spectre.rst - OpenGrok cross reference for /kernel/linux/linux-6.6/Documentation/admin-guide/hw-vuln/spectre.rst

Lines Matching +full:vm +full:- +full:active +full:- +full:channels
1 .. SPDX-License-Identifier: GPL-2.0
3 Spectre Side Channels
14 -------------------
22     - Intel Core, Atom, Pentium, and Xeon processors
24     - AMD Phenom, EPYC, and Zen processors
26     - IBM POWER and zSeries processors
28     - Higher end ARM processors
30     - Apple CPUs
32     - Higher end MIPS CPUs
34     - Likely most other high performance CPUs. Contact your CPU vendor for details.
40 ------------
45    CVE-2017-5753   Bounds check bypass      Spectre variant 1
46    CVE-2017-5715   Branch target injection  Spectre variant 2
47    CVE-2019-1125   Spectre v1 swapgs        Spectre variant 1 (swapgs)
51 -------
67 ---------------------------------------
73 memory accesses to invalid memory (with out-of-bound index) that are
75 memory accesses can leave side effects, creating side channels which
83 only about user-controlled array bounds checks.  It can affect any
90 -------------------------------------------
112 The most useful gadgets take an attacker-controlled input parameter (such
124 stack buffer on context switch, or virtual machine (VM) exit.
126 On systems with simultaneous multi-threading (SMT), attacks are possible
141 Currently the only known real-world BHB attack vector is via
148 ----------------
176    the GS register to a user-space value, if the swapgs is speculatively
177    skipped, subsequent GS-related percpu accesses in the speculation
178    window will be done with the attacker-controlled GS value.  This
236    multi-threading (SMT) system.
276    kernel.  The kernel is entered via hyper-calls or other virtualization
280    (e.g. in registers) via hyper-calls to derive invalid pointers to
291    and flushing the return stack buffer on VM exit.  This prevents rogue
316    CPU hardware thread by flushing the return stack buffer on VM exit,
328 --------------------------
332 vulnerable, and which mitigations are active.
340   .. list-table::
342      * - 'Not affected'
343        - The processor is not vulnerable.
344      * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
345        - The swapgs protections are disabled; otherwise it has
348      * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
349        - Protection in the kernel on a case by case base with explicit
359 CPU has support for additional process-specific mitigation.
370 per process on a case-by-case base.
378   - Kernel status:
385   'Mitigation: Enhanced IBRS'               Hardware-focused mitigation
386   'Mitigation: Enhanced IBRS + Retpolines'  Hardware-focused + Retpolines
387   'Mitigation: Enhanced IBRS + LFENCE'      Hardware-focused + LFENCE
390   - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
397   - Indirect branch prediction barrier (IBPB) status for protection between
404   'IBPB: always-on'     Use IBPB on all tasks
408   - Single threaded indirect branch prediction (STIBP) status for protection
419   - Return stack buffer (RSB) protection status:
425   - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
428   'PBRSB-eIBRS: SW sequence'   CPU is affected and protection of RSB on VMEXIT enabled
429   'PBRSB-eIBRS: Vulnerable'    CPU is vulnerable
430   'PBRSB-eIBRS: Not affected'  CPU is not affected by PBRSB
438 -----------------------------------------------------------------
452    Copy-from-user code has an LFENCE barrier to prevent the access_ok()
453    check from being mis-speculated.  The barrier is done by the
473    -mindirect-branch=thunk-extern -mindirect-branch-register options.
475    to support -mretpoline-external-thunk option.  The kernel config
479    On Intel Skylake-era systems the mitigation covers most, but not all,
489    On Intel's enhanced IBRS systems, this includes cross-thread branch target
523    :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
541 3. VM mitigation
545    mitigated on a case by case basis in VM exit paths. Vulnerable code
553    flushes the return stack buffer on every VM exit to prevent a return
557    To mitigate guest-to-guest attacks in the same CPU hardware thread,
563    To mitigate guest-to-guest attacks from sibling thread when SMT is
573 ---------------------------------------------
641 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
644 --------------------------
656    For security-sensitive programs that have secrets (e.g. crypto
659    (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
666    (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
695 ---------------------
701 …ecution side channels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analys…
705 …s check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-che…
709 …ion <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-tar…
713 …ctors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indi…
719 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
723 …ation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AM…
729 …he speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative-p…
733 …developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/…
739 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…
745 …el vulnerabilities <https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-chan…
759 …rn Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_.