spectre.rst - OpenGrok cross reference for /linux-5.19.10/Documentation/admin-guide/hw-vuln/spectre.rst

Lines Matching refs:branch
6 Spectre is a class of side channel attacks that exploit branch prediction
18 use branch prediction and speculative execution.
55 buffers, and branch predictors. Malicious software may be able to
70 of speculative execution that bypasses conditional branch instructions
92 The branch target injection attack takes advantage of speculative
94 branch predictors inside the processor used to guess the target of
103 branches in the victim to gadget code by poisoning the branch target
104 buffer of a CPU used for predicting indirect branch addresses. Such
106 with the address offset of the indirect branch under the attacker's
107 control. Since the branch prediction on impacted hardware does not
108 fully disambiguate branch address and uses the offset for prediction,
109 this could cause privileged code's indirect branch to jump to a gadget
127 from the sibling thread, as level 1 cache and branch target buffer
130 steer its indirect branch speculations to gadget code, and measure the
135 Branch History Buffer (BHB) to speculatively steer an indirect branch
137 associated with the source address of the indirect branch. Specifically,
163    is invalid, but bound checks are bypassed in the code branch taken
174    An attacker can train the branch predictor to speculatively skip the
204    A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
206    After entering the kernel, the kernel could use the poisoned branch
215    The kernel can protect itself against consuming poisoned branch
245    :ref:`poisoning <poison_btb>` the branch target buffer.  This can
246    influence the indirect branch targets for a victim process that either
251    by using the prctl() syscall to disable indirect branch speculation
253    from polluting the branch target buffer by disabling the process's
254    indirect branch speculation. This comes with a performance cost
255    from not using indirect branch speculation and clearing the branch
257    indirect branch speculation disabled, Single Threaded Indirect Branch
259    sibling thread from controlling branch target buffer.  In addition,
261    branch target buffer when context switching to and from such process.
264    This prevents the branch target buffer from being used for branch
286    <poison_btb>` the branch target buffer or return stack buffer, causing
290    for indirect branches to bypass the poisoned branch target buffer,
295    indirect branch speculation disabled via prctl().  The branch target
311    :ref:`poisoning <poison_btb>` the branch target buffer or the return
317    and clearing the branch target buffer before switching to a new guest.
321    by turning off the unsafe guest's indirect branch speculation via
397   - Indirect branch prediction barrier (IBPB) status for protection between
405   'IBPB: conditional'   Use IBPB on SECCOMP or indirect branch restricted tasks
408   - Single threaded indirect branch prediction (STIBP) status for protection
416   'STIBP: conditional'  Use STIBP on SECCOMP or indirect branch restricted tasks
473    -mindirect-branch=thunk-extern -mindirect-branch-register options.
490    On x86, indirect branch restricted speculation is turned on by default
506    This protects them from consuming poisoned entries in the branch
508    programs can disable their indirect branch speculation via prctl()
512    flush the branch target buffer when switching to/from the program.
514    Restricting indirect branch speculation on a user program will
520    Programs that disable their indirect branch speculation will have
538    poisoned entries in branch target buffer left by rogue guests.  It also
540    stack buffer underflow so poisoned branch target buffer could be used,
544    the branch target buffer is sanitized by flushing before switching
551    its indirect branch speculation disabled by administrator via prctl().
573 		(indirect branch prediction) vulnerability. System may
581 		(indirect branch speculation) vulnerability.
611                 retpoline,lfence        LFENCE; indirect branch
643    disabling indirect branch speculation when the program is running
650    off by disabling their indirect branch speculation when they are run
652    This prevents untrusted programs from polluting the branch target
663    overhead as indirect branch speculations for all programs will be
666    On x86, branch target buffer will be flushed with IBPB when switching
672    whose indirect branch speculation is explicitly disabled,
674    program to clear the branch target buffer (See "ibpb" option in
694 … Retpoline: A branch target injection mitigation <https://software.intel.com/security-software-gui…
698 …ntel.com/security-software-guidance/insights/deep-dive-single-thread-indirect-branch-predictors>`_.
704 [5] `AMD64 technology indirect branch control extension <https://developer.amd.com/wp-content/resou…
724 [9] `Retpoline: a software construct for preventing branch-target-injection <https://support.google…