admin-guide/hw-vuln/srso.rst

1 .. SPDX-License-Identifier: GPL-2.0
8 known scenario of poisoning CPU functional units - the Branch Target
9 Buffer (BTB) and Return Address Predictor (RAP) in this case - and then
10 tricking the elevated privilege domain (the kernel) into leaking
14 Return Address Stack/Return Stack Buffer). In some cases, a non-architectural
20 but the concern is that an attacker can mis-train the CPU BTB to predict
21 non-architectural CALL instructions in kernel space and use this to
23 leading to information disclosure via a speculative side-channel.
25 The issue is tracked under CVE-2023-20569.
28 -------------------
30 AMD Zen, generations 1-4. That is, all families 0x17 and 0x19. Older
34 ------------------------------
61    kernel, but the IBPB-extending microcode has not been applied.  User
67    not address User->Kernel and Guest->Host transitions protection but it
68    does address User->User and VM->VM attack vectors.
70    Note that User->User mitigation is controlled by how the IBPB aspect in
80       i.e., always on - by supplying spectre_v2_user=on on the kernel
89    User->Kernel and Guest->Host transitions protection.
91    Selected by default or by spec_rstack_overflow=safe-ret
95    Similar protection as "safe RET" above but employs an IBPB barrier on
96    privilege domain crossings (User->Kernel, Guest->Host).
102    Mitigation addressing the cloud provider scenario - the Guest->Host
105    (spec_rstack_overflow=ibpb-vmexit)
111  - gain local access on the machine
113  - break kASLR
115  - find gadgets in the running kernel in order to use them in the exploit
117  - potentially create and pin an additional workload on the sibling
120  - run the exploit
124 attack vectors, including the local User->Kernel one.
126 As always, the user is advised to keep her/his system up-to-date by
143 --------------------
163 -----------------------------------------------
168 * PMC_0xc8 - Count of RET/RET lw retired
169 * PMC_0xc9 - Count of RET/RET lw retired mispredicted
177         List of pre-defined events (to be used in -e or -M):
187         # perf stat -e ex_ret_near_ret:k -e ex_ret_near_ret_mispred:k sleep 10s
191         # perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,umask=0/k sleep 10s
196 …[root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,…
213 …[root@brent: ~/kernel/linux/tools/perf> ./perf stat -e cpu/event=0xc8,umask=0/k -e cpu/event=0xc9,…