• Borislav Petkov (AMD)'s avatar
    x86/srso: Add a Speculative RAS Overflow mitigation · fb3bd914
    Borislav Petkov (AMD) authored
    Add a mitigation for the speculative return address stack overflow
    vulnerability found on AMD processors.
    
    The mitigation works by ensuring all RET instructions speculate to
    a controlled location, similar to how speculation is controlled in the
    retpoline sequence.  To accomplish this, the __x86_return_thunk forces
    the CPU to mispredict every function return using a 'safe return'
    sequence.
    
    To ensure the safety of this mitigation, the kernel must ensure that the
    safe return sequence is itself free from attacker interference.  In Zen3
    and Zen4, this is accomplished by creating a BTB alias between the
    untraining function srso_untrain_ret_alias() and the safe return
    function srso_safe_ret_alias() which results in evicting a potentially
    poisoned BTB entry and using that safe one for all function returns.
    
    In older Zen1 and Zen2, this is accomplished using a reinterpretation
    technique similar to Retbleed one: srso_untrain_ret() and
    srso_safe_ret().
    Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
    fb3bd914
nospec-branch.h 16.1 KB