Lines Matching +full:auto +full:- +full:switching

1 .. SPDX-License-Identifier: GPL-2.0
14 -------------------
22 - Intel Core, Atom, Pentium, and Xeon processors
24 - AMD Phenom, EPYC, and Zen processors
26 - IBM POWER and zSeries processors
28 - Higher end ARM processors
30 - Apple CPUs
32 - Higher end MIPS CPUs
34 - Likely most other high performance CPUs. Contact your CPU vendor for details.
40 ------------
45 CVE-2017-5753 Bounds check bypass Spectre variant 1
46 CVE-2017-5715 Branch target injection Spectre variant 2
47 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
51 -------
67 ---------------------------------------
73 memory accesses to invalid memory (with out-of-bound index) that are
83 only about user-controlled array bounds checks. It can affect any
90 -------------------------------------------
112 The most useful gadgets take an attacker-controlled input parameter (such
126 On systems with simultaneous multi-threading (SMT), attacks are possible
141 Previously the only known real-world BHB attack vector was via unprivileged
147 ----------------
175 the GS register to a user-space value, if the swapgs is speculatively
176 skipped, subsequent GS-related percpu accesses in the speculation
177 window will be done with the attacker-controlled GS value. This
235 multi-threading (SMT) system.
260 branch target buffer when context switching to and from such process.
264 prediction when the return stack buffer underflows while switching to
275 kernel. The kernel is entered via hyper-calls or other virtualization
279 (e.g. in registers) via hyper-calls to derive invalid pointers to
295 buffer is cleared before context switching to such processes.
316 and clearing the branch target buffer before switching to a new guest.
327 --------------------------
339 .. list-table::
341 * - 'Not affected'
342 - The processor is not vulnerable.
343 * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
344 - The swapgs protections are disabled; otherwise it has
347 * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
348 - Protection in the kernel on a case-by-case basis with explicit
358 CPU has support for additional process-specific mitigation.
369 per process on a case-by-case basis.
377 - Kernel status:
384 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
385 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
386 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
389 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
396 - Indirect branch prediction barrier (IBPB) status for protection between
403 'IBPB: always-on' Use IBPB on all tasks
407 - Single threaded indirect branch prediction (STIBP) status for protection
418 - Return stack buffer (RSB) protection status:
424 - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
427 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
428 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
429 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
432 - Branch History Injection (BHI) protection status:
434 .. list-table::
436 * - BHI: Not affected
437 - System is not affected
438 * - BHI: Retpoline
439 - System is protected by retpoline
440 * - BHI: BHI_DIS_S
441 - System is protected by BHI_DIS_S
442 * - BHI: SW loop, KVM SW loop
443 - System is protected by software clearing sequence
444 * - BHI: Vulnerable
445 - System is vulnerable to BHI
446 * - BHI: Vulnerable, KVM: SW loop
447 - System is vulnerable; KVM is protected by software clearing sequence
454 -----------------------------------------------------------------
468 Copy-from-user code has an LFENCE barrier to prevent the access_ok()
469 check from being mis-speculated. The barrier is done by the
489 -mindirect-branch=thunk-extern -mindirect-branch-register options.
491 to support -mretpoline-external-thunk option. The kernel config
495 On Intel Skylake-era systems the mitigation covers most, but not all,
509 On Intel's enhanced IBRS systems, this includes cross-thread branch target
543 :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
546 flush the branch target buffer when switching to/from the program.
577 To mitigate guest-to-guest attacks in the same CPU hardware thread,
578 the branch target buffer is sanitized by flushing before switching
583 To mitigate guest-to-guest attacks from sibling thread when SMT is
593 ---------------------------------------------
625 auto
629 Selecting 'on' will, and 'auto' may, choose a
643 retpoline auto pick between generic,lfence
647 eibrs Enhanced/Auto IBRS
648 eibrs,retpoline Enhanced/Auto IBRS + Retpolines
649 eibrs,lfence Enhanced/Auto IBRS + LFENCE
653 spectre_v2=auto.
673 For spectre_v2_user see Documentation/admin-guide/kernel-parameters.txt
676 --------------------------
688 For security-sensitive programs that have secrets (e.g. crypto
691 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
698 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
713 On x86, branch target buffer will be flushed with IBPB when switching
720 while IBPB is still used all the time when switching to a new
727 ---------------------