Lines Matching +full:vm +full:- +full:active +full:- +full:channels
1 .. SPDX-License-Identifier: GPL-2.0
3 Spectre Side Channels
14 -------------------
22 - Intel Core, Atom, Pentium, and Xeon processors
24 - AMD Phenom, EPYC, and Zen processors
26 - IBM POWER and zSeries processors
28 - Higher end ARM processors
30 - Apple CPUs
32 - Higher end MIPS CPUs
34 - Likely most other high performance CPUs. Contact your CPU vendor for details.
40 ------------
45 CVE-2017-5753 Bounds check bypass Spectre variant 1
46 CVE-2017-5715 Branch target injection Spectre variant 2
47 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
51 -------
67 ---------------------------------------
73 memory accesses to invalid memory (with out-of-bound index) that are
75 memory accesses can leave side effects, creating side channels which
83 only about user-controlled array bounds checks. It can affect any
90 -------------------------------------------
112 The most useful gadgets take an attacker-controlled input parameter (such
124 stack buffer on context switch, or virtual machine (VM) exit.
126 On systems with simultaneous multi-threading (SMT), attacks are possible
141 Previously the only known real-world BHB attack vector was via unprivileged
147 ----------------
175 the GS register to a user-space value, if the swapgs is speculatively
176 skipped, subsequent GS-related percpu accesses in the speculation
177 window will be done with the attacker-controlled GS value. This
235 multi-threading (SMT) system.
275 kernel. The kernel is entered via hyper-calls or other virtualization
279 (e.g. in registers) via hyper-calls to derive invalid pointers to
290 and flushing the return stack buffer on VM exit. This prevents rogue
315 CPU hardware thread by flushing the return stack buffer on VM exit,
327 --------------------------
331 vulnerable, and which mitigations are active.
339 .. list-table::
341 * - 'Not affected'
342 - The processor is not vulnerable.
343 * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
344 - The swapgs protections are disabled; otherwise it has
347 * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
348 - Protection in the kernel on a case by case basis with explicit
358 CPU has support for additional process-specific mitigation.
369 per process on a case-by-case basis.
377 - Kernel status:
384 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
385 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
386 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
389 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
396 - Indirect branch prediction barrier (IBPB) status for protection between
403 'IBPB: always-on' Use IBPB on all tasks
407 - Single threaded indirect branch prediction (STIBP) status for protection
418 - Return stack buffer (RSB) protection status:
424 - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
427 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
428 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
429 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
432 - Branch History Injection (BHI) protection status:
434 .. list-table::
436 * - BHI: Not affected
437 - System is not affected
438 * - BHI: Retpoline
439 - System is protected by retpoline
440 * - BHI: BHI_DIS_S
441 - System is protected by BHI_DIS_S
442 * - BHI: SW loop, KVM SW loop
443 - System is protected by software clearing sequence
444 * - BHI: Vulnerable
445 - System is vulnerable to BHI
446 * - BHI: Vulnerable, KVM: SW loop
447 - System is vulnerable; KVM is protected by software clearing sequence
454 -----------------------------------------------------------------
468 Copy-from-user code has an LFENCE barrier to prevent the access_ok()
469 check from being mis-speculated. The barrier is done by the
489 -mindirect-branch=thunk-extern -mindirect-branch-register options.
491 to support -mretpoline-external-thunk option. The kernel config
495 On Intel Skylake-era systems the mitigation covers most, but not all,
509 On Intel's enhanced IBRS systems, this includes cross-thread branch target
543 :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
561 3. VM mitigation
565 mitigated on a case by case basis in VM exit paths. Vulnerable code
573 flushes the return stack buffer on every VM exit to prevent a return
577 To mitigate guest-to-guest attacks in the same CPU hardware thread,
583 To mitigate guest-to-guest attacks from a sibling thread when SMT is
593 ---------------------------------------------
601 - nospectre_v1
602 - nospectre_v2
603 - spectre_v2={option}
604 - spectre_v2_user={option}
605 - spectre_bhi={option}
607 For more details on the available options, refer to Documentation/admin-guide/kernel-parameters.txt
610 --------------------------
622 For security-sensitive programs that have secrets (e.g. crypto
625 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
632 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
661 ---------------------
667 …ecution side channels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analys…
671 …s check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-che…
675 …ion <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-tar…
679 …ctors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indi…
685 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
689 …ation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AM…
695 …he speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative-p…
699 …developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/…
705 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…
711 …el vulnerabilities <https://www.mips.com/blog/mips-response-on-speculative-execution-and-side-chan…
725 …rn Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_.