[UNSTABLE][PATCH 0/5] Enforce RETPOLINE and SLS mitigations

Dimitri John Ledkov dimitri.ledkov at canonical.com
Thu Dec 14 14:08:30 UTC 2023


Some more background information about retpoline check:

After about 2 years under embargo, Spectre and Meltdown were a set of
vulnerabilities that were disclosed in January 2018 and have caused
quite a lot of havoc. It has thrashed the performance of multiple
generations of hardware, and even today causes issues of being unable
to security-support hardware that users and customers are still running
despite these vulnerabilities. More information on
https://meltdownattack.com/ and also this excellent FOSDEM talk
https://www.youtube.com/watch?v=vOHtDey8wqI and also
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
(especially for the Timeline as it has been known to us).

As part of these mitigations, retpoline toolchain & kernel code
support was added in the kernel to partially mitigate the attack.
Initially blindly, and eventually in a very nuanced way.

In Ubuntu kernels, one can see that retpoline unsafe call site
validation started being tracked with the ABI checker functionality.
This was added in the 4.15.0-10.11 kernel or thereabouts; see
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/changelog?h=Ubuntu-4.15.0-10.11#n68

And, for example, the next upload did show over 300 unsafe call sites
in the 10.11 abi, as we can see in the 11.12 upload's vendored abi
files: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/abi/4.15.0-10.11/amd64/generic.retpoline?h=Ubuntu-4.15.0-11.12

Later, the upstream kernel added the ability in objtool to track
unsafe call sites, reduce the number of them, and mark the remaining
ones as safe. See these commits in the 4.15.0-13.14 kernel:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/changelog?h=Ubuntu-4.15.0-13.14#n348

This resulted in the retpoline ABI file becoming empty, and it has
remained empty ever since, because the kernel build and objtool
enforce this:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/abi/4.15.0-13.14/amd64/generic.retpoline?h=Ubuntu-4.15.0-14.15

It has remained empty ever since.

At the same time, better ways to mitigate the attacks have become
available in hardware: microcode updates, CPU improvements, the
development of the Intel CET technologies Indirect Branch Tracking &
Shadow Stack, encrypted memory, and now Confidential Computing with
SEV and TDX.

If I fake a regression in the toolchain (by commenting out
KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)), the build should fail even
before getting to the abi-checks, as the kernel's objtool catches
this...

... Hang on a minute, why did the build pass?! And that is the
motivation for this patch series.
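To make the retpoline/SLS check described above concrete, here is an added stand-alone example (not Ubuntu's abi-check, objtool, or any code from this series) that scans `objdump -d` output of an x86-64 kernel object for indirect branches that were not rewritten to the `__x86_indirect_thunk_*` retpoline thunks, and for `ret` instructions not followed by the `int3` that SLS hardening inserts. The function names and the embedded disassembly sample are constructed for illustration; the sample thunk body is simplified.

```python
import re

# One objdump -d instruction line: "<addr>:<tab><bytes><tab><mnemonic> <operands>"
_INSN = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s)+\s*(\S+)\s*(.*)$")
# A function header line: "<addr> <symbol>:"
_FUNC = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
THUNK_PREFIX = "__x86_indirect_thunk_"   # retpoline thunk symbol prefix

def parse(text):
    """Yield (function, address, mnemonic, operand) from objdump -d text."""
    func = None
    for line in text.splitlines():
        m = _FUNC.match(line)
        if m:
            func = m.group(2)
            continue
        m = _INSN.match(line)
        if m and func:
            mnem, op = m.group(2), m.group(3).strip()
            if mnem in ("notrack", "bnd"):      # fold branch prefixes into the mnemonic
                mnem, _, op = op.partition(" ")
            yield func, m.group(1), mnem, op.strip()

def find_unsafe(text):
    """Return [(function, address, reason)] for each mitigation violation found."""
    insns = list(parse(text))
    findings = []
    for i, (func, addr, mnem, op) in enumerate(insns):
        if func.startswith(THUNK_PREFIX):
            continue  # the thunk itself legitimately contains the raw indirect jmp
        if mnem in ("call", "jmp") and op.startswith("*"):
            findings.append((func, addr, f"indirect {mnem} {op} not via retpoline thunk"))
        if mnem in ("ret", "retq"):
            nxt = insns[i + 1] if i + 1 < len(insns) else None
            if nxt is None or nxt[0] != func or nxt[2] != "int3":
                findings.append((func, addr, "ret not followed by int3 (SLS hardening)"))
    return findings

# Constructed sample: one compliant function, one that bypasses both mitigations.
SAMPLE = """\
ffffffff81000100 <thunk_user>:
ffffffff81000100:\te8 fb 10 c0 00       \tcall   ffffffff81c01100 <__x86_indirect_thunk_rax>
ffffffff81000105:\tc3                   \tret
ffffffff81000106:\tcc                   \tint3

ffffffff81000110 <raw_caller>:
ffffffff81000110:\tff d0                \tcall   *%rax
ffffffff81000112:\tff 25 10 00 00 00    \tjmp    *0x10(%rip)        # ffffffff81000128 <fn_ptr>
ffffffff81000118:\tc3                   \tret

ffffffff81c01100 <__x86_indirect_thunk_rax>:
ffffffff81c01100:\tff e0                \tjmp    *%rax
ffffffff81c01102:\tcc                   \tint3
"""

if __name__ == "__main__":
    for func, addr, reason in find_unsafe(SAMPLE):
        print(f"{func} @ {addr}: {reason}")
```

On a real build, feed it `objdump -d vmlinux.o` (or a single `.o`); an empty result corresponds to the empty generic.retpoline ABI file the post describes.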


