, therefore both explicitly enable STIBP.h]hAMD Automatic IBRS does not protect userspace, and Legacy IBRS systems clear the IBRS bit on exit to userspace, therefore both explicitly enable STIBP.}(hj?hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hThe retpoline mitigation is turned on by default on vulnerable CPUs. It can be forced on or off by the administrator via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`.h](hThe retpoline mitigation is turned on by default on vulnerable CPUs. It can be forced on or off by the administrator via the kernel command line and sysfs control files. See }(hjMhhhNhNubh)}(h.:ref:`spectre_mitigation_control_command_line`h]j)}(hjWh]h'spectre_mitigation_control_command_line}(hjYhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjUubah}(h]h ]h"]h$]h&]refdocj refdomainjcreftyperef refexplicitrefwarnj'spectre_mitigation_control_command_lineuh1hhhhMhjMubh.}(hjMhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj{ubh)}(hOn x86, indirect branch restricted speculation is turned on by default before invoking any firmware code to prevent Spectre variant 2 exploits using the firmware.h]hOn x86, indirect branch restricted speculation is turned on by default before invoking any firmware code to prevent Spectre variant 2 exploits using the firmware.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hj{ubh)}(hUsing kernel address space randomization (CONFIG_RANDOMIZE_BASE=y and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes attacks on the kernel generally more difficult.h]hUsing kernel address space randomization (CONFIG_RANDOMIZE_BASE=y and CONFIG_SLAB_FREELIST_RANDOM=y in the kernel configuration) makes attacks on the kernel generally more difficult.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hj{ubeh}(h]h ]h"]h$]h&]uh1jhhhMhjjhhubeh}(h]id2ah ]h"]h$]jah&]uh1hhjhhhhhMjTKubeh}(h]kernel-mitigationah ]h"]1. kernel mitigationah$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(h2. User program mitigationh]h2. User program mitigation}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubj)}(hX9User programs can mitigate Spectre variant 1 using LFENCE or "bounds clipping". For more details see :ref:`[2] `. For Spectre variant 2 mitigation, individual user programs can be compiled with return trampolines for indirect branches. This protects them from consuming poisoned entries in the branch target buffer left by malicious software. On legacy IBRS systems, at return to userspace, implicit STIBP is disabled because the kernel clears the IBRS bit. In this case, the userspace programs can disable indirect branch speculation via prctl() (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). On x86, this will turn on STIBP to guard against attacks from the sibling thread when the user program is running, and use IBPB to flush the branch target buffer when switching to/from the program. Restricting indirect branch speculation on a user program will also prevent the program from launching a variant 2 attack on x86. Administrators can change that behavior via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`. Programs that disable their indirect branch speculation will have more overhead and run slower. User programs should use address space randomization (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more difficult. h](h)}(h|User programs can mitigate Spectre variant 1 using LFENCE or "bounds clipping". For more details see :ref:`[2] `.h](hiUser programs can mitigate Spectre variant 1 using LFENCE or “bounds clipping”. For more details see }(hjhhhNhNubh)}(h:ref:`[2] `h]j)}(hjh]h[2]}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj spec_ref2uh1hhhhMhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhjubh)}(hFor Spectre variant 2 mitigation, individual user programs can be compiled with return trampolines for indirect branches. This protects them from consuming poisoned entries in the branch target buffer left by malicious software.h]hFor Spectre variant 2 mitigation, individual user programs can be compiled with return trampolines for indirect branches. This protects them from consuming poisoned entries in the branch target buffer left by malicious software.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjubh)}(hXOn legacy IBRS systems, at return to userspace, implicit STIBP is disabled because the kernel clears the IBRS bit. In this case, the userspace programs can disable indirect branch speculation via prctl() (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). On x86, this will turn on STIBP to guard against attacks from the sibling thread when the user program is running, and use IBPB to flush the branch target buffer when switching to/from the program.h](hOn legacy IBRS systems, at return to userspace, implicit STIBP is disabled because the kernel clears the IBRS bit. In this case, the userspace programs can disable indirect branch speculation via prctl() (See }(hjhhhNhNubh)}(h@:ref:`Documentation/userspace-api/spec_ctrl.rst `h]j)}(hjh]h)Documentation/userspace-api/spec_ctrl.rst}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj set_spec_ctrluh1hhhhMhjubh). On x86, this will turn on STIBP to guard against attacks from the sibling thread when the user program is running, and use IBPB to flush the branch target buffer when switching to/from the program.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhjubh)}(hXRestricting indirect branch speculation on a user program will also prevent the program from launching a variant 2 attack on x86. Administrators can change that behavior via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`.h](hRestricting indirect branch speculation on a user program will also prevent the program from launching a variant 2 attack on x86. Administrators can change that behavior via the kernel command line and sysfs control files. See }(hj7hhhNhNubh)}(h.:ref:`spectre_mitigation_control_command_line`h]j)}(hjAh]h'spectre_mitigation_control_command_line}(hjChhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhj?ubah}(h]h ]h"]h$]h&]refdocj refdomainjMreftyperef refexplicitrefwarnj'spectre_mitigation_control_command_lineuh1hhhhM$hj7ubh.}(hj7hhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM$hjubh)}(h_Programs that disable their indirect branch speculation will have more overhead and run slower.h]h_Programs that disable their indirect branch speculation will have more overhead and run slower.}(hjihhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM*hjubh)}(hUser programs should use address space randomization (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more difficult.h]hUser programs should use address space randomization (/proc/sys/kernel/randomize_va_space = 1 or 2) to make attacks more difficult.}(hjwhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM-hjubeh}(h]h ]h"]h$]h&]uh1jhhhMhjhhubeh}(h]user-program-mitigationah ]h"]2. user program mitigationah$]h&]uh1hhjhhhhhMubh)}(hhh](h)}(h3. VM mitigationh]h3. VM mitigation}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhM2ubj)}(hXWithin the kernel, Spectre variant 1 attacks from rogue guests are mitigated on a case by case basis in VM exit paths. Vulnerable code uses nospec accessor macros for "bounds clipping", to avoid any usable disclosure gadgets. However, this may not cover all variant 1 attack vectors. For Spectre variant 2 attacks from rogue guests to the kernel, the Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of poisoned entries in branch target buffer left by rogue guests. It also flushes the return stack buffer on every VM exit to prevent a return stack buffer underflow so poisoned branch target buffer could be used, or attacker guests leaving poisoned entries in the return stack buffer. To mitigate guest-to-guest attacks in the same CPU hardware thread, the branch target buffer is sanitized by flushing before switching to a new guest on a CPU. The above mitigations are turned on by default on vulnerable CPUs. To mitigate guest-to-guest attacks from sibling thread when SMT is in use, an untrusted guest running in the sibling thread can have its indirect branch speculation disabled by administrator via prctl(). The kernel also allows guests to use any microcode based mitigation they choose to use (such as IBPB or STIBP on x86) to protect themselves. h](h)}(hXWithin the kernel, Spectre variant 1 attacks from rogue guests are mitigated on a case by case basis in VM exit paths. Vulnerable code uses nospec accessor macros for "bounds clipping", to avoid any usable disclosure gadgets. However, this may not cover all variant 1 attack vectors.h]hX Within the kernel, Spectre variant 1 attacks from rogue guests are mitigated on a case by case basis in VM exit paths. Vulnerable code uses nospec accessor macros for “bounds clipping”, to avoid any usable disclosure gadgets. However, this may not cover all variant 1 attack vectors.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM4hjubh)}(hXFor Spectre variant 2 attacks from rogue guests to the kernel, the Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of poisoned entries in branch target buffer left by rogue guests. It also flushes the return stack buffer on every VM exit to prevent a return stack buffer underflow so poisoned branch target buffer could be used, or attacker guests leaving poisoned entries in the return stack buffer.h]hXFor Spectre variant 2 attacks from rogue guests to the kernel, the Linux kernel uses retpoline or Enhanced IBRS to prevent consumption of poisoned entries in branch target buffer left by rogue guests. It also flushes the return stack buffer on every VM exit to prevent a return stack buffer underflow so poisoned branch target buffer could be used, or attacker guests leaving poisoned entries in the return stack buffer.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM:hjubh)}(hTo mitigate guest-to-guest attacks in the same CPU hardware thread, the branch target buffer is sanitized by flushing before switching to a new guest on a CPU.h]hTo mitigate guest-to-guest attacks in the same CPU hardware thread, the branch target buffer is sanitized by flushing before switching to a new guest on a CPU.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMAhjubh)}(hBThe above mitigations are turned on by default on vulnerable CPUs.h]hBThe above mitigations are turned on by default on vulnerable CPUs.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMEhjubh)}(hTo mitigate guest-to-guest attacks from sibling thread when SMT is in use, an untrusted guest running in the sibling thread can have its indirect branch speculation disabled by administrator via prctl().h]hTo mitigate guest-to-guest attacks from sibling thread when SMT is in use, an untrusted guest running in the sibling thread can have its indirect branch speculation disabled by administrator via prctl().}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMGhjubh)}(hThe kernel also allows guests to use any microcode based mitigation they choose to use (such as IBPB or STIBP on x86) to protect themselves.h]hThe kernel also allows guests to use any microcode based mitigation they choose to use (such as IBPB or STIBP on x86) to protect themselves.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMKhjubeh}(h]h ]h"]h$]h&]uh1jhhhM4hjhhubjS)}(h,.. _spectre_mitigation_control_command_line:h]h}(h]h ]h"]h$]h&]j^'spectre-mitigation-control-command-lineuh1jRhMNhjhhhhubeh}(h] vm-mitigationah ]h"]3. vm mitigationah$]h&]uh1hhjhhhhhM2ubeh}(h]Aturning-on-mitigation-for-spectre-variant-1-and-spectre-variant-2ah ]h"]Aturning on mitigation for spectre variant 1 and spectre variant 2ah$]h&]uh1hhhhhhhhMubh)}(hhh](h)}(h-Mitigation control on the kernel command lineh]h-Mitigation control on the kernel command line}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMQubh)}(hQIn general the kernel selects reasonable default mitigations for the current CPU.h]hQIn general the kernel selects reasonable default mitigations for the current CPU.}(hj.hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMShjhhubh)}(hmSpectre default mitigations can be disabled or changed at the kernel command line with the following options:h]hmSpectre default mitigations can be disabled or changed at the kernel command line with the following options:}(hj<hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMVhjhhubj)}(hf- nospectre_v1 - nospectre_v2 - spectre_v2={option} - spectre_v2_user={option} - spectre_bhi={option} h]j)}(hhh](j )}(h nospectre_v1h]h)}(hjSh]h nospectre_v1}(hjUhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMYhjQubah}(h]h ]h"]h$]h&]uh1jhjNubj )}(h nospectre_v2h]h)}(hjjh]h nospectre_v2}(hjlhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMZhjhubah}(h]h ]h"]h$]h&]uh1jhjNubj )}(hspectre_v2={option}h]h)}(hjh]hspectre_v2={option}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM[hjubah}(h]h ]h"]h$]h&]uh1jhjNubj )}(hspectre_v2_user={option}h]h)}(hjh]hspectre_v2_user={option}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM\hjubah}(h]h ]h"]h$]h&]uh1jhjNubj )}(hspectre_bhi={option} h]h)}(hspectre_bhi={option}h]hspectre_bhi={option}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM]hjubah}(h]h ]h"]h$]h&]uh1jhjNubeh}(h]h ]h"]h$]h&]jjuh1jhhhMYhjJubah}(h]h ]h"]h$]h&]uh1jhhhMYhjhhubh)}(hcFor more details on the available options, refer to Documentation/admin-guide/kernel-parameters.txth]hcFor more details on the available options, refer to Documentation/admin-guide/kernel-parameters.txt}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM_hjhhubeh}(h](-mitigation-control-on-the-kernel-command-linej eh ]h"](-mitigation control on the kernel command line'spectre_mitigation_control_command_lineeh$]h&]uh1hhhhhhhhMQjo}jjsjq}j jsubh)}(hhh](h)}(hMitigation selection guideh]hMitigation selection guide}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMbubh)}(hhh](h)}(h1. Trusted userspaceh]h1. Trusted userspace}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMeubj)}(hIf all userspace applications are from trusted sources and do not execute externally supplied untrusted code, then the mitigations can be disabled. h]h)}(hIf all userspace applications are from trusted sources and do not execute externally supplied untrusted code, then the mitigations can be disabled.h]hIf all userspace applications are from trusted sources and do not execute externally supplied untrusted code, then the mitigations can be disabled.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMghj ubah}(h]h ]h"]h$]h&]uh1jhhhMghjhhubeh}(h]trusted-userspaceah ]h"]1. trusted userspaceah$]h&]uh1hhjhhhhhMeubh)}(hhh](h)}(h2. Protect sensitive programsh]h2. Protect sensitive programs}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj,hhhhhMlubj)}(hX For security-sensitive programs that have secrets (e.g. crypto keys), protection against Spectre variant 2 can be put in place by disabling indirect branch speculation when the program is running (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). h]h)}(hX For security-sensitive programs that have secrets (e.g. crypto keys), protection against Spectre variant 2 can be put in place by disabling indirect branch speculation when the program is running (See :ref:`Documentation/userspace-api/spec_ctrl.rst `).h](hFor security-sensitive programs that have secrets (e.g. crypto keys), protection against Spectre variant 2 can be put in place by disabling indirect branch speculation when the program is running (See }(hjAhhhNhNubh)}(h@:ref:`Documentation/userspace-api/spec_ctrl.rst `h]j)}(hjKh]h)Documentation/userspace-api/spec_ctrl.rst}(hjMhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjIubah}(h]h ]h"]h$]h&]refdocj refdomainjWreftyperef refexplicitrefwarnj set_spec_ctrluh1hhhhMnhjAubh).}(hjAhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMnhj=ubah}(h]h ]h"]h$]h&]uh1jhhhMnhj,hhubeh}(h]protect-sensitive-programsah ]h"]2. protect sensitive programsah$]h&]uh1hhjhhhhhMlubh)}(hhh](h)}(h3. Sandbox untrusted programsh]h3. Sandbox untrusted programs}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMtubj)}(hXUntrusted programs that could be a source of attacks can be cordoned off by disabling their indirect branch speculation when they are run (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). This prevents untrusted programs from polluting the branch target buffer. This behavior can be changed via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`. h]h)}(hXUntrusted programs that could be a source of attacks can be cordoned off by disabling their indirect branch speculation when they are run (See :ref:`Documentation/userspace-api/spec_ctrl.rst `). This prevents untrusted programs from polluting the branch target buffer. This behavior can be changed via the kernel command line and sysfs control files. See :ref:`spectre_mitigation_control_command_line`.h](hUntrusted programs that could be a source of attacks can be cordoned off by disabling their indirect branch speculation when they are run (See }(hjhhhNhNubh)}(h@:ref:`Documentation/userspace-api/spec_ctrl.rst `h]j)}(hjh]h)Documentation/userspace-api/spec_ctrl.rst}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj set_spec_ctrluh1hhhhMvhjubh). This prevents untrusted programs from polluting the branch target buffer. This behavior can be changed via the kernel command line and sysfs control files. See }(hjhhhNhNubh)}(h.:ref:`spectre_mitigation_control_command_line`h]j)}(hjh]h'spectre_mitigation_control_command_line}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainjreftyperef refexplicitrefwarnj'spectre_mitigation_control_command_lineuh1hhhhMvhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMvhjubah}(h]h ]h"]h$]h&]uh1jhhhMvhjhhubeh}(h]sandbox-untrusted-programsah ]h"]3. sandbox untrusted programsah$]h&]uh1hhjhhhhhMtubh)}(hhh](h)}(h3. High security modeh]h3. High security mode}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubj)}(hX`All Spectre variant 2 mitigations can be forced on at boot time for all programs (See the "on" option in :ref:`spectre_mitigation_control_command_line`). This will add overhead as indirect branch speculations for all programs will be restricted. On x86, branch target buffer will be flushed with IBPB when switching to a new program. STIBP is left on all the time to protect programs against variant 2 attacks originating from programs running on sibling threads. Alternatively, STIBP can be used only when running programs whose indirect branch speculation is explicitly disabled, while IBPB is still used all the time when switching to a new program to clear the branch target buffer (See "ibpb" option in :ref:`spectre_mitigation_control_command_line`). This "ibpb" option has less performance cost than the "on" option, which leaves STIBP on all the time. h](h)}(hAll Spectre variant 2 mitigations can be forced on at boot time for all programs (See the "on" option in :ref:`spectre_mitigation_control_command_line`). This will add overhead as indirect branch speculations for all programs will be restricted.h](hmAll Spectre variant 2 mitigations can be forced on at boot time for all programs (See the “on” option in }(hjhhhNhNubh)}(h.:ref:`spectre_mitigation_control_command_line`h]j)}(hjh]h'spectre_mitigation_control_command_line}(hjhhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj refdomainj%reftyperef refexplicitrefwarnj'spectre_mitigation_control_command_lineuh1hhhhMhjubh_). This will add overhead as indirect branch speculations for all programs will be restricted.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubh)}(hOn x86, branch target buffer will be flushed with IBPB when switching to a new program. STIBP is left on all the time to protect programs against variant 2 attacks originating from programs running on sibling threads.h]hOn x86, branch target buffer will be flushed with IBPB when switching to a new program. STIBP is left on all the time to protect programs against variant 2 attacks originating from programs running on sibling threads.}(hjAhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhj ubh)}(hXAlternatively, STIBP can be used only when running programs whose indirect branch speculation is explicitly disabled, while IBPB is still used all the time when switching to a new program to clear the branch target buffer (See "ibpb" option in :ref:`spectre_mitigation_control_command_line`). This "ibpb" option has less performance cost than the "on" option, which leaves STIBP on all the time.h](hAlternatively, STIBP can be used only when running programs whose indirect branch speculation is explicitly disabled, while IBPB is still used all the time when switching to a new program to clear the branch target buffer (See “ibpb” option in }(hjOhhhNhNubh)}(h.:ref:`spectre_mitigation_control_command_line`h]j)}(hjYh]h'spectre_mitigation_control_command_line}(hj[hhhNhNubah}(h]h ](jstdstd-refeh"]h$]h&]uh1jhjWubah}(h]h ]h"]h$]h&]refdocj refdomainjereftyperef refexplicitrefwarnj'spectre_mitigation_control_command_lineuh1hhhhMhjOubhr). This “ibpb” option has less performance cost than the “on” option, which leaves STIBP on all the time.}(hjOhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj ubeh}(h]h ]h"]h$]h&]uh1jhhhMhjhhubeh}(h]high-security-modeah ]h"]3. high security modeah$]h&]uh1hhjhhhhhMubeh}(h]mitigation-selection-guideah ]h"]mitigation selection guideah$]h&]uh1hhhhhhhhMbubh)}(hhh](h)}(hReferences on Spectreh]hReferences on Spectre}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hIntel white papers:h]hIntel white papers:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref1:h]h}(h]h ]h"]h$]h&]j^ spec-ref1uh1jRhMhjhhhhubh)}(h[1] `Intel analysis of speculative execution side channels `_.h](h[1] }(hjhhhNhNubh reference)}(h`Intel analysis of speculative execution side channels `_h]h5Intel analysis of speculative execution side channels}(hjhhhNhNubah}(h]h ]h"]h$]h&]name5Intel analysis of speculative execution side channelsrefurixhttps://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdfuh1jhjubjS)}(h{ h]h}(h]5intel-analysis-of-speculative-execution-side-channelsah ]h"]5intel analysis of speculative execution side channelsah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref1ah$]h&]uh1hhhhMhjhhjo}jjsjq}jjsubjS)}(h.. _spec_ref2:h]h}(h]h ]h"]h$]h&]j^ spec-ref2uh1jRhMhjhhhhubh)}(hy[2] `Bounds check bypass `_.h](h[2] }(hjhhhNhNubj)}(ht`Bounds check bypass `_h]hBounds check bypass}(hj hhhNhNubah}(h]h ]h"]h$]h&]nameBounds check bypassj[https://software.intel.com/security-software-guidance/software-guidance/bounds-check-bypassuh1jhjubjS)}(h^ h]h}(h]bounds-check-bypassah ]h"]bounds check bypassah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref2ah$]h&]uh1hhhhMhjhhjo}j0jsjq}jjsubjS)}(h.. _spec_ref3:h]h}(h]h ]h"]h$]h&]j^ spec-ref3uh1jRhMhjhhhhubh)}(h[3] `Deep dive: Retpoline: A branch target injection mitigation `_.h](h[3] }(hj@hhhNhNubj)}(h`Deep dive: Retpoline: A branch target injection mitigation `_h]h:Deep dive: Retpoline: A branch target injection mitigation}(hjHhhhNhNubah}(h]h ]h"]h$]h&]name:Deep dive: Retpoline: A branch target injection mitigationjuhttps://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-target-injection-mitigationuh1jhj@ubjS)}(hx h]h}(h]8deep-dive-retpoline-a-branch-target-injection-mitigationah ]h"]:deep dive: retpoline: a branch target injection mitigationah$]h&]refurijXuh1jRjTKhj@ubh.}(hj@hhhNhNubeh}(h]j?ah ]h"] spec_ref3ah$]h&]uh1hhhhMhjhhjo}jnj5sjq}j?j5subjS)}(h.. _spec_ref4:h]h}(h]h ]h"]h$]h&]j^ spec-ref4uh1jRhMhjhhhhubh)}(h[4] `Deep Dive: Single Thread Indirect Branch Predictors `_.h](h[4] }(hj~hhhNhNubj)}(h`Deep Dive: Single Thread Indirect Branch Predictors `_h]h3Deep Dive: Single Thread Indirect Branch Predictors}(hjhhhNhNubah}(h]h ]h"]h$]h&]name3Deep Dive: Single Thread Indirect Branch Predictorsjqhttps://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictorsuh1jhj~ubjS)}(ht h]h}(h]2deep-dive-single-thread-indirect-branch-predictorsah ]h"]3deep dive: single thread indirect branch predictorsah$]h&]refurijuh1jRjTKhj~ubh.}(hj~hhhNhNubeh}(h]j}ah ]h"] spec_ref4ah$]h&]uh1hhhhMhjhhjo}jjssjq}j}jssubh)}(hAMD white papers:h]hAMD white papers:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref5:h]h}(h]h ]h"]h$]h&]j^ spec-ref5uh1jRhMhjhhhhubh)}(h[5] `AMD64 technology indirect branch control extension `_.h](h[5] }(hjhhhNhNubj)}(h`AMD64 technology indirect branch control extension `_h]h2AMD64 technology indirect branch control extension}(hjhhhNhNubah}(h]h ]h"]h$]h&]name2AMD64 technology indirect branch control extensionjihttps://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdfuh1jhjubjS)}(hl h]h}(h]2amd64-technology-indirect-branch-control-extensionah ]h"]2amd64 technology indirect branch control extensionah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref5ah$]h&]uh1hhhhMhjhhjo}jjsjq}jjsubjS)}(h.. _spec_ref6:h]h}(h]h ]h"]h$]h&]j^ spec-ref6uh1jRhMhjhhhhubh)}(h[6] `Software techniques for managing speculation on AMD processors `_.h](h[6] }(hjhhhNhNubj)}(h`Software techniques for managing speculation on AMD processors `_h]h>Software techniques for managing speculation on AMD processors}(hjhhhNhNubah}(h]h ]h"]h$]h&]name>Software techniques for managing speculation on AMD processorsjYhttps://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdfuh1jhjubjS)}(h\ h]h}(h]>software-techniques-for-managing-speculation-on-amd-processorsah ]h"]>software techniques for managing speculation on amd processorsah$]h&]refurij uh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref6ah$]h&]uh1hhhhMhjhhjo}j6jsjq}jjsubh)}(hARM white papers:h]hARM white papers:}(hj;hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref7:h]h}(h]h ]h"]h$]h&]j^ spec-ref7uh1jRhMhjhhhhubh)}(h[7] `Cache speculation side-channels `_.h](h[7] }(hjThhhNhNubj)}(h`Cache speculation side-channels `_h]hCache speculation side-channels}(hj\hhhNhNubah}(h]h ]h"]h$]h&]nameCache speculation side-channelsjrhttps://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/download-the-whitepaperuh1jhjTubjS)}(hu h]h}(h]cache-speculation-side-channelsah ]h"]cache speculation side-channelsah$]h&]refurijluh1jRjTKhjTubh.}(hjThhhNhNubeh}(h]jSah ]h"] spec_ref7ah$]h&]uh1hhhhMhjhhjo}jjIsjq}jSjIsubjS)}(h.. _spec_ref8:h]h}(h]h ]h"]h$]h&]j^ spec-ref8uh1jRhMhjhhhhubh)}(h[8] `Cache speculation issues update `_.h](h[8] }(hjhhhNhNubj)}(h`Cache speculation issues update `_h]hCache speculation issues update}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameCache speculation issues updatejhttps://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/cache-speculation-issues-updateuh1jhjubjS)}(h h]h}(h]cache-speculation-issues-updateah ]h"]cache speculation issues updateah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubehm7}(h]jah ]h"] spec_ref8ah$]h&]uh1hhhhMhjhhjo}jjsjq}jjsubh)}(hGoogle white paper:h]hGoogle white paper:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref9:h]h}(h]h ]h"]h$]h&]j^ spec-ref9uh1jRhMhjhhhhubh)}(h[9] `Retpoline: a software construct for preventing branch-target-injection `_.h](h[9] }(hjhhhNhNubj)}(hz`Retpoline: a software construct for preventing branch-target-injection `_h]hFRetpoline: a software construct for preventing branch-target-injection}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameFRetpoline: a software construct for preventing branch-target-injectionj.https://support.google.com/faqs/answer/7625886uh1jhjubjS)}(h1 h]h}(h]Eretpoline-a-software-construct-for-preventing-branch-target-injectionah ]h"]Fretpoline: a software construct for preventing branch-target-injectionah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref9ah$]h&]uh1hhhhMhjhhjo}j jsjq}jjsubh)}(hMIPS white paper:h]hMIPS white paper:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref10:h]h}(h]h ]h"]h$]h&]j^ spec-ref10uh1jRhMhjhhhhubh)}(h[10] `MIPS: response on speculative execution and side channel vulnerabilities `_.h](h[10] }(hj*hhhNhNubj)}(h`MIPS: response on speculative execution and side channel vulnerabilities `_h]hHMIPS: response on speculative execution and side channel vulnerabilities}(hj2hhhNhNubah}(h]h ]h"]h$]h&]nameHMIPS: response on speculative execution and side channel vulnerabilitiesjbhttps://www.mips.com/blog/mips-response-on-speculative-execution-and-side-channel-vulnerabilities/uh1jhj*ubjS)}(he h]h}(h]Gmips-response-on-speculative-execution-and-side-channel-vulnerabilitiesah ]h"]Hmips: response on speculative execution and side channel vulnerabilitiesah$]h&]refurijBuh1jRjTKhj*ubh.}(hj*hhhNhNubeh}(h]j)ah ]h"] spec_ref10ah$]h&]uh1hhhhMhjhhjo}jXjsjq}j)jsubh)}(hAcademic papers:h]hAcademic papers:}(hj]hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubjS)}(h.. _spec_ref11:h]h}(h]h ]h"]h$]h&]j^ spec-ref11uh1jRhMhjhhhhubh)}(hb[11] `Spectre Attacks: Exploiting Speculative Execution `_.h](h[11] }(hjvhhhNhNubj)}(h\`Spectre Attacks: Exploiting Speculative Execution `_h]h1Spectre Attacks: Exploiting Speculative Execution}(hj~hhhNhNubah}(h]h ]h"]h$]h&]name1Spectre Attacks: Exploiting Speculative Executionj%https://spectreattack.com/spectre.pdfuh1jhjvubjS)}(h( h]h}(h]0spectre-attacks-exploiting-speculative-executionah ]h"]1spectre attacks: exploiting speculative executionah$]h&]refurijuh1jRjTKhjvubh.}(hjvhhhNhNubeh}(h]juah ]h"] spec_ref11ah$]h&]uh1hhhhMhjhhjo}jjksjq}jujksubjS)}(h.. _spec_ref12:h]h}(h]h ]h"]h$]h&]j^ spec-ref12uh1jRhMhjhhhhubh)}(hZ[12] `NetSpectre: Read Arbitrary Memory over Network `_.h](h[12] }(hjhhhNhNubj)}(hT`NetSpectre: Read Arbitrary Memory over Network `_h]h.NetSpectre: Read Arbitrary Memory over Network}(hjhhhNhNubah}(h]h ]h"]h$]h&]name.NetSpectre: Read Arbitrary Memory over Networkj https://arxiv.org/abs/1807.10535uh1jhjubjS)}(h# h]h}(h]-netspectre-read-arbitrary-memory-over-networkah ]h"].netspectre: read arbitrary memory over networkah$]h&]refurijuh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref12ah$]h&]uh1hhhhMhjhhjo}jjsjq}jjsubjS)}(h.. _spec_ref13:h]h}(h]h ]h"]h$]h&]j^ spec-ref13uh1jRhMhjhhhhubh)}(h[13] `Spectre Returns! Speculation Attacks using the Return Stack Buffer `_.h](h[13] }(hjhhhNhNubj)}(h`Spectre Returns! Speculation Attacks using the Return Stack Buffer `_h]hBSpectre Returns! Speculation Attacks using the Return Stack Buffer}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameBSpectre Returns! Speculation Attacks using the Return Stack BufferjNhttps://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdfuh1jhjubjS)}(hQ h]h}(h]Aspectre-returns-speculation-attacks-using-the-return-stack-bufferah ]h"]Bspectre returns! speculation attacks using the return stack bufferah$]h&]refurij uh1jRjTKhjubh.}(hjhhhNhNubeh}(h]jah ]h"] spec_ref13ah$]h&]uh1hhhhMhjhhjo}j jsjq}jjsubeh}(h]references-on-spectreah ]h"]references on spectreah$]h&]uh1hhhhhhhhMubeh}(h]spectre-side-channelsah ]h"]spectre side channelsah$]h&]uh1hhhhhhhhKubeh}(h]h ]h"]h$]h&]sourcehuh1hcurrent_sourceN current_lineNsettingsdocutils.frontendValues)}(hN generatorN datestampN source_linkN source_urlN toc_backlinksjmfootnote_backlinksK sectnum_xformKstrip_commentsNstrip_elements_with_classesN strip_classesN report_levelK halt_levelKexit_status_levelKdebugNwarning_streamN tracebackinput_encoding utf-8-siginput_encoding_error_handlerstrictoutput_encodingutf-8output_encoding_error_handlerjWerror_encodingutf-8error_encoding_error_handlerbackslashreplace language_codeenrecord_dependenciesNconfigN id_prefixhauto_id_prefixid dump_settingsNdump_internalsNdump_transformsNdump_pseudo_xmlNexpose_internalsNstrict_visitorN_disable_configN_sourceh _destinationN _config_files]7/var/lib/git/docbuild/linux/Documentation/docutils.confafile_insertion_enabled raw_enabledKline_length_limitM'pep_referencesN pep_base_urlhttps://peps.python.org/pep_file_url_templatepep-%04drfc_referencesN rfc_base_url&https://datatracker.ietf.org/doc/html/ tab_widthKtrim_footnote_reference_spacesyntax_highlightlong smart_quotessmartquotes_locales]character_level_inline_markupdoctitle_xform docinfo_xformKsectsubtitle_xform image_loadinglinkembed_stylesheetcloak_email_addressessection_self_linkenvNubreporterNindirect_targets]substitution_defs}substitution_names}refnames}refids}(j_]jTajj ]j` aj ]jaj]jaj]jaj?]j5aj}]jsaj]jaj]jajS]jIaj]jaj]jaj)]jaju]jkaj]jaj]jaunameids}(j2j/jjjtjqjj~j j jjjlj_jx ju jjspectre variant 1Njjspectre variant 2NjKjHjjjp jm jjj jjjjjjjjjjjj jjjjj)j&j~j{jjjjj*j'jjjjj0jj$j!jnj?jbj_jj}jjjjjjj6jj*j'jjSjvjsjjjjj jjjjXj)jLjIjjujjjjjjj jjju nametypes}(j2jjtjj jjljx jjjjjKjjp jjjjjjjjjj)j~jjj*jjj0j$jnjbjjjjj6j*jjvjjj jjXjLjjjjj juh}(j/hjhjqjj~jwj jjjj_j`ju jjjjNjjjUjjjHjjjNjm jjj j{ jj{ jjjjjejjjjjjjjj jjjjjj&jj{j,jjjjj'jjjjjjjj!jj?j@j_jYj}j~jjjjjjjjj'j!jSjTjsjmjjjjjjjjj)j*jIjCjujvjjjjjjjjjj u footnote_refs} citation_refs} autofootnotes]autofootnote_refs]symbol_footnotes]symbol_footnote_refs] footnotes] citations]autofootnote_startKsymbol_footnote_startK id_counter collectionsCounter}jeKsRparse_messages](hsystem_message)}(hhh]h)}(h4Duplicate implicit target name: "spectre variant 1".h]h8Duplicate implicit target name: “spectre variant 1”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]jealevelKtypeINFOsourcehlineMuh1jhjhhhhhMubj)}(hhh]h)}(h4Duplicate implicit target name: "spectre variant 2".h]h8Duplicate implicit target name: “spectre variant 2”.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]jalevelKtypejsourcehlineMuh1jhjjhhhhhMubetransform_messages](j)}(hhh]h)}(hhh]h0Hyperlink target "poison-btb" is not referenced.}hj sbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineKduh1jubj)}(hhh]h)}(hhh]h6Hyperlink target "spectre-sys-info" is not referenced.}hj#sbah}(h]h ]h"]h$]h&]uh1hhj ubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMDuh1jubj)}(hhh]h)}(hhh]hMHyperlink target "spectre-mitigation-control-command-line" is not referenced.}hj=sbah}(h]h ]h"]h$]h&]uh1hhj:ubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMNuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref1" is not referenced.}hjWsbah}(h]h ]h"]h$]h&]uh1hhjTubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref2" is not referenced.}hjqsbah}(h]h ]h"]h$]h&]uh1hhjnubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref3" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref4" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref5" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref6" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref7" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref8" is not referenced.}hj sbah}(h]h ]h"]h$]h&]uh1hhj ubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h/Hyperlink target "spec-ref9" is not referenced.}hj'sbah}(h]h ]h"]h$]h&]uh1hhj$ubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h0Hyperlink target "spec-ref10" is not referenced.}hjAsbah}(h]h ]h"]h$]h&]uh1hhj>ubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h0Hyperlink target "spec-ref11" is not referenced.}hj[sbah}(h]h ]h"]h$]h&]uh1hhjXubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h0Hyperlink target "spec-ref12" is not referenced.}hjusbah}(h]h ]h"]h$]h&]uh1hhjrubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jubj)}(hhh]h)}(hhh]h0Hyperlink target "spec-ref13" is not referenced.}hjsbah}(h]h ]h"]h$]h&]uh1hhjubah}(h]h ]h"]h$]h&]levelKtypejsourcehlineMuh1jube transformerN include_log] decorationNhhub.