Lines Matching +full:auto +full:- +full:switching

1 .. SPDX-License-Identifier: GPL-2.0
14 -------------------
22 - Intel Core, Atom, Pentium, and Xeon processors
24 - AMD Phenom, EPYC, and Zen processors
26 - IBM POWER and zSeries processors
28 - Higher end ARM processors
30 - Apple CPUs
32 - Higher end MIPS CPUs
34 - Likely most other high performance CPUs. Contact your CPU vendor for details.
40 ------------
45 CVE-2017-5753 Bounds check bypass Spectre variant 1
46 CVE-2017-5715 Branch target injection Spectre variant 2
47 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
51 -------
67 ---------------------------------------
73 memory accesses to invalid memory (with out-of-bound index) that are
83 only about user-controlled array bounds checks. It can affect any
90 -------------------------------------------
112 The most useful gadgets take an attacker-controlled input parameter (such
126 On systems with simultaneous multi-threading (SMT), attacks are possible
141 Currently the only known real-world BHB attack vector is via
148 ----------------
176 the GS register to a user-space value, if the swapgs is speculatively
177 skipped, subsequent GS-related percpu accesses in the speculation
178 window will be done with the attacker-controlled GS value. This
236 multi-threading (SMT) system.
261 branch target buffer when context switching to and from such process.
265 prediction when the return stack buffer underflows while switching to
276 kernel. The kernel is entered via hyper-calls or other virtualization
280 (e.g. in registers) via hyper-calls to derive invalid pointers to
296 buffer is cleared before context switching to such processes.
317 and clearing the branch target buffer before switching to a new guest.
328 --------------------------
340 .. list-table::
342 * - 'Not affected'
343 - The processor is not vulnerable.
344 * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
345 - The swapgs protections are disabled; otherwise it has
348 * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
349 - Protection in the kernel on a case-by-case basis with explicit
359 CPU has support for additional process-specific mitigation.
370 per process on a case-by-case basis.
378 - Kernel status:
385 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
386 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
387 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
390 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
397 - Indirect branch prediction barrier (IBPB) status for protection between
404 'IBPB: always-on' Use IBPB on all tasks
408 - Single threaded indirect branch prediction (STIBP) status for protection
419 - Return stack buffer (RSB) protection status:
425 - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
428 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
429 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
430 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
438 -----------------------------------------------------------------
452 Copy-from-user code has an LFENCE barrier to prevent the access_ok()
453 check from being mis-speculated. The barrier is done by the
473 -mindirect-branch=thunk-extern -mindirect-branch-register options.
475 to support -mretpoline-external-thunk option. The kernel config
479 On Intel Skylake-era systems the mitigation covers most, but not all,
489 On Intel's enhanced IBRS systems, this includes cross-thread branch target
523 :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
526 flush the branch target buffer when switching to/from the program.
557 To mitigate guest-to-guest attacks in the same CPU hardware thread,
558 the branch target buffer is sanitized by flushing before switching
563 To mitigate guest-to-guest attacks from sibling thread when SMT is
573 ---------------------------------------------
605 auto
609 Selecting 'on' will, and 'auto' may, choose a
623 retpoline auto pick between generic,lfence
627 eibrs Enhanced/Auto IBRS
628 eibrs,retpoline Enhanced/Auto IBRS + Retpolines
629 eibrs,lfence Enhanced/Auto IBRS + LFENCE
633 spectre_v2=auto.
641 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
644 --------------------------
656 For security-sensitive programs that have secrets (e.g. crypto
659 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
666 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
681 On x86, branch target buffer will be flushed with IBPB when switching
688 while IBPB is still used all the time when switching to a new
695 ---------------------
701 …annels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculati…
705 …s check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-che…
709 …ion <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-tar…
713 …ctors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indi…
719 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
723 …ation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AM…
729 …he speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative-p…
733 …developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/…
739 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…
745 …el vulnerabilities <https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-chan…
759 …rn Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_.