
As far as I can tell, one bit of news to me at least in this Intel whitepaper from today is that the microcode update to mitigate “variant #2” would be needed for Broadwell+, rather than the Skylake+ that had been stated yesterday on LKML. From Intel's PDF today:

"For Intel® Core™ processors of the Broadwell generation and later, this retpoline mitigation strategy also requires a microcode update to be applied for the mitigation to be fully effective."

vs. at least what I had seen on LKML list yesterday seemed to indicate Skylake+.

Sample snippet from LKML[1]:

"The x86 IBRS feature requires corresponding microcode support. It mitigates the variant 2 vulnerability..."

and related sample snippet from LKML[2]:

"On Skylake the target for a 'ret' instruction may also come from the BTB. So if you ever let the RSB (which remembers where the 'call's came from) get empty, you end up vulnerable.

Other than the obvious call stack of more than 16 calls in depth, there's also a big list of other things which can empty the RSB, including an SMI.

Which basically makes retpoline on Skylake+ very hard to use reliably. The plan is to use IBRS there and not retpoline."

I'll confess I'm not 100% following all the ins and outs of this, but can anyone comment on any additional details regarding the Skylake+ vs. Broadwell+, and/or confirm if there was seemingly a change?

[1] https://lkml.org/lkml/2018/1/4/615

[2] https://lkml.org/lkml/2018/1/4/708



Presumably they've found a way to make retpoline work on Broadwell using a microcode update, which is probably better than the alternative of adding a very expensive kludged way of clearing the indirect branch cache in a microcode update.



