Hi, Ata, John (US) wrote,
Hi all,
With Spectre variant 2 (CVE-2017-5715), gcc has been updated to avoid branch prediction problems via the retpoline patch. Specifically, by using either -mindirect-branch=thunk-inline or -mindirect-branch=thunk or -mindirect-branch=thunk-extern, the compiler will convert indirect branches and function returns to call and return thunks, thus avoiding speculative execution in those cases. Of course, there is a performance penalty depending on the exact argument used. Has anyone compiled uclibc with one of those switches?
I didn't try it yet. You might be the first :)
Any issues seen with that?
best regards Waldemar
Hi;
On Mi, 2018-04-04 at 19:49 +0200, Waldemar Brodkorb wrote:
Hi, Ata, John (US) wrote,
Hi all,
With Spectre variant 2 (CVE-2017-5715), gcc has been updated to avoid branch prediction problems via the retpoline patch. Specifically, by using either -mindirect-branch=thunk-inline or -mindirect-branch=thunk or -mindirect-branch=thunk-extern, the compiler will convert indirect branches and function returns to call and return thunks, thus avoiding speculative execution in those cases. Of course, there is a performance penalty depending on the exact argument used. Has anyone compiled uclibc with one of those switches?
I didn't try it yet. You might be the first :)
I did with standard compiler settings (gcc 7.3.0 and gcc 5.5 with patches) and got
Mitigation: Full AMD retpoline
on a PC Engines APU2 compared without gcc 5 patch:
Vulnerable: Minimal AMD ASM retpoline
Any issues seen with that?
Running it for a few weeks. Observed some hiccups after a few running the uclibc-ng machine with gcc5-based toolchain for WIFI, but not sure if it's related to the Spectre2 mitigation.
regards kp
best regards Waldemar _______________________________________________ devel mailing list devel@uclibc-ng.org https://mailman.uclibc-ng.org/cgi-bin/mailman/listinfo/devel
Thanks! I built both 32 bit and 64 bit uclibc with -mindirect-branch=thunk placed in the UCLIBC_EXTRA_CFLAGS field; so far I haven't noticed any problems. As this gets more use/exposure, I'll update...
Take care, ---- John Ata, CISSP Senior Principal Software Engineer Electronics Systems STOP Operating System Software Development
T 703-563-8115 | F 703-668-4359 | john.ata@baesystems.com http://www.baesystems.com/csp
-----Original Message----- From: devel [mailto:devel-bounces@uclibc-ng.org] On Behalf Of kapeka Sent: Wednesday, April 04, 2018 2:56 PM To: devel@uclibc-ng.org Subject: Re: [uclibc-ng-devel] compile uclibc with retpoline switch
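One way to check that a uClibc-ng build with -mindirect-branch=thunk in UCLIBC_EXTRA_CFLAGS really lost its indirect branches, added here as an example and not code from any poster in this thread: it scans `objdump -d` output for `jmp`/`call` through a register or memory operand and counts call sites that go through gcc's `__x86_indirect_thunk_<reg>` symbols. The disassembly and its function names are constructed for illustration; the compiler flag only rewrites compiler-generated code, so hand-written assembly in a libc is where leftovers are expected.

```shell
#!/bin/sh
# Constructed sample of `objdump -d` output (AT&T syntax); not from a real uClibc build.
sample_disasm() {
cat <<'EOF'
0000000000001000 <qsort_cmp_call>:
    1000: e8 3b 00 00 00        callq  1040 <__x86_indirect_thunk_rax>
    1005: c3                    retq
0000000000001010 <asm_memcpy_dispatch>:
    1010: ff e0                 jmpq   *%rax
0000000000001020 <dl_call_init>:
    1020: ff 55 f8              callq  *-0x8(%rbp)
0000000000001040 <__x86_indirect_thunk_rax>:
    1040: e8 07 00 00 00        callq  104c <__x86_indirect_thunk_rax+0xc>
    1045: f3 90                 pause
    1047: 0f ae e8              lfence
    104a: eb f9                 jmp    1045 <__x86_indirect_thunk_rax+0x5>
    104c: 48 89 04 24           mov    %rax,(%rsp)
    1050: c3                    retq
EOF
}

# Print "function<TAB>instruction" for every indirect jmp/call still present
# in the disassembly read from stdin (operand starting with '*').
residual_indirect() {
    awk '
        /^[0-9a-f]+ <[^>]+>:$/ { fn = $2; gsub(/[<>:]/, "", fn); next }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(jmp|call)q?$/ && $(i + 1) ~ /^\*/)
                    print fn "\t" $i " " $(i + 1)
        }'
}

# Count call/jmp sites that target the start of a gcc-generated thunk.
# Jumps inside the thunk body carry a "+0x.." offset and are not counted.
thunk_sites() {
    grep -cE '(call|jmp)q?[[:space:]]+[0-9a-f]+ <__x86_indirect_thunk_[a-z0-9]+>'
}

# On a real build: objdump -d /path/to/built/libc.so | residual_indirect
# (the path is a placeholder for wherever the build puts the library).
sample_disasm | residual_indirect
echo "thunk call sites: $(sample_disasm | thunk_sites)"
```

With -mindirect-branch=thunk-inline there is no named thunk symbol, so only `residual_indirect` is meaningful for such builds.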