Linux 6.15 Lands Patches To Further Clean Up Its Spectre RSB Mitigations
([Linux Security] 3 Hours Ago
Return Stack Buffer)
- Reference: 0001539889
- News link: https://www.phoronix.com/news/Linux-6.15-x86-Fixes-RSB
- Source link:
Merged today was this week's batch of x86 fixes ahead of the Linux 6.15-rc2 release on Sunday. Notable with these x86 fixes are landing several patches to fix and clean-up the Spectre Return Stack Buffer "RSB" mitigation handling as well as introducing a new document to clarify the overall state and current mitigations.
For the past few months Josh Poimboeuf of Red Hat has been working on cleaning up the existing RSB mitigation handling within the Linux kernel for Intel and AMD CPUs along with introducing a document to better sum up the conditions and handling for the Return Stack Buffer treatment on AMD and Intel processors.
The fixes include a fix for RSB clearing within the indirect_branch_prediction_barrier() call, not filling the RSB on VMEXIT when using eIBRS and Retpolines, not filling RSB on context switches when using eIBRS. [1]This patch series contains that most recent work on the RSB patches that were merged today via the x86/fixes pull.
[2]This Git view shows the new RSB mitigation documentation for those wondering about the current mitigation treatment under Linux.
"Since 2018 there have been many Spectre CVEs related to the Return Stack Buffer (RSB) (sometimes referred to as the Return Address Stack (RAS) or Return Address Predictor (RAP) on AMD).
Information about these CVEs and how to mitigate them is scattered amongst a myriad of microarchitecture-specific documents.
This document attempts to consolidate all the relevant information in once place and clarify the reasoning behind the current RSB-related mitigations. It's meant to be as concise as possible, focused only on the current kernel mitigations: what are the RSB-related attack vectors and how are they currently being mitigated?
It's *not* meant to describe how the RSB mechanism operates or how the exploits work.
...
Rather, this is basically a glorified comment, but too long to actually be one. So when the next CVE comes along, a kernel developer can quickly refer to this as a refresher to see what we're actually doing and why.
At a high level, there are two classes of RSB attacks: RSB poisoning (Intel and AMD) and RSB underflow (Intel only). They must each be considered individually for each attack vector (and microarchitecture where applicable)."
With [3]this Git merge these x86 RSB bug fixes and documentation is now present in Linux Git ahead of this weekend's Linux 6.15-rc2. The other x86 fixes this week are mostly the small random fixes.
[1] https://lkml.iu.edu/hypermail/linux/kernel/2504.1/01924.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/rsb.rst?id=3c9de67dd37029cca1d0f391ff565b3809b40a1f
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c9de67dd37029cca1d0f391ff565b3809b40a1f
For the past few months Josh Poimboeuf of Red Hat has been working on cleaning up the existing RSB mitigation handling within the Linux kernel for Intel and AMD CPUs along with introducing a document to better sum up the conditions and handling for the Return Stack Buffer treatment on AMD and Intel processors.
The fixes include a fix for RSB clearing within the indirect_branch_prediction_barrier() call, not filling the RSB on VMEXIT when using eIBRS and Retpolines, not filling RSB on context switches when using eIBRS. [1]This patch series contains that most recent work on the RSB patches that were merged today via the x86/fixes pull.
[2]This Git view shows the new RSB mitigation documentation for those wondering about the current mitigation treatment under Linux.
"Since 2018 there have been many Spectre CVEs related to the Return Stack Buffer (RSB) (sometimes referred to as the Return Address Stack (RAS) or Return Address Predictor (RAP) on AMD).
Information about these CVEs and how to mitigate them is scattered amongst a myriad of microarchitecture-specific documents.
This document attempts to consolidate all the relevant information in once place and clarify the reasoning behind the current RSB-related mitigations. It's meant to be as concise as possible, focused only on the current kernel mitigations: what are the RSB-related attack vectors and how are they currently being mitigated?
It's *not* meant to describe how the RSB mechanism operates or how the exploits work.
...
Rather, this is basically a glorified comment, but too long to actually be one. So when the next CVE comes along, a kernel developer can quickly refer to this as a refresher to see what we're actually doing and why.
At a high level, there are two classes of RSB attacks: RSB poisoning (Intel and AMD) and RSB underflow (Intel only). They must each be considered individually for each attack vector (and microarchitecture where applicable)."
With [3]this Git merge these x86 RSB bug fixes and documentation is now present in Linux Git ahead of this weekend's Linux 6.15-rc2. The other x86 fixes this week are mostly the small random fixes.
[1] https://lkml.iu.edu/hypermail/linux/kernel/2504.1/01924.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/rsb.rst?id=3c9de67dd37029cca1d0f391ff565b3809b40a1f
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c9de67dd37029cca1d0f391ff565b3809b40a1f
phoronix