On Fri, 2018-01-05 at 03:52 -0800, Paul Turner wrote:
> These are also mitigatable; the retpoline sequence itself will never
> result in an RSB underflow.

Unless an event occurs which clears the RSB between the CALL and the RET
of the retpoline.

> So long as the underlying binary satisfies the precondition that it
> will not underflow its own RSB.
>
> Then if we subsequently guarantee never to _reduce_ the number of
> entries in its RSB at any point remote to its own execution, then the
> precondition is preserved and underflow will not occur.

The problem is that underflow can occur not only on a retpoline, but also
on *any* bare ret. Unless we want to do something evil like turning them
all into a sequence of 'call $+1; sub $8, %rsp; ret' and narrowing the
race window for that 'external event' to be negligible.

On the whole, since IBRS doesn't perform as badly on Skylake+ as it does
on earlier CPUs, it makes more sense just to use IBRS on Skylake+. Unless
we *only* have retpoline, of course, in which case we use that.
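The argument above turns on how CALL and RET change the depth of the Return Stack Buffer. The following simulation is an added illustration, not code from this thread or from the kernel: it models the RSB as a fixed-depth counter (depth 16 is an assumption, as is the saturating behaviour on overflow) and replays three instruction patterns against it: a retpoline thunk (CALL, then the RET that consumes the pushed entry), a bare RET, and the 'call $+1; sub $8, %rsp; ret' refill sequence. An OP_CLEAR op stands in for the "event which clears the RSB" so the race window can be placed explicitly between a CALL and its RET.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a Return Stack Buffer: a fixed-depth stack of predicted
 * return targets.  Depth and overflow behaviour are assumptions for this
 * illustration, not a description of any particular CPU. */
#define RSB_DEPTH 16

struct rsb {
    unsigned count;      /* valid entries, 0..RSB_DEPTH */
    unsigned underflows; /* RETs that found the RSB empty */
};

/* CALL pushes a return address; when full, the oldest entry is lost. */
static void rsb_call(struct rsb *r) { if (r->count < RSB_DEPTH) r->count++; }

/* RET consumes one entry.  An empty RSB is the underflow case the thread
 * discusses: the return prediction then comes from elsewhere, which is what
 * the mitigation is trying to avoid.  Returns true on underflow. */
static bool rsb_ret(struct rsb *r) {
    if (r->count == 0) { r->underflows++; return true; }
    r->count--;
    return false;
}

/* An external event (the "clear" in the discussion) that empties the RSB. */
static void rsb_clear(struct rsb *r) { r->count = 0; }

enum op { OP_CALL, OP_RET, OP_CLEAR };

/* Replay an op sequence against an RSB holding `initial` entries and report
 * how many RETs underflowed. */
static unsigned simulate(const enum op *ops, size_t n, unsigned initial) {
    struct rsb r = { .count = initial, .underflows = 0 };
    for (size_t i = 0; i < n; i++) {
        switch (ops[i]) {
        case OP_CALL:  rsb_call(&r);  break;
        case OP_RET:   rsb_ret(&r);   break;
        case OP_CLEAR: rsb_clear(&r); break;
        }
    }
    return r.underflows;
}

/* Retpoline thunk: CALL into the capture loop, then the RET that pops the
 * entry the CALL pushed.  Net RSB depth change is zero, so it underflows only
 * if a clearing event lands between the CALL and the RET. */
static unsigned retpoline_underflows(unsigned initial, bool clear_between) {
    enum op with_clear[] = { OP_CALL, OP_CLEAR, OP_RET };
    enum op plain[]      = { OP_CALL, OP_RET };
    return clear_between ? simulate(with_clear, 3, initial)
                         : simulate(plain, 2, initial);
}

/* An ordinary function return: one bare RET with no preceding refill. */
static unsigned bare_ret_underflows(unsigned initial) {
    enum op ops[] = { OP_RET };
    return simulate(ops, 1, initial);
}

/* The 'call $+1; sub $8, %rsp; ret' idea: CALL refills one entry right before
 * the RET (the sub only repairs the architectural stack, it does not touch
 * the RSB), so the RET cannot underflow unless the clear hits that window. */
static unsigned refilled_ret_underflows(unsigned initial, bool clear_between) {
    enum op with_clear[] = { OP_CALL, OP_CLEAR, OP_RET };
    enum op plain[]      = { OP_CALL, OP_RET };
    return clear_between ? simulate(with_clear, 3, initial)
                         : simulate(plain, 2, initial);
}

/* A chain of `depth` bare RETs after a clearing event: every one underflows,
 * which is why bare RETs, not just retpolines, are the problem. */
static unsigned return_chain_underflows(unsigned calls_before, unsigned depth) {
    enum op ops[2 * RSB_DEPTH + 1];
    size_t n = 0;
    for (unsigned i = 0; i < calls_before && n < RSB_DEPTH; i++) ops[n++] = OP_CALL;
    ops[n++] = OP_CLEAR;
    for (unsigned i = 0; i < depth && n < sizeof ops / sizeof ops[0]; i++) ops[n++] = OP_RET;
    return simulate(ops, n, 0);
}

int main(void) {
    printf("retpoline, no clear:       %u underflows\n", retpoline_underflows(0, false));
    printf("retpoline, clear in window: %u underflows\n", retpoline_underflows(0, true));
    printf("bare ret on empty RSB:     %u underflows\n", bare_ret_underflows(0));
    printf("refilled ret, no clear:    %u underflows\n", refilled_ret_underflows(0, false));
    printf("8 bare rets after clear:   %u underflows\n", return_chain_underflows(16, 8));
    return 0;
}
```

The model shows the asymmetry the reply is pointing at: a retpoline is self-balancing and only exposed during its own CALL-to-RET window, whereas a bare RET depends entirely on entries pushed earlier, so any clearing event in between turns every subsequent return in the chain into an underflow.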