@@ -131,6 +131,19 @@ steer its indirect branch speculations to gadget code, and measure the
131131speculative execution's side effects left in level 1 cache to infer the
132132victim's data.
133133
134+ Yet another variant 2 attack vector is for the attacker to poison the
135+ Branch History Buffer (BHB) to speculatively steer an indirect branch
136+ to a specific Branch Target Buffer (BTB) entry, even if the entry isn't
137+ associated with the source address of the indirect branch. Specifically,
138+ the BHB might be shared across privilege levels even in the presence of
139+ Enhanced IBRS.
140+
141+ Currently the only known real-world BHB attack vector is via
142+ unprivileged eBPF. Therefore, it's highly recommended to not enable
143+ unprivileged eBPF, especially when eIBRS is used (without retpolines).
144+ For a full mitigation against BHB attacks, it's recommended to use
145+ retpolines (or eIBRS combined with retpolines).
146+
134147Attack scenarios
135148----------------
136149
@@ -364,13 +377,15 @@ The possible values in this file are:
364377
365378 - Kernel status:
366379
367- ==================================== =================================
368- 'Not affected' The processor is not vulnerable
369- 'Vulnerable' Vulnerable, no mitigation
370- 'Mitigation: Full generic retpoline' Software-focused mitigation
371- 'Mitigation: Full AMD retpoline' AMD-specific software mitigation
372- 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
373- ==================================== =================================
380+ ======================================== =================================
381+ 'Not affected' The processor is not vulnerable
382+ 'Mitigation: None' Vulnerable, no mitigation
383+ 'Mitigation: Retpolines' Use Retpoline thunks
384+ 'Mitigation: LFENCE' Use LFENCE instructions
385+ 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
386+ 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
387+ 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
388+ ======================================== =================================
374389
375390 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
376391 used to protect against Spectre variant 2 attacks when calling firmware (x86 only).
@@ -583,12 +598,13 @@ kernel command line.
583598
584599 Specific mitigations can also be selected manually:
585600
586- retpoline
587- replace indirect branches
588- retpoline,generic
589- google's original retpoline
590- retpoline,amd
591- AMD-specific minimal thunk
601+ retpoline auto pick between generic,lfence
602+ retpoline,generic Retpolines
603+ retpoline,lfence LFENCE; indirect branch
604+ retpoline,amd alias for retpoline,lfence
605+ eibrs enhanced IBRS
606+ eibrs,retpoline enhanced IBRS + Retpolines
607+ eibrs,lfence enhanced IBRS + LFENCE
592608
593609 Not specifying this option is equivalent to
594610 spectre_v2=auto.
@@ -599,7 +615,7 @@ kernel command line.
599615 spectre_v2=off. Spectre variant 1 mitigations
600616 cannot be disabled.
601617
602- For spectre_v2_user see :doc: ` /admin-guide/kernel-parameters `.
618+ For spectre_v2_user see Documentation /admin-guide/kernel-parameters.txt
603619
604620Mitigation selection guide
605621--------------------------
0 commit comments