> On Sat, Jan 20, 2018 at 08:22:55PM +0100, KarimAllah Ahmed wrote:
>> From: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
>>
>> Flush indirect branches when switching into a process that marked
>> itself non dumpable. This protects high value processes like gpg
>> better, without having too high performance overhead.
>
> So if I understand it right, this is only needed if the 'other'
> executable itself is susceptible to spectre. If say someone audited gpg
> for spectre-v1 and built it with retpoline, it would be safe to not
> issue the IBPB, right?

Spectre V2 not v1. V1 is separate.

For V2 retpoline is enough... as long as all the libraries have it too.

> So would it make sense to provide an ELF flag / personality thing such
> that userspace can indicate its spectre-safe?

Yes, Arjan and I were pondering that yesterday; it probably does make
sense. Also for allowing a return to userspace after vmexit, if the
army process itself is so marked.

> I realize that this is all future work, because so far auditing for v1
> is a lot of pain (we need better tools), but would it be something that
> makes sense in the longer term?

It's *only* retpoline so it isn't actually that much. Although I'm wary
of Cc'ing HJ on such thoughts because he seems to never sleep and always
respond promptly with "OK I did that... " :)

If we did systematically do this in userspace we'd probably want to do
external thunks there too, and a flag in the auxvec to tell it not to
bother (for IBRS_ALL etc.).

-- 
dwmw2