Patches For The Better Spectre STIBP Approach Revised – Version 7 Under Review


Version 7 of the patches adding task-property-based options for enabling Spectre V2 userspace-to-userspace protection, a.k.a. the work offering an improved, less regressing approach to STIBP, is now available for testing and code review.

Tim Chen of Intel sent out the seventh revision of these patches on Tuesday night. Besides the Spectre V2 app-to-app protection modes, these patches include the work for disabling STIBP (Single Thread Indirect Branch Predictors) when enhanced IBRS (Indirect Branch Restricted Speculation) is supported/used, and for allowing STIBP to be enabled manually while being on by default only for non-dumpable tasks.

The STIBP patches will no longer take the “big hammer” approach to cross-hyperthread Spectre Variant Two mitigation, so the performance hit isn’t across the board: it is restricted to non-dumpable tasks like OpenSSH rather than applied to every process, as is currently done with Linux 4.20 Git and back-ported series like Linux 4.19.2+.

The new V7 patches add protection for SECCOMP tasks, fix bugs, update the boot options to align with the other speculation mitigations, disable the SMT code paths when irrelevant for the current system configuration, and make other code changes. All the details can be found via this patch series.

While Linus Torvalds a few days ago criticized the current STIBP approach, he stopped short of calling for it to be reverted right away but certainly wants the default behavior to change, which this patch series will do. However, until this patch series is ready for merging, Tim Chen is calling for the current STIBP code to be reverted. He noted, “Since Jiri’s patchset to always turn on STIBP has big performance impact, I think that it should be reverted from 4.20 and stable kernels for now, till this patchset to mitigate its performance impact can be merged with it.”

Greg KH did release Linux 4.19.3 and other stable point releases this morning, but the STIBP code hasn’t been touched by today’s updates. Hopefully it won’t be much longer until these cleaned-up patches are mainlined, as the current performance overhead is significant.