On Sun, Jan 21, 2018 at 4:04 AM, David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
>> On Sat, Jan 20, 2018 at 08:22:55PM +0100, KarimAllah Ahmed wrote:
>>> From: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
>>>
>>> Flush indirect branches when switching into a process that marked
>>> itself non dumpable. This protects high value processes like gpg
>>> better, without having too high performance overhead.
>>
>> So if I understand it right, this is only needed if the 'other'
>> executable itself is susceptible to spectre. If say someone audited gpg
>> for spectre-v1 and built it with retpoline, it would be safe to not
>> issue the IBPB, right?
>
>
> Spectre V2 not v1. V1 is separate.
> For V2 retpoline is enough... as long as all the libraries have it too.
>
>> So would it make sense to provide an ELF flag / personality thing such
>> that userspace can indicate it's spectre-safe?
>
> Yes, Arjan and I were pondering that yesterday; it probably does make
> sense. Also for allowing a return to userspace after vmexit, if the army
> process itself is so marked.

Please take a look at how CET is handled in program property in x86-64
psABI for CET:

https://github.com/hjl-tools/x86-psABI/wiki/x86-64-psABI-cet.pdf

--
H.J.
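As an added illustration of the program-property mechanism H.J. points at (this is not code from the thread or from the psABI), the following parses a `.note.gnu.property` note and extracts the `GNU_PROPERTY_X86_FEATURE_1_AND` bitmask that carries the CET bits; the `merge_feature_masks` helper shows the AND semantics that make such a bit trustworthy only when every linked object sets it, which is the same "as long as all the libraries have it too" condition David raises for retpoline. The note bytes are constructed inline as sample input; the alignment and constant values are those of the x86-64 ELF property note format.

```python
import struct
from functools import reduce
from typing import Optional

NT_GNU_PROPERTY_TYPE_0 = 5                  # note type used by .note.gnu.property
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0     # indirect branch tracking
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1   # shadow stack
PR_ALIGN = 8                                # property data alignment on ELF64

def _pad(b: bytes, align: int) -> bytes:
    return b + b"\0" * (-len(b) % align)

def build_property_note(features: int) -> bytes:
    """Construct (sample input, not read from a real binary) a property note
    carrying a single X86_FEATURE_1_AND property with the given bitmask."""
    prop = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, 4)
    prop += _pad(struct.pack("<I", features), PR_ALIGN)
    name = b"GNU\0"
    hdr = struct.pack("<III", len(name), len(prop), NT_GNU_PROPERTY_TYPE_0)
    return hdr + _pad(name, 4) + prop

def x86_feature_1_and(note: bytes) -> Optional[int]:
    """Return the X86_FEATURE_1_AND bitmask from one note, or None if absent.
    Truncated input raises instead of silently yielding a partial mask."""
    if len(note) < 12:
        raise ValueError("short note header")
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    off = 12
    name = note[off:off + namesz]
    off += -(-namesz // 4) * 4            # name is padded to 4 bytes
    end = off + descsz
    if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
        return None
    if end > len(note):
        raise ValueError("truncated descriptor")
    mask = None
    while off + 8 <= end:                 # walk the property array
        pr_type, pr_datasz = struct.unpack_from("<II", note, off)
        off += 8
        if off + pr_datasz > end:
            raise ValueError("truncated property")
        if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND:
            if pr_datasz != 4:
                raise ValueError("bad X86_FEATURE_1_AND size")
            mask = struct.unpack_from("<I", note, off)[0]
        off += -(-pr_datasz // PR_ALIGN) * PR_ALIGN
    return mask

def merge_feature_masks(masks) -> int:
    """AND semantics: a bit survives only if every input object sets it."""
    return reduce(lambda a, b: a & b, masks, 0xFFFFFFFF)
```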