Lines Matching +full:guest +full:- +full:side
1 .. SPDX-License-Identifier: GPL-2.0
3 Spectre Side Channels
6 Spectre is a class of side channel attacks that exploit branch prediction
8 bypassing access controls. Speculative execution side channel exploits
14 -------------------
16 Speculative execution side channel methods affect a wide range of modern
22 - Intel Core, Atom, Pentium, and Xeon processors
24 - AMD Phenom, EPYC, and Zen processors
26 - IBM POWER and zSeries processors
28 - Higher end ARM processors
30 - Apple CPUs
32 - Higher end MIPS CPUs
34 - Likely most other high performance CPUs. Contact your CPU vendor for details.
40 ------------
45 CVE-2017-5753 Bounds check bypass Spectre variant 1
46 CVE-2017-5715 Branch target injection Spectre variant 2
47 CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
51 -------
56 influence the speculative execution paths, and then use the side effects
67 ---------------------------------------
73 memory accesses to invalid memory (with out-of-bound index) that are
75 memory accesses can leave side effects, creating side channels which
83 only about user-controlled array bounds checks. It can affect any
90 -------------------------------------------
97 the victim. The side effects left in the CPU's caches during speculative
112 The most useful gadgets take an attacker-controlled input parameter (such
126 On systems with simultaneous multi-threading (SMT), attacks are possible
131 speculative execution's side effects left in level 1 cache to infer the
141 Previously the only known real-world BHB attack vector was via unprivileged
147 ----------------
175 the GS register to a user-space value, if the swapgs is speculatively
176 skipped, subsequent GS-related percpu accesses in the speculation
177 window will be done with the attacker-controlled GS value. This
194 become visible via an L1 side channel attack.
212 the gadget has executed, he can measure the side effect.
235 multi-threading (SMT) system.
271 3. A virtualized guest attacking the host
275 kernel. The kernel is entered via hyper-calls or other virtualization
279 (e.g. in registers) via hyper-calls to derive invalid pointers to
297 4. A virtualized guest attacking other guest
300 A rogue guest may attack another guest to get data accessible by the
301 other guest.
306 pointers to privileged data in guest. The privileged data could be
309 Spectre variant 2 attacks can be launched from a rogue guest by
312 speculation execution paths in the victim guest.
316 and clearing the branch target buffer before switching to a new guest.
318 If SMT is used, Spectre variant 2 attacks from an untrusted guest
320 by turning off the unsafe guest's indirect branch speculation via
321 prctl(). A guest can also protect itself by turning on microcode
322 based mitigations (such as IBPB or STIBP on x86) within the guest.
327 --------------------------
339 .. list-table::
341 * - 'Not affected'
342 - The processor is not vulnerable.
343 * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
344 - The swapgs protections are disabled; otherwise it has
347 * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
348 - Protection in the kernel on a case by case base with explicit
358 CPU has support for additional process-specific mitigation.
369 per process on a case-by-case base.
377 - Kernel status:
384 'Mitigation: Enhanced IBRS' Hardware-focused mitigation
385 'Mitigation: Enhanced IBRS + Retpolines' Hardware-focused + Retpolines
386 'Mitigation: Enhanced IBRS + LFENCE' Hardware-focused + LFENCE
389 - Firmware status: Show if Indirect Branch Restricted Speculation (IBRS) is
396 - Indirect branch prediction barrier (IBPB) status for protection between
403 'IBPB: always-on' Use IBPB on all tasks
407 - Single threaded indirect branch prediction (STIBP) status for protection
418 - Return stack buffer (RSB) protection status:
424 - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
427 'PBRSB-eIBRS: SW sequence' CPU is affected and protection of RSB on VMEXIT enabled
428 'PBRSB-eIBRS: Vulnerable' CPU is vulnerable
429 'PBRSB-eIBRS: Not affected' CPU is not affected by PBRSB
432 - Branch History Injection (BHI) protection status:
434 .. list-table::
436 * - BHI: Not affected
437 - System is not affected
438 * - BHI: Retpoline
439 - System is protected by retpoline
440 * - BHI: BHI_DIS_S
441 - System is protected by BHI_DIS_S
442 * - BHI: SW loop, KVM SW loop
443 - System is protected by software clearing sequence
444 * - BHI: Vulnerable
445 - System is vulnerable to BHI
446 * - BHI: Vulnerable, KVM: SW loop
447 - System is vulnerable; KVM is protected by software clearing sequence
454 -----------------------------------------------------------------
468 Copy-from-user code has an LFENCE barrier to prevent the access_ok()
469 check from being mis-speculated. The barrier is done by the
489 -mindirect-branch=thunk-extern -mindirect-branch-register options.
491 to support -mretpoline-external-thunk option. The kernel config
495 On Intel Skylake-era systems the mitigation covers most, but not all,
509 On Intel's enhanced IBRS systems, this includes cross-thread branch target
543 :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
577 To mitigate guest-to-guest attacks in the same CPU hardware thread,
579 to a new guest on a CPU.
583 To mitigate guest-to-guest attacks from sibling thread when SMT is
584 in use, an untrusted guest running in the sibling thread can have
593 ---------------------------------------------
601 - nospectre_v1
602 - nospectre_v2
603 - spectre_v2={option}
604 - spectre_v2_user={option}
605 - spectre_bhi={option}
607 For more details on the available options, refer to Documentation/admin-guide/kernel-parameters.txt
610 --------------------------
622 For security-sensitive programs that have secrets (e.g. crypto
625 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
632 (See :ref:`Documentation/userspace-api/spec_ctrl.rst <set_spec_ctrl>`).
661 ---------------------
667 …tive execution side channels <https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel…
671 …s check bypass <https://software.intel.com/security-software-guidance/software-guidance/bounds-che…
675 …ion <https://software.intel.com/security-software-guidance/insights/deep-dive-retpoline-branch-tar…
679 …ctors <https://software.intel.com/security-software-guidance/insights/deep-dive-single-thread-indi…
685 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
689 …ation on AMD processors <https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AM…
695 …ache speculation side-channels <https://developer.arm.com/support/arm-security-updates/speculative…
699 …developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/latest-updates/…
705 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…
711 …ative execution and side channel vulnerabilities <https://www.mips.com/blog/mips-response-on-specu…
725 …rn Stack Buffer <https://www.usenix.org/system/files/conference/woot18/woot18-paper-koruyeh.pdf>`_.