admin-guide/hw-vuln/spectre.rst

62 execution of indirect branches to leak privileged memory.
93 execution of indirect branches :ref:`[3] <spec_ref3>`.  The indirect
95 indirect branches can be influenced by an attacker, causing gadget code
102 In Spectre variant 2 attacks, the attacker can steer speculative indirect
104 buffer of a CPU used for predicting indirect branch addresses. Such
105 poisoning could be done by indirect branching into existing code,
106 with the address offset of the indirect branch under the attacker's
109 this could cause privileged code's indirect branch to jump to a gadget
130 steer its indirect branch speculations to gadget code, and measure the
135 Branch History Buffer (BHB) to speculatively steer an indirect branch
137 associated with the source address of the indirect branch. Specifically,
206    target buffer on indirect jump and jump to gadget code in speculative
217    indirect branches. Return trampolines trap speculative execution paths
245    influence the indirect branch targets for a victim process that either
250    by using the prctl() syscall to disable indirect branch speculation
253    indirect branch speculation. This comes with a performance cost
254    from not using indirect branch speculation and clearing the branch
256    indirect branch speculation disabled, Single Threaded Indirect Branch
289    for indirect branches to bypass the poisoned branch target buffer,
291    guests from affecting indirect branching in the host kernel.
294    indirect branch speculation disabled via prctl().  The branch target
320    by turning off the unsafe guest's indirect branch speculation via
404   'IBPB: conditional'   Use IBPB on SECCOMP or indirect branch restricted tasks
407   - Single threaded indirect branch prediction (STIBP) status for protection
415   'STIBP: conditional'  Use STIBP on SECCOMP or indirect branch restricted tasks
480    For Spectre variant 2 mitigation, the compiler turns indirect calls or
504    indirect branch predictor entry, and although branch predictor entries are
521    On x86, indirect branch restricted speculation is turned on by default
536    can be compiled with return trampolines for indirect branches.
542    can disable indirect branch speculation via prctl() (See
548    Restricting indirect branch speculation on a user program will
554    Programs that disable their indirect branch speculation will have
585    its indirect branch speculation disabled by administrator via prctl().
607 		(indirect branch prediction) vulnerability. System may
615 		(indirect branch speculation) vulnerability.
645                 retpoline,lfence        LFENCE; indirect branch
690    disabling indirect branch speculation when the program is running
697    off by disabling their indirect branch speculation when they are run
710    overhead as indirect branch speculations for all programs will be
719    whose indirect branch speculation is explicitly disabled,
745 …e.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors…
751 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…