admin-guide/hw-vuln/spectre.rst

62 execution of indirect branches to leak privileged memory.
93 execution of indirect branches :ref:`[3] <spec_ref3>`.  The indirect
95 indirect branches can be influenced by an attacker, causing gadget code
102 In Spectre variant 2 attacks, the attacker can steer speculative indirect
104 buffer of a CPU used for predicting indirect branch addresses. Such
105 poisoning could be done by indirect branching into existing code,
106 with the address offset of the indirect branch under the attacker's
109 this could cause privileged code's indirect branch to jump to a gadget
130 steer its indirect branch speculations to gadget code, and measure the
135 Branch History Buffer (BHB) to speculatively steer an indirect branch
137 associated with the source address of the indirect branch. Specifically,
207    target buffer on indirect jump and jump to gadget code in speculative
218    indirect branches. Return trampolines trap speculative execution paths
246    influence the indirect branch targets for a victim process that either
251    by using the prctl() syscall to disable indirect branch speculation
254    indirect branch speculation. This comes with a performance cost
255    from not using indirect branch speculation and clearing the branch
257    indirect branch speculation disabled, Single Threaded Indirect Branch
290    for indirect branches to bypass the poisoned branch target buffer,
292    guests from affecting indirect branching in the host kernel.
295    indirect branch speculation disabled via prctl().  The branch target
321    by turning off the unsafe guest's indirect branch speculation via
405   'IBPB: conditional'   Use IBPB on SECCOMP or indirect branch restricted tasks
408   - Single threaded indirect branch prediction (STIBP) status for protection
416   'STIBP: conditional'  Use STIBP on SECCOMP or indirect branch restricted tasks
464    For Spectre variant 2 mitigation, the compiler turns indirect calls or
490    On x86, indirect branch restricted speculation is turned on by default
505    can be compiled with return trampolines for indirect branches.
508    programs can disable their indirect branch speculation via prctl()
514    Restricting indirect branch speculation on a user program will
516    on x86.  All sand-boxed SECCOMP programs have indirect branch
521    Programs that disable their indirect branch speculation will have
552    its indirect branch speculation disabled by administrator via prctl().
574 		(indirect branch prediction) vulnerability. System may
582 		(indirect branch speculation) vulnerability.
612                 retpoline,lfence        LFENCE; indirect branch
626 		(indirect branch speculation) vulnerability between
691    disabling indirect branch speculation when the program is running
698    off by disabling their indirect branch speculation when they are run
701    buffer.  All programs running in SECCOMP sandboxes have indirect
712    overhead as indirect branch speculations for all programs will be
721    whose indirect branch speculation is explicitly disabled,
747 …e.intel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors…
753 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…