admin-guide/hw-vuln/spectre.rst

144 For a full mitigation against BHB attacks, it's recommended to use
331 mitigation status of the system for Spectre: whether the system is
334 The sysfs file showing Spectre variant 1 mitigation status is:
348      * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
358 retpoline mitigation or if the CPU has hardware mitigation, and if the
359 CPU has support for additional process-specific mitigation.
372 The sysfs file showing Spectre variant 2 mitigation status is:
382   'Mitigation: None'                        Vulnerable, no mitigation
383   'Mitigation: Retpolines'                  Use Retpoline thunks
384   'Mitigation: LFENCE'                      Use LFENCE instructions
385   'Mitigation: Enhanced IBRS'               Hardware-focused mitigation
386   'Mitigation: Enhanced IBRS + Retpolines'  Hardware-focused + Retpolines
387   'Mitigation: Enhanced IBRS + LFENCE'      Hardware-focused + LFENCE
433 Full mitigation might require a microcode update from the CPU
437 Turning on mitigation for Spectre variant 1 and Spectre variant 2
440 1. Kernel mitigation
464    For Spectre variant 2 mitigation, the compiler turns indirect calls or
471    To turn on retpoline mitigation on a vulnerable CPU, the kernel
479    On Intel Skylake-era systems the mitigation covers most, but not all,
482    On CPUs with hardware mitigation for Spectre variant 2 (e.g. Enhanced
485    The retpoline mitigation is turned on by default on vulnerable
498 2. User program mitigation
504    For Spectre variant 2 mitigation, individual user programs
528 3. VM mitigation
554    The kernel also allows guests to use any microcode based mitigation
559 Mitigation control on the kernel command line
562 Spectre variant 2 mitigation can be disabled or force enabled at the
581 		[X86] Control mitigation of Spectre variant 2
597 		mitigation method at run time according to the
602 		Selecting 'on' will also enable the mitigation
621 For user space mitigation:
625 		[X86] Control mitigation of Spectre variant 2
639 			but mitigation can be enabled via prctl
640 			per thread. The mitigation control state
651 			threads will enable the mitigation unless
661 			Kernel selects the mitigation depending on
664 		Default mitigation:
676 Mitigation selection guide
743 …t injection mitigation <https://software.intel.com/security-software-guidance/insights/deep-dive-r…