On Wed, Sep 30, 2020 at 07:08:58AM -0700, Dave Hansen wrote: > On 9/30/20 7:01 AM, Jarkko Sakkinen wrote: > > The user handler, which can be optionally used to handle enclave > > exceptions, is always the same global handler provided by the SGX > > runtime, who wants to use such a handler instead returning on exception. > > > > Thus, there is no any non-deterministic branch prediction happening. > > The code path is always the same and never change. Obviously, you could > > change it all the time purposely but for any sane real-world use that > > would not make any sense. > > The fundamental problem mitigated by retpolines is that indirect branch > instructions themselves are non-deterministic (speculatively). > > This: > > > + call *%rax > > is an indirect branch instruction. That leaves me a bit confused since > the changelog doesn't really match the code. > > Do we care about mitigating Spectre-v2-style attacks for the VDSO's > indirect calls? It is yes, my wording was just extremely bad. What I meant to say is that there is branch prediction happening but it is, given how runtime will use the handler, leading always unconditionally to the same destination. I asked does this have any bad mitigations yesterday: https://lkml.org/lkml/2020/9/29/2505 I'm not expert on Spectre, or any sort of security researcher, but I've read a few papers about and understand the general concept. With the constraints how the callback is used in practice, I'd *guess* it is fine to drop retpoline but I really need some feedback on this from people who understand these attacks better. I'll submit a patch with boot time patching (aka using ALTERNATE) if this does not get the buy-in. Just have to evaluate the both options before making any decisions. /Jarkko
