Linux Prepares to Mitigate ‘SLS’ Straight Line Speculation for x86 / x86_64 Processors



Last month, I reported on the activity around the straight-line speculation (SLS) mitigation for x86_64 processors, similar to the work Arm did last year on their SLS vulnerability. This work on the x86 side (x86_64 included) has now been merged into GCC 12 Git, and a kernel patch is expected to arrive shortly to make use of this latest CPU security protection.

Until a few weeks ago, most of the straight-line speculation talk referred to the mitigation on Arm, with GCC and LLVM/Clang having already merged their mitigations. Since then there has been an increase in x86_64 activity, culminating in the merging of support into the GNU Compiler Collection on Wednesday.

The merged change introduces the -mharden-sls= option for x86_64, which accepts the values none, all, return, or indirect-branch. The option mitigates straight-line speculation, that is, the processor speculatively executing the instructions that follow linearly in memory after an unconditional change in control flow. The mitigation works by inserting an INT3 instruction after function returns and indirect branches.

There was already a proposed Linux kernel patch to use this SLS compiler hardening option once it became available. In the GCC bug comments it is mentioned that a new patch is expected soon (now that the GCC patch is merged) proposing to use the option for all RETPOLINE kernel builds. In turn, this would effectively see the option enabled for most production kernels shipped by OS vendors, assuming the patch is accepted. We’ll see whether any further discussion of the real-world impact of x86_64 SLS, or any new disclosures, arise soon given the recent interest from developers in the industry.

GCC 12 adds straight-line speculation mitigation for Intel / AMD (x86 / x86_64) processors.

The GCC 12.1 stable release, which will carry this new “-mharden-sls=” option, should appear around April if the GNU compiler’s usual release cadence holds. I will be running benchmarks soon to confirm any performance impact of this compiler option, at least for Linux kernel builds and potentially for other relevant software.
