xref: /linux/Documentation/admin-guide/hw-vuln/spectre.rst

6 Spectre is a class of side channel attacks that exploit branch prediction
18 use branch prediction and speculative execution.
55 buffers, and branch predictors. Malicious software may be able to
70 of speculative execution that bypasses conditional branch instructions
92 The branch target injection attack takes advantage of speculative
94 branch predictors inside the processor used to guess the target of
103 branches in the victim to gadget code by poisoning the branch target
104 buffer of a CPU used for predicting indirect branch addresses. Such
106 with the address offset of the indirect branch under the attacker's
107 control. Since the branch prediction on impacted hardware does not
108 fully disambiguate branch address and uses the offset for prediction,
109 this could cause privileged code's indirect branch to jump to a gadget
127 from the sibling thread, as level 1 cache and branch target buffer
130 steer its indirect branch speculations to gadget code, and measure the
150    is invalid, but bound checks are bypassed in the code branch taken
161    An attacker can train the branch predictor to speculatively skip the
191    A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
193    After entering the kernel, the kernel could use the poisoned branch
202    The kernel can protect itself against consuming poisoned branch
232    :ref:`poisoning <poison_btb>` the branch target buffer.  This can
233    influence the indirect branch targets for a victim process that either
238    by using the prctl() syscall to disable indirect branch speculation
240    from polluting the branch target buffer by disabling the process's
241    indirect branch speculation. This comes with a performance cost
242    from not using indirect branch speculation and clearing the branch
244    indirect branch speculation disabled, Single Threaded Indirect Branch
246    sibling thread from controlling branch target buffer.  In addition,
248    branch target buffer when context switching to and from such process.
251    This prevents the branch target buffer from being used for branch
273    <poison_btb>` the branch target buffer or return stack buffer, causing
277    for indirect branches to bypass the poisoned branch target buffer,
282    indirect branch speculation disabled via prctl().  The branch target
298    :ref:`poisoning <poison_btb>` the branch target buffer or the return
304    and clearing the branch target buffer before switching to a new guest.
308    by turning off the unsafe guest's indirect branch speculation via
382   - Indirect branch prediction barrier (IBPB) status for protection between
390   'IBPB: conditional'   Use IBPB on SECCOMP or indirect branch restricted tasks
393   - Single threaded indirect branch prediction (STIBP) status for protection
401   'STIBP: conditional'  Use STIBP on SECCOMP or indirect branch restricted tasks
450    -mindirect-branch=thunk-extern -mindirect-branch-register options.
467    On x86, indirect branch restricted speculation is turned on by default
483    This protects them from consuming poisoned entries in the branch
485    programs can disable their indirect branch speculation via prctl()
489    flush the branch target buffer when switching to/from the program.
491    Restricting indirect branch speculation on a user program will
497    Programs that disable their indirect branch speculation will have
515    poisoned entries in branch target buffer left by rogue guests.  It also
517    stack buffer underflow so poisoned branch target buffer could be used,
521    the branch target buffer is sanitized by flushing before switching
528    its indirect branch speculation disabled by administrator via prctl().
550 		(indirect branch prediction) vulnerability. System may
558 		(indirect branch speculation) vulnerability.
619    disabling indirect branch speculation when the program is running
626    off by disabling their indirect branch speculation when they are run
628    This prevents untrusted programs from polluting the branch target
639    overhead as indirect branch speculations for all programs will be
642    On x86, branch target buffer will be flushed with IBPB when switching
648    whose indirect branch speculation is explicitly disabled,
650    program to clear the branch target buffer (See "ibpb" option in
670 … Retpoline: A branch target injection mitigation <https://software.intel.com/security-software-gui…
674 …ntel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors>`_.
680 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
700 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…

Last Index update Sat Jun 03 09:59:21 CST 2023