Lines Matching +full:processor +full:- +full:a +full:- +full:side

1 .. SPDX-License-Identifier: GPL-2.0
3 Spectre Side Channels
6 Spectre is a class of side channel attacks that exploit branch prediction
8 bypassing access controls. Speculative execution side channel exploits
14 -------------------
16 Speculative execution side channel methods affect a wide range of modern
22 - Intel Core, Atom, Pentium, and Xeon processors
24 - AMD Phenom, EPYC, and Zen processors
26 - IBM POWER and zSeries processors
28 - Higher end ARM processors
30 - Apple CPUs
32 - Higher end MIPS CPUs
34 - Likely most other high performance CPUs. Contact your CPU vendor for details.
36 Whether a processor is affected or not can be read out from the Spectre
40 ------------
45 CVE-2017-5753 Bounds check bypass Spectre variant 1
46 CVE-2017-5715 Branch target injection Spectre variant 2
47 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
51 -------
54 traces of memory accesses or computations in the processor's caches,
56 influence the speculative execution paths, and then use the side effects
67 ---------------------------------------
72 array results in memory access within a valid range). This results in
73 memory accesses to invalid memory (with out-of-bound index) that are
75 memory accesses can leave side effects, creating side channels which
83 only about user-controlled array bounds checks. It can affect any
87 a user GS.
90 -------------------------------------------
94 branch predictors inside the processor used to guess the target of
97 the victim. The side effects left in the CPU's caches during speculative
104 buffer of a CPU used for predicting indirect branch addresses. Such
109 this could cause privileged code's indirect branch to jump to a gadget
112 The most useful gadgets take an attacker-controlled input parameter (such
113 as a register value) so that the memory read can be controlled. Gadgets
120 subroutine return instruction execution to go to a gadget. An attacker's
122 return stack buffer which are later consumed by a victim's subroutine
126 On systems with simultaneous multi-threading (SMT), attacks are possible
128 (BTB) may be shared between hardware threads in a CPU core. A malicious
131 speculative execution's side effects left in level 1 cache to infer the
136 to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
141 Currently the only known real-world BHB attack vector is via
144 For a full mitigation against BHB attacks, it's recommended to use
148 ----------------
153 1. A user process attacking the kernel
159 The attacker passes a parameter to the kernel via a register or
160 via a known address in memory during a syscall. Such parameter may
162 a pointer for a Spectre variant 1 attack. The index or pointer
176 the GS register to a user-space value, if the swapgs is speculatively
177 skipped, subsequent GS-related percpu accesses in the speculation
178 window will be done with the attacker-controlled GS value. This
191 swapgs, and then do a speculative percpu load using the user GS
192 value. So the user can speculatively force a read of any kernel
193 value. If a gadget exists which uses the percpu value as an address
195 become visible via an L1 side channel attack.
197 A similar attack exists when coming from kernel space. The CPU can
204 A Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
211 speculative execution, he would also need to pass a parameter to the
212 gadget, either through a register or a known address in memory. After
213 the gadget has executed, he can measure the side effect.
226 Spectre variant 2 attack by a rogue user process. To mitigate such
230 2. A user process attacking another user process
233 A malicious user process can try to attack another user process,
234 either via a context switch on the same hardware thread, or from the
235 sibling hyperthread sharing a physical processor core on a simultaneous
236 multi-threading (SMT) system.
239 between the processes, which needs a data passing relationship, such
244 Spectre variant 2 attacks can be launched from a rogue process by
246 influence the indirect branch targets for a victim process that either
248 a sibling hardware thread sharing the same physical core.
250 A user process can protect itself against Spectre variant 2 attacks
254 indirect branch speculation. This comes with a performance cost
256 target buffer. When SMT is enabled on x86, for a process that has
266 a deeper call stack. Any poisoned entries in the return stack buffer
272 3. A virtualized guest attacking the host
276 kernel. The kernel is entered via hyper-calls or other virtualization
280 (e.g. in registers) via hyper-calls to derive invalid pointers to
298 4. A virtualized guest attacking another guest
301 A rogue guest may attack another guest to get data accessible by the
310 Spectre variant 2 attacks can be launched from a rogue guest by
317 and clearing the branch target buffer before switching to a new guest.
322 prctl(). A guest can also protect itself by turning on microcode
328 --------------------------
330 The Linux kernel provides a sysfs interface to enumerate the current
340 .. list-table::
342 * - 'Not affected'
343 - The processor is not vulnerable.
344 * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
345 - The swapgs protections are disabled; otherwise it has
346 protection in the kernel on a case by case basis with explicit
348 * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
349 - Protection in the kernel on a case by case basis with explicit
353 However, the protections are put in place on a case by case basis,
359 CPU has support for additional process-specific mitigation.
370 per process on a case-by-case basis.
378 - Kernel status:
381 'Not affected' The processor is not vulnerable
385 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
386 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
387 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
390 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
397 - Indirect branch prediction barrier (IBPB) status for protection between
404 'IBPB: always-on' Use IBPB on all tasks
408 - Single threaded indirect branch prediction (STIBP) status for protection
419 - Return stack buffer (RSB) protection status:
425 - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
428 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
429 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
430 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
433 Full mitigation might require a microcode update from the CPU
438 -----------------------------------------------------------------
447 by code audit or scanning tools) is annotated on a case by case
452 Copy-from-user code has an LFENCE barrier to prevent the access_ok()
453 check from being mis-speculated. The barrier is done by the
469 a gadget.
471 To turn on retpoline mitigation on a vulnerable CPU, the kernel
472 needs to be compiled with a gcc compiler that supports the
473 -mindirect-branch=thunk-extern -mindirect-branch-register options.
474 If the kernel is compiled with a Clang compiler, the compiler needs
475 to support the -mretpoline-external-thunk option. The kernel config
479 On Intel Skylake-era systems the mitigation covers most, but not all,
489 On Intel's enhanced IBRS systems, this includes cross-thread branch target
523 :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
528 Restricting indirect branch speculation on a user program will
529 also prevent the program from launching a variant 2 attack
545 mitigated on a case by case basis in VM exit paths. Vulnerable code
553 flushes the return stack buffer on every VM exit to prevent a return
557 To mitigate guest-to-guest attacks in the same CPU hardware thread,
559 to a new guest on a CPU.
563 To mitigate guest-to-guest attacks from sibling thread when SMT is
573 ---------------------------------------------
609 Selecting 'on' will, and 'auto' may, choose a
641 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
644 --------------------------
656 For security-sensitive programs that have secrets (e.g. crypto
659 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
664 Untrusted programs that could be a source of attacks can be cordoned
666 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
682 to a new program. STIBP is left on all the time to protect programs
688 while IBPB is still used all the time when switching to a new
695 ---------------------