
Linux Prepares New Spectre BHI Mitigation Option For Cloud Environments

([Linux Security] 4 Hours Ago spectre_bhi=vmexit)


For the Branch History Injection variant of Spectre ( [1]Spectre BHI ), there is a patch pending to add a new mitigation option for this two-year-old CPU security vulnerability.

Spectre BHI/BHB can leak arbitrary kernel memory on modern Intel CPUs and was disclosed back in 2022 by [2]VUSec . The Linux kernel has supported enabling the hardware mitigation where available, and software fallback mitigations otherwise, for Spectre BHI to protect both system calls and virtual machines. Via the "spectre_bhi=" boot argument, administrators can enable or disable the Spectre BHI mitigation.

What's coming now to the Linux kernel is support for the "spectre_bhi=vmexit" option. The new vmexit option protects only the VM exit path on systems that need software-based mitigations. To avoid the performance cost of software-mitigating system calls, this new option is intended for cloud environments on older processors that only need to fend off VM-originated Spectre BHI attacks. System calls are left vulnerable, but in cloud/virtualized environments the host is at least protected against attacks from inside the virtual machines.

Thus spectre_bhi=vmexit is a lower-cost mitigation for cloud environments with untrusted VMs, without going full bore with spectre_bhi=on.

This new Spectre BHI mitigation option can be found in [3]TIP.git's x86/bugs branch ahead of the upcoming Linux 6.11 merge window.
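To verify what a host actually ended up with after booting with this option, the following added shell helpers (not from the article or the kernel patch) extract the spectre_bhi= value from the kernel command line and classify the BHI portion of the spectre_v2 sysfs report into the syscall-side and VM-exit-side state. The "BHI: ..." strings are assumed to follow the format the kernel's spectre_v2 report has used since 6.9; the sample command line and report line are constructed.

```shell
# Added example: report the Spectre BHI mitigation state a booted host ended up with.
# Assumption: the "BHI: ..." suffix follows the kernel's spectre_v2 sysfs format (6.9+).

# Extract the spectre_bhi= value from a kernel command line string.
# Prints "unset" when the option is absent; the last occurrence wins.
cmdline_bhi_option() {
    val="unset"
    for tok in $1; do
        case "$tok" in
            spectre_bhi=*) val="${tok#spectre_bhi=}" ;;
        esac
    done
    echo "$val"
}

# Classify the BHI part of one spectre_v2 report line into the state of the syscall
# path and of the VM-exit path; spectre_bhi=vmexit yields "BHI: Vulnerable, KVM: SW loop".
bhi_status() {
    case "$1" in
        *"BHI: Not affected"*)              echo "syscall=not-affected vmexit=not-affected" ;;
        *"BHI: BHI_DIS_S"*)                 echo "syscall=hardware vmexit=hardware" ;;
        *"BHI: SW loop, KVM: SW loop"*)     echo "syscall=software vmexit=software" ;;
        *"BHI: Retpoline"*)                 echo "syscall=retpoline vmexit=retpoline" ;;
        *"BHI: Vulnerable, KVM: SW loop"*)  echo "syscall=vulnerable vmexit=software" ;;
        *"BHI: Vulnerable"*)                echo "syscall=vulnerable vmexit=vulnerable" ;;
        *)                                  echo "syscall=unknown vmexit=unknown" ;;
    esac
}

# Read the live host; returns 1 (without aborting) when the sysfs entry is absent.
check_live() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ ! -r "$f" ]; then
        echo "no spectre_v2 entry under sysfs"
        return 1
    fi
    echo "cmdline: spectre_bhi=$(cmdline_bhi_option "$(cat /proc/cmdline)")"
    echo "sysfs:   $(bhi_status "$(cat "$f")")"
}

# Constructed sample: a host booted with spectre_bhi=vmexit on a CPU needing the SW loop.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 spectre_bhi=vmexit quiet'
SAMPLE_SYSFS='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable, KVM: SW loop'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "sample cmdline option: $(cmdline_bhi_option "$SAMPLE_CMDLINE")"
    echo "sample sysfs state:    $(bhi_status "$SAMPLE_SYSFS")"
fi
```

Run with `--live` on the host to read /proc/cmdline and sysfs instead of the constructed sample.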



[1] https://www.phoronix.com/search/Spectre%20BHI

[2] https://www.vusec.net/projects/bhi-spectre-bhb/

[3] https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=42c141fbb651b64db492aab35bc1d96eb4c20261


