OUTDATED: Removal of IBRS mitigation for Spectre Variant 2
OUTDATED / UPDATED in 2022: See the section on RETBLEED below.
When the Meltdown and Spectre attacks were published at the beginning of January 2018, several mitigations were planned and implemented for Spectre Variant 2.
What is Spectre Variant 2?
Spectre Variant 2 describes an issue where the CPU's branch prediction can be poisoned, so that the CPU speculatively executes code it would otherwise never execute.
For instance, attacker-controlled userspace code could make kernel code speculatively execute Spectre code gadgets that disclose secret kernel data, using Flush+Reload cache side-channel disclosure methods.
Two major mitigations were proposed:
- A CPU feature called “Indirect Branch Restricted Speculation” (IBRS) that prevents branch predictions trained at lower privilege levels from being used at higher ones.
- Software workarounds called “retpolines” and “RSB stuffing”. These can fully replace the IBRS mitigation. On Intel Skylake there is the theoretical possibility that these software mitigations are not sufficient, but so far research has not shown any holes.
SUSE backported the IBRS patches to our kernels for the initial release of the mitigations and enabled them, as the “retpoline” mitigations were not yet ready.
SUSE pushed the “retpoline” mitigation some months later, after support in the compiler and kernel became available, but left the IBRS mitigation in place.
As of today, the “retpoline” and “RSB stuffing” software workarounds provide the same level of mitigation that IBRS provides.
While IBRS support continued in the SUSE kernel, it was not accepted by the Linux upstream kernel community, and it was also shown to cause performance degradation.
As “retpoline” and “RSB stuffing” completely mitigate the Spectre Variant 2 issue for the Linux kernel, SUSE decided, with guidance from Intel, to remove the IBRS patches from our kernel releases.
On Intel Skylake there remains a theoretical possibility that the software mitigations are not complete, but so far no research has shown exploitable scenarios. Should research show any exploitable scenarios there, SUSE will re-enable the IBRS mitigation on these chipsets.
Due to the newly discovered RETBLEED vulnerabilities, the IBRS mitigation has to be used again on Intel Skylake processors. Please see the SUSE TID for RETBLEED. Note that on modern Intel CPUs a method that is cheaper in performance terms, called eIBRS, is in use.
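To check which of the mitigations discussed above (retpolines with RSB stuffing, IBRS, or eIBRS on newer Intel CPUs) a running Linux kernel actually reports, here is an added shell example that is not part of the SUSE TID; it assumes the upstream sysfs files spectre_v2 and retbleed under /sys/devices/system/cpu/vulnerabilities/ and their mainline status strings.

```shell
# Added example, not from the SUSE TID: classify which Spectre v2 mitigation the
# running kernel reports via the upstream sysfs interface (assumed present;
# SUSE kernels carrying the out-of-tree IBRS patches may have used other strings).
SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
RETBLEED_FILE=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_spectre_v2 "<status line>" prints one of:
#   not_affected | vulnerable | eibrs | ibrs | retpoline | unknown
# Covers the current "Mitigation: Retpolines, ..." form as well as the older
# "Mitigation: Full generic retpoline" / "Mitigation: Full AMD retpoline" form.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)          echo not_affected ;;
        Vulnerable*)              echo vulnerable ;;
        "Mitigation: Enhanced"*)  echo eibrs ;;   # "Enhanced IBRS", "Enhanced / Automatic IBRS"
        "Mitigation: IBRS"*)      echo ibrs ;;
        "Mitigation: Retpoline"*|"Mitigation: Full "*retpoline*) echo retpoline ;;
        *)                        echo unknown ;;
    esac
}

# has_rsb_filling "<status line>": exit 0 if the kernel reports "RSB filling"
# (the "RSB stuffing" the TID refers to), 1 otherwise.
has_rsb_filling() {
    case "$1" in *"RSB filling"*) return 0 ;; *) return 1 ;; esac
}

# report_system: read the live sysfs values and print a verdict; warns when a
# retpoline-only kernel runs on a CPU the kernel reports as RETBLEED-vulnerable.
report_system() {
    if [ ! -r "$SPECTRE_V2_FILE" ]; then
        echo "no spectre_v2 sysfs entry (old kernel or non-x86?)"; return 0
    fi
    v2=$(cat "$SPECTRE_V2_FILE"); kind=$(classify_spectre_v2 "$v2")
    if has_rsb_filling "$v2"; then rsb=yes; else rsb=no; fi
    echo "spectre_v2: $kind (RSB filling: $rsb) <- $v2"
    [ -r "$RETBLEED_FILE" ] || return 0
    rb=$(cat "$RETBLEED_FILE"); echo "retbleed:   $rb"
    case "$kind:$rb" in
        retpoline:Vulnerable*) echo "WARNING: retpoline-only kernel, RETBLEED reported vulnerable" ;;
    esac
}

report_system
```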