From: Andi Kleen
To: tglx@linuxtronix.de
Cc: torvalds@linux-foundation.org, gregkh@linux-foundation.org, dwmw@amazon.co.uk, tim.c.chen@linux.intel.com, linux-kernel@vger.kernel.org, dave.hansen@intel.com
Subject: Avoid speculative indirect calls in kernel
Date: Wed, 3 Jan 2018 15:09:23 -0800
Message-Id: <20180103230934.15788-1-andi@firstfloor.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is a fix for Variant 2 in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Any speculative indirect calls in the kernel can be tricked to execute any
kernel code, which may allow side channel attacks that can leak arbitrary
kernel data.

So we want to avoid speculative indirect calls in the kernel.

There's a special code sequence called a retpoline that can do indirect
calls without speculation. We use a new compiler option
-mindirect-branch=thunk-extern (gcc patch will be released separately) to
recompile the kernel with this new sequence.

We also patch all the assembler code in the kernel to use the new sequence.

The patches were originally from David Woodhouse and Tim Chen, but then
reworked and enhanced by me.

No performance numbers at this point. 32-bit is only boot tested.

Git tree available in
git://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-misc spec/retpoline-415-1

v1: Initial post.
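The retpoline sequence the cover letter refers to, written out as an added example; this is not code from Andi's series or from the gcc patch. The thunk below is the shape gcc -mindirect-branch=thunk-extern expects behind the __x86_indirect_thunk_<reg> symbols it emits calls to, but the example_ names, the op_table dispatch, and the sample inputs are mine. It builds and runs on x86-64 ELF targets; elsewhere it falls back to a plain indirect call so the program still runs.

```c
/*
 * Added example (not from the patch series): a hand-written retpoline thunk
 * for %rax and a call site that uses it instead of 'call *%rax'.
 * The example_ names, op_table and sample inputs are assumptions for this
 * illustration; the kernel's thunks are named __x86_indirect_thunk_<reg>.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*op_fn)(uint64_t, uint64_t);

static uint64_t op_add(uint64_t a, uint64_t b) { return a + b; }
static uint64_t op_xor(uint64_t a, uint64_t b) { return a ^ b; }

/* Constructed dispatch table: the kind of indirect-call target an attacker
 * would like the CPU to mispredict. */
static const op_fn op_table[] = { op_add, op_xor };

#if defined(__x86_64__) && defined(__ELF__)
/* example_call_indirect(fn, a, b): SysV ABI, so fn=%rdi, a=%rsi, b=%rdx.
 * It loads the target into %rax and, instead of 'call *%rax', calls the
 * thunk. That is the rewrite -mindirect-branch=thunk-extern applies to
 * every compiler-generated indirect call.
 *
 * example_indirect_thunk_rax: 'call 1f' pushes a return address that points
 * at the pause/lfence loop and pushes the same address onto the return stack
 * buffer. Label 1 then overwrites that stack slot with the real target, so
 * the 'ret' architecturally transfers control to the target, while a
 * speculative 'ret' predicted from the RSB lands in the loop and never
 * reaches attacker-chosen code. */
__asm__(
    ".text\n"
    ".globl example_call_indirect\n"
    ".type example_call_indirect, @function\n"
    "example_call_indirect:\n"
    "    mov %rdi, %rax\n"                 /* target address into %rax */
    "    mov %rsi, %rdi\n"                 /* shift a, b into callee arg regs */
    "    mov %rdx, %rsi\n"
    "    sub $8, %rsp\n"                   /* 16-byte align %rsp for the call */
    "    call example_indirect_thunk_rax\n"
    "    add $8, %rsp\n"
    "    ret\n"
    ".size example_call_indirect, .-example_call_indirect\n"
    "\n"
    ".type example_indirect_thunk_rax, @function\n"
    "example_indirect_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"                          /* speculation trap: never left */
    "    lfence\n"                         /*   architecturally */
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"               /* replace return addr with target */
    "    ret\n"
    ".size example_indirect_thunk_rax, .-example_indirect_thunk_rax\n"
);
uint64_t example_call_indirect(op_fn fn, uint64_t a, uint64_t b);
#else
/* Other targets: plain indirect call with no retpoline, kept only so the
 * example runs everywhere. */
static uint64_t example_call_indirect(op_fn fn, uint64_t a, uint64_t b)
{
    return fn(a, b);
}
#endif

/* Dispatch an operation by index through the retpolined call path. The
 * bounds check is a separate concern (Variant 1) but any table dispatch
 * needs it. Returns 0 for an out-of-range index. */
uint64_t dispatch_op(unsigned which, uint64_t a, uint64_t b)
{
    if (which >= sizeof op_table / sizeof op_table[0])
        return 0;
    return example_call_indirect(op_table[which], a, b);
}

int main(void)
{
    printf("add: %llu\n", (unsigned long long)dispatch_op(0, 2, 3));
    printf("xor: %#llx\n", (unsigned long long)dispatch_op(1, 0xff, 0x0f));
    return 0;
}
```

Compile with `cc -O2 retpoline_example.c` and disassemble with `objdump -d` to see that the only indirect transfer left is the `ret` inside the thunk. One caveat worth knowing when reviewing the series: the construction relies on the `ret` being predicted from the return stack buffer; on CPUs where an empty RSB falls back to the indirect branch predictor, the retpoline alone does not close the hole and has to be paired with refilling the RSB on context switch and kernel entry.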