
Lines Matching +full:half +full:- +full:bit

1 .. SPDX-License-Identifier: GPL-2.0
8 of indirect branches and RETs located in the lower half of a cacheline.
10 ITS is assigned CVE-2024-28956 with a CVSS score of 4.7 (Medium).
13 ---------------
14 - **eIBRS Guest/Host Isolation**: Indirect branches in KVM/kernel may still be
17 - **Intra-Mode BTI**: In-kernel training such as through cBPF or other native
20 - **Indirect Branch Prediction Barrier (IBPB)**: After an IBPB, indirect
27 -------------
31 Common name Family_Model eIBRS Intra-mode BTI
47 - All affected CPUs enumerate Enhanced IBRS feature.
48 - IBPB isolation is affected on all ITS affected CPUs, and needs a microcode
50 - None of the affected CPUs enumerate BHI_CTRL which was introduced in Golden
53 - Intel Atom CPUs are not affected by ITS.
56 ----------
58 in the lower half of the cacheline are vulnerable to ITS, the basic idea behind
59 the mitigation is to not allow indirect branches in the lower half.
62 compilers. ITS-vulnerable retpoline sites are runtime patched to point to newly
63 added ITS-safe thunks. These safe thunks consist of an indirect branch in the
64 second half of the cacheline. Not all retpoline sites are patched to thunks; if
65 a retpoline site is evaluated to be ITS-safe, it is replaced with an inline
70 From a dynamically allocated pool of safe-thunks, each vulnerable site is
72 improve the branch prediction accuracy. Also, it is a defense-in-depth measure
88 Retpoline sequence also mitigates ITS-unsafe indirect branches. For this
90 safe thunks. Unless user requested the RSB-stuffing mitigation.
94 RSB-stuffing via Call Depth Tracking is a mitigation for Retbleed RSB-underflow
105 platforms, Intel has defined ITS_NO bit(62) in MSR IA32_ARCH_CAPABILITIES. When
106 a guest sees this bit set, it should not enumerate the ITS bug. Note, this bit
117 If spectre_v2 mitigation enables retpoline, aligned-thunks are only
128 stuff Deploy RSB-fill mitigation when retpoline is also deployed.
130 is enabled, RSB-stuffing via Call-Depth-Tracking also mitigates
137 ---------------
147 .. list-table::
149 * - Not affected
150 - The processor is not vulnerable.
151 * - Vulnerable
152 - System is vulnerable and no mitigation has been applied.
153 * - Vulnerable, KVM: Not affected
154 - System is vulnerable to intra-mode BTI, but not affected by eIBRS
156 * - Mitigation: Aligned branch/return thunks
157 - The mitigation is enabled, affected indirect branches and RETs are
159 * - Mitigation: Retpolines, Stuffing RSB
160 - The mitigation is enabled using retpoline and RSB stuffing.
163 ----------
164 .. [#f1] Microcode repository - https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
166 … list - https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guida…
168 …[#f3] Affected Processors list (machine readable) - https://github.com/intel/Intel-affected-proces…