Bug #14575
closed
AMD-specific retpolines shouldn't be used for spectre v2
% Done: 100%
Difficulty: Medium
Description
AMD has recently announced that one should not use the AMD, lfence optimized retpoline format any longer. They turn out to be just as vulnerable. AMD's security advisory is here: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036. Given that they still don't have EIBRS, I have opted to remove the selection of AMD optimized retpolines from the spectre v2 mitigations selection, but have left the stubs there in case something changes in the future.
Updated by Robert Mustacchi 3 months ago
- Subject changed from disable use of AMD retpolines to AMD-specific retpolines shouldn't be used for spectre v2
Updated by Robert Mustacchi 2 months ago
To test this I've booted debug and non-debug bits on an AMD system and used it for a while. I verified that the retpolines in question are the full ones. For example:
rm@beowulf:~$ pfexec mdb -k
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc apix scsi_vhci zfs sata ip hook neti sockfs arp usba xhci stmf stmf_sbd mm lofs cpc ufs logindmux ptm nfs ]
> __x86_indirect_thunk_rax::dis
__x86_indirect_thunk_rax:       call   +0x7     <__x86_indirect_thunk_rax+0xc>
__x86_indirect_thunk_rax+5:     pause
__x86_indirect_thunk_rax+7:     lfence
__x86_indirect_thunk_rax+0xa:   jmp    -0x7     <__x86_indirect_thunk_rax+5>
__x86_indirect_thunk_rax+0xc:   movq   %rax,(%rsp)
__x86_indirect_thunk_rax+0x10:  ret
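The check described in the comment above can be scripted; the following is an added example, not part of the ticket or the illumos source. It parses `::dis` output and confirms the thunk is the full retpoline (call over a pause/lfence trap loop, then `movq`/`ret`). The lfence-then-indirect-jmp sample is constructed for contrast, its mdb rendering is an assumption, and the function names are hypothetical.

```python
import re

SYM = "__x86_indirect_thunk_rax"
# mdb ::dis output quoted in the ticket (full retpoline)
FULL_SAMPLE = """\
__x86_indirect_thunk_rax:       call   +0x7     <__x86_indirect_thunk_rax+0xc>
__x86_indirect_thunk_rax+5:     pause
__x86_indirect_thunk_rax+7:     lfence
__x86_indirect_thunk_rax+0xa:   jmp    -0x7     <__x86_indirect_thunk_rax+5>
__x86_indirect_thunk_rax+0xc:   movq   %rax,(%rsp)
__x86_indirect_thunk_rax+0x10:  ret
"""
# Constructed sample (assumed rendering) of the lfence-optimized form
AMD_SAMPLE = """\
__x86_indirect_thunk_rax:       lfence
__x86_indirect_thunk_rax+3:     jmp    *%rax
"""
# "symbol[+off]:  mnemonic  operands", and the "<symbol+off>" branch target
DIS = re.compile(r"^(\S+?)(?:\+(0x[0-9a-f]+|\d+))?:\s+(\S+)\s*(.*)$")
TARGET = re.compile(r"<\S+?\+(0x[0-9a-f]+|\d+)>")

def parse_dis(text, symbol):
    """Return [(offset, mnemonic, operands)] for lines belonging to symbol."""
    out = []
    for line in text.splitlines():
        m = DIS.match(line.strip())
        if m and m.group(1) == symbol:
            out.append((int(m.group(2) or "0", 0), m.group(3), m.group(4)))
    return out

def branch_target(operands):
    m = TARGET.search(operands)
    return int(m.group(1), 0) if m else None

def classify_thunk(text, symbol):
    insns = parse_dis(text, symbol)
    ops = [mn for _, mn, _ in insns]
    if ops == ["call", "pause", "lfence", "jmp", "movq", "ret"]:
        off = {mn: o for o, mn, _ in insns}
        # call must skip the trap and land on movq; jmp must loop back to pause
        if (branch_target(insns[0][2]) == off["movq"]
                and branch_target(insns[3][2]) == off["pause"]):
            return "full"
    if ops == ["lfence", "jmp"] and insns[1][2].startswith("*"):
        return "amd-lfence"
    return "unknown"
```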
Updated by Electric Monk 2 months ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 9514ab446512446bdb11f38ddcd2b71404b155a1
commit 9514ab446512446bdb11f38ddcd2b71404b155a1
Author: Robert Mustacchi <rm@fingolfin.org>
Date: 2022-05-06T02:46:52.000Z

    14575 AMD-specific retpolines shouldn't be used for spectre v2
    Reviewed by: Rich Lowe <richlowe@richlowe.net>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Dan McDonald <danmcd@mnx.io>