.. SPDX-License-Identifier: GPL-2.0
.. Source: Documentation/admin-guide/hw-vuln/srso.rst

Speculative Return Stack Overflow (SRSO)
========================================

This is a mitigation for the speculative return stack overflow (SRSO)
vulnerability found on AMD processors. The mechanism is by now the well
known scenario of poisoning CPU functional units - the Branch Target
Buffer (BTB) and Return Address Predictor (RAP) in this case - and then
tricking the elevated privilege domain (the kernel) into leaking
sensitive data.

AMD CPUs predict RET instructions using a Return Address Predictor (aka
Return Address Stack/Return Stack Buffer). In some cases, a
non-architectural CALL instruction (i.e., an instruction predicted to be
a CALL but is not actually a CALL) can create an entry in the RAP which
may be used to predict the target of a subsequent RET instruction.

The specific circumstances that lead to this vary by microarchitecture,
but the concern is that an attacker can mis-train the CPU BTB to predict
non-architectural CALL instructions in kernel space and use this to
control the speculative target of a subsequent kernel RET, potentially
leading to information disclosure via a speculative side-channel.

The issue is tracked under CVE-2023-20569.

Affected processors
-------------------

AMD Zen, generations 1-4. That is, all families 0x17 and 0x19. Older
processors have not been investigated.

System information and options
------------------------------

First of all, it is required that the latest microcode be loaded for
mitigations to be effective.

The sysfs file showing SRSO mitigation status is:

  /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

The possible values in this file are:

 * 'Not affected':

   The processor is not vulnerable.

 * 'Vulnerable':

   The processor is vulnerable and no mitigations have been applied.

 * 'Vulnerable: No microcode':

   The processor is vulnerable; no microcode extending IBPB
   functionality to address the vulnerability has been applied.

 * 'Vulnerable: Safe RET, no microcode':

   The "Safe RET" mitigation (see below) has been applied to protect the
   kernel, but the IBPB-extending microcode has not been applied. User
   space tasks may still be vulnerable.

 * 'Vulnerable: Microcode, no safe RET':

   The extended IBPB functionality microcode patch has been applied. It
   does not address User->Kernel and Guest->Host transition protection,
   but it does address the User->User and VM->VM attack vectors.

   Note that User->User mitigation is controlled by how the IBPB aspect
   of the Spectre v2 mitigation is selected:

    * conditional IBPB:

      where each process can select whether it needs an IBPB issued
      around it (PR_SPEC_DISABLE/_ENABLE etc., see :doc:`spectre`)

    * strict:

      i.e., always on - by supplying spectre_v2_user=on on the kernel
      command line

   (spec_rstack_overflow=microcode)

 * 'Mitigation: Safe RET':

   Combined microcode/software mitigation. It complements the extended
   IBPB microcode patch functionality by addressing User->Kernel and
   Guest->Host transition protection.

   Selected by default or by spec_rstack_overflow=safe-ret

 * 'Mitigation: IBPB':

   Similar protection as "safe RET" above, but employs an IBPB barrier
   on privilege domain crossings (User->Kernel, Guest->Host).

   (spec_rstack_overflow=ibpb)

 * 'Mitigation: IBPB on VMEXIT':

   Mitigation addressing the cloud provider scenario - the Guest->Host
   transitions only.

   (spec_rstack_overflow=ibpb-vmexit)

 * 'Mitigation: Reduced Speculation':

   This mitigation gets automatically enabled when the above one, "IBPB
   on VMEXIT", has been selected and the CPU supports the BpSpecReduce
   bit.

   It gets automatically enabled on machines which have the
   SRSO_USER_KERNEL_NO=1 CPUID bit. In that case, the code logic is to
   switch to the above =ibpb-vmexit mitigation because the user/kernel
   boundary is not affected anymore and thus "safe RET" is not needed.

   After enabling the IBPB on VMEXIT mitigation option, the BpSpecReduce
   bit is detected (functionality present on all such machines) and that
   practically overrides IBPB on VMEXIT, as it has a lot less performance
   impact and takes care of the guest->host attack vector too.

In order to exploit the vulnerability, an attacker needs to:

 - gain local access on the machine

 - break kASLR

 - find gadgets in the running kernel in order to use them in the exploit

 - potentially create and pin an additional workload on the sibling
   thread, depending on the microarchitecture (not necessary on fam 0x19)

 - run the exploit

Considering the performance implications of each mitigation type, the
default one is 'Mitigation: safe RET', which should take care of most
attack vectors, including the local User->Kernel one.

As always, the user is advised to keep her/his system up-to-date by
applying software updates regularly.

The default setting will be reevaluated when needed and especially when
new attack vectors appear.

As one can surmise, 'Mitigation: safe RET' does come at the cost of some
performance depending on the workload. If one trusts her/his userspace
and does not want to suffer the performance impact, one can always
disable the mitigation with spec_rstack_overflow=off.

Similarly, 'Mitigation: IBPB' is another full mitigation type employing
an indirect branch prediction barrier after having applied the required
microcode patch for one's system. This mitigation also comes at a
performance cost.

Mitigation: Safe RET
--------------------

The mitigation works by ensuring all RET instructions speculate to a
controlled location, similar to how speculation is controlled in the
retpoline sequence. To accomplish this, the __x86_return_thunk forces
the CPU to mispredict every function return using a 'safe return'
sequence.

To ensure the safety of this mitigation, the kernel must ensure that the
safe return sequence is itself free from attacker interference. In Zen3
and Zen4, this is accomplished by creating a BTB alias between the
untraining function srso_alias_untrain_ret() and the safe return
function srso_alias_safe_ret(), which results in evicting a potentially
poisoned BTB entry and using that safe one for all function returns.

In older Zen1 and Zen2, this is accomplished using a reinterpretation
technique similar to the Retbleed one: srso_untrain_ret() and
srso_safe_ret().

Checking the safe RET mitigation actually works
-----------------------------------------------

In case one wants to validate whether the SRSO safe RET mitigation works
on a kernel, one could use two performance counters

 * PMC_0xc8 - Count of RET/RET lw retired
 * PMC_0xc9 - Count of RET/RET lw retired mispredicted

and compare the number of RETs retired properly vs those retired
mispredicted, in kernel mode. Another way of specifying those events is::

  # perf list ex_ret_near_ret

  List of pre-defined events (to be used in -e or -M):

  core:
    ex_ret_near_ret
      [Retired Near Returns]
    ex_ret_near_ret_mispred
      [Retired Near Returns Mispredicted]

Either the command using the event mnemonics::

  # perf stat -e ex_ret_near_ret:k -e ex_ret_near_ret_mispred:k sleep 10s

or using the raw PMC numbers::

  # perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s

should give the same amount. I.e., every RET retired should be
mispredicted::

  [root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s

   Performance counter stats for 'sleep 10s':

           137,167      cpu/event=0xc8,umask=0/k
           137,173      cpu/event=0xc9,umask=0/k

      10.004110303 seconds time elapsed

       0.000000000 seconds user
       0.004462000 seconds sys

vs the case when the mitigation is disabled (spec_rstack_overflow=off)
or not functioning properly, which usually shows a much smaller number
of mispredicted retired RETs vs the overall count of retired RETs during
a workload::

  [root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s

   Performance counter stats for 'sleep 10s':

           201,627      cpu/event=0xc8,umask=0/k
             4,074      cpu/event=0xc9,umask=0/k

      10.003267252 seconds time elapsed

       0.002729000 seconds user
       0.000000000 seconds sys

Also, there is a selftest which performs the above; go to
tools/testing/selftests/x86/ and do::

  make srso

  ./srso
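The two checks this document describes, reading the sysfs status string and comparing the retired vs. mispredicted kernel RET counters, as one added shell example. This is not code from the kernel tree or from the srso selftest: the sysfs path, the status strings and the perf events are the ones documented above, while the 95% "every RET mispredicted" threshold, the status classification names and the two embedded perf outputs (modelled on the runs shown above) are assumptions constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation or selftests.
# Checks SRSO mitigation state from sysfs and evaluates a perf stat run
# for the safe RET signature: nearly every kernel RET retired mispredicted.

SRSO_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

# Map the documented sysfs strings to a coarse state (names are assumptions).
srso_classify() {
    case "$1" in
        "Not affected") echo not_affected ;;
        "Mitigation: Safe RET"|"Mitigation: IBPB"|"Mitigation: IBPB on VMEXIT"|"Mitigation: Reduced Speculation")
            echo mitigated ;;
        "Vulnerable: Safe RET, no microcode"|"Vulnerable: No microcode")
            echo microcode_missing ;;      # latest microcode not loaded
        "Vulnerable: Microcode, no safe RET")
            echo kernel_unprotected ;;     # User->Kernel / Guest->Host not covered
        "Vulnerable") echo unmitigated ;;
        *) echo unknown ;;
    esac
}

# Parse perf stat output (raw 0xc8/0xc9 events or the ex_ret_near_ret
# mnemonics) and print the integer percentage of retired RETs that were
# mispredicted; -1 when no retired-RET line was found.
srso_ret_mispredict_pct() {
    printf '%s\n' "$1" | awk '
        /event=0xc8/ || /ex_ret_near_ret:k/        { gsub(",", "", $1); retired = $1 }
        /event=0xc9/ || /ex_ret_near_ret_mispred:k/ { gsub(",", "", $1); mispred = $1 }
        END {
            if (retired == 0) { print -1; exit }
            printf "%d\n", (mispred * 100) / retired
        }'
}

# Verdict: the page says every RET should be mispredicted with safe RET on;
# the 95% cut-off is an assumed tolerance for counter skew.
srso_safe_ret_verdict() {
    pct=$(srso_ret_mispredict_pct "$1")
    if [ "$pct" -lt 0 ]; then echo no-data
    elif [ "$pct" -ge 95 ]; then echo safe-ret-active
    else echo safe-ret-inactive
    fi
}

# Constructed perf outputs (not captured on a real machine), shaped like
# the two runs in the document: mitigation on, then mitigation off.
SAMPLE_MITIGATED='
 Performance counter stats for sleep 10s:

           137,167      cpu/event=0xc8,umask=0/k
           137,173      cpu/event=0xc9,umask=0/k

      10.004110303 seconds time elapsed
'
SAMPLE_OFF='
 Performance counter stats for sleep 10s:

           201,627      cpu/event=0xc8,umask=0/k
             4,074      cpu/event=0xc9,umask=0/k

      10.003267252 seconds time elapsed
'

main() {
    if [ -r "$SRSO_SYSFS" ]; then
        status=$(cat "$SRSO_SYSFS")
        echo "sysfs: '$status' -> $(srso_classify "$status")"
    else
        echo "sysfs: $SRSO_SYSFS not readable (not Linux/x86 or no permission)"
    fi

    # Live measurement needs perf and kernel-mode counter access (root here).
    if command -v perf >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        out=$(perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s 2>&1)
        echo "perf: $(srso_ret_mispredict_pct "$out")% of kernel RETs mispredicted -> $(srso_safe_ret_verdict "$out")"
    else
        echo "perf: no live run; evaluating the constructed samples instead"
        echo "sample (mitigated): $(srso_safe_ret_verdict "$SAMPLE_MITIGATED")"
        echo "sample (off):       $(srso_safe_ret_verdict "$SAMPLE_OFF")"
    fi
}

main "$@"
```

On a host with the mitigation active, the live run should report close to 100% mispredicted kernel RETs, matching the first perf output above; a few percent, as in the second output, means the safe RET thunk is not doing its job (for example spec_rstack_overflow=off) and the sysfs string should be checked against the kernel command line.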