On Tue, 2022-10-25 at 12:38 -0700, Pawan Gupta wrote:
> 
> > And how is sprinkling random LFENCEs around better than running with
> > spectre_v2=eibrs,retpoline which is the current recommended mitigation
> > against all this IIRC (or even eibrs,lfence for lesser values of
> > paranoia).
> 
> It's a trade-off between performance and spot fixing (hopefully handful
> of) gadgets. Even the gadget in question here is not demonstrated to be
> exploitable. If this scenario changes, polluting the kernel all over is
> definitely not the right approach.
> 

Btw, now I'm wondering - you were detecting these with the compiler
based something, could there be a compiler pass to insert appropriate
things, perhaps as a gcc plugin or something?

Now honestly I have no idea if it's feasible, but since you're detecting
it that way, and presumably then we'd have to maintain the detection and
run it regularly to make sure that (a) things didn't bitrot and the
gadget is still there, and (b) no new places show up ... perhaps the
better way would be to combine both?

johannes