Lines Matching +full:com +full:- +full:mode
1 .. SPDX-License-Identifier: GPL-2.0
4 RSB-related mitigations
8 Please keep this document up-to-date, otherwise you will be
17 amongst a myriad of microarchitecture-specific documents.
20 one place and clarify the reasoning behind the current RSB-related
22 the current kernel mitigations: what are the RSB-related attack vectors
39 ----
47 RSB poisoning is a technique used by SpectreRSB [#spectre-rsb]_ where
49 to speculate to an attacker-controlled address. This can happen when
54 [#intel-rsb-filling]_ [#amd-rsb-filling]_ when transitioning between
64 * On context switch, the user->user mitigation requires ensuring the
65 RSB gets filled or cleared whenever IBPB gets written [#cond-ibpb]_
69 On Zen 4+, IBPB (or SBPB [#amd-sbpb]_ if used) clears the RSB.
70 This is indicated by IBPB_RET in CPUID [#amd-ibpb-rsb]_.
72 On Zen < 4, the RSB filling sequence [#amd-rsb-filling]_ must be
73 always be done in addition to IBPB [#amd-ibpb-no-rsb]_. This is
83 predicted targets may come from the RSB." [#intel-ibpb-rsb]_
85 * On context switch, user->kernel attacks are prevented by SMEP. User
87 non-canonical addresses can't be inserted due to the page gap at the
96 V2-3 in [2]) and/or Supervisor Mode Execution Protection (SMEP)
99 Protection"." [#amd-smep-rsb]_
105 mode. Software can prevent this by enabling SMEP (for
106 transitions from user mode to supervisor mode) and by having
107 IA32_SPEC_CTRL.IBRS set during VM exits." [#intel-smep-rsb]_
109 * On VMEXIT, guest->host attacks are mitigated by eIBRS (and PBRSB
115 [#amd-eibrs-vmexit]_
121 mode. Software can prevent this by enabling SMEP (for
122 transitions from user mode to supervisor mode) and by having
128 at the time of the VM exit." [#intel-eibrs-vmexit]_
130 Note that some Intel CPUs are susceptible to Post-barrier Return
131 Stack Buffer Predictions (PBRSB) [#intel-pbrsb]_, where the last
139 variant [#retbleed-paper]_ [#amd-btc]_ or by Speculative Return Stack
140 Overflow [#amd-srso]_ (Inception [#inception-paper]_). The kernel
144 ----
152 Some Intel Skylake-generation CPUs are susceptible to the Intel variant
153 of RETBleed [#retbleed-paper]_ (Return Stack Buffer Underflow
154 [#intel-rsbu]_). If a RET is executed when the RSB buffer is empty due
158 user-controlled address.
164 * On context switch, user->user underflow attacks are mitigated by the
165 conditional IBPB [#cond-ibpb]_ on context switch which effectively
172 logical processor." [#intel-ibpb-btb]_
174 * On context switch and VMEXIT, user->kernel and guest->host RSB
181 [#intel-rsbu]_
183 However, note that eIBRS and IBRS do not mitigate intra-mode attacks.
204 [#intel-eibrs-rrsba]_
207 [#bhi-paper]_ [#intel-bhi]_, an RSB underflow could be used for an
208 intra-mode BTI attack. This is mitigated by clearing the BHB on
215 intra-mode BTI, and the processor both enumerates RRSBA and
217 [#intel-retpoline-rrsba]_
219 ----
224 .. [#spectre-rsb] `Spectre Returns! Speculation Attacks using the Return Stack Buffer <https://arxi…
226 …-rsb-filling] "Empty RSB Mitigation on Skylake-generation" in `Retpoline: A Branch Target Injectio…
228 …-rsb-filling] "Mitigation V2-3" in `Software Techniques for Managing Speculation <https://www.amd.…
230 …-ibpb] Whether IBPB is written depends on whether the prev and/or next task is protected from Spec…
232 .. [#amd-sbpb] IBPB without flushing of branch type predictions. Only exists for AMD.
234 …-ibpb-rsb] "Function 8000_0008h -- Processor Capacity Parameters and Extended Feature Identificati…
236 .. [#amd-ibpb-no-rsb] `Spectre Attacks: Exploiting Speculative Execution <https://comsec.ethz.ch/wp…
238 …-ibpb-rsb] "Introduction" in `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTE…
240 …-smep-rsb] "Existing Mitigations" in `Technical Guidance for Mitigating Branch Type Confusion <htt…
242 …-smep-rsb] "Enhanced IBRS" in `Indirect Branch Restricted Speculation <https://www.intel.com/conte…
244 …-eibrs-vmexit] "Extended Feature Enable Register (EFER)" in `AMD64 Architecture Programmer's Manua…
246 …-eibrs-vmexit] "Enhanced IBRS" in `Indirect Branch Restricted Speculation <https://www.intel.com/c…
248 …-pbrsb] `Post-barrier Return Stack Buffer Predictions / CVE-2022-26373 / INTEL-SA-00706 <https://w…
250 .. [#retbleed-paper] `RETBleed: Arbitrary Speculative Code Execution with Return Instruction <https…
252 …-btc] `Technical Guidance for Mitigating Branch Type Confusion <https://www.amd.com/content/dam/am…
254 …-srso] `Technical Update Regarding Speculative Return Stack Overflow <https://www.amd.com/content/…
256 .. [#inception-paper] `Inception: Exposing New Attack Surfaces with Training in Transient Execution…
258 …-rsbu] `Return Stack Buffer Underflow / Return Stack Buffer Underflow / CVE-2022-29901, CVE-2022-2…
260 …-ibpb-btb] `Indirect Branch Predictor Barrier' <https://www.intel.com/content/www/us/en/developer/…
262 …-eibrs-rrsba] "Guidance for RSBU" in `Return Stack Buffer Underflow / Return Stack Buffer Underflo…
264 …-paper] `Branch History Injection: On the Effectiveness of Hardware Mitigations Against Cross-Priv…
266 …-bhi] `Branch History Injection and Intra-mode Branch Target Injection / CVE-2022-0001, CVE-2022-0…
268 …-retpoline-rrsba] "Retpoline" in `Branch History Injection and Intra-mode Branch Target Injection …