Call Depth Tracking For Less Costly Retbleed Mitigation Hopes To Land Soon

Longtime Linux kernel engineer Peter Zijlstra with Intel has sent out his latest "Call Depth Tracking" patches as a mitigation for Retbleed that aims to be less costly on system performance than the current mitigation approach. With this latest patch series, he indicates he hopes to soon get this code mainlined.

Call Depth Tracking for Retbleed mitigation aims to avoid the IBRS "performance horror show" currently impacting affected Intel CPUs. The developers previously acknowledged the "insane overhead" coming with the Indirect Branch Restricted Speculation (IBRS) usage in light of Retbleed. As for the Call Depth Tracking approach:

Call depth tracking is designed to break this speculation path by stuffing speculation trap calls into the RSB which are never getting a corresponding return executed. This stalls the prediction path until it gets resteered,

The assumption is that stuffing at the 12th return is sufficient to break the speculation before it hits the underflow and the fallback to the other predictors. Testing confirms that it works. Johannes, one of the retbleed researchers. tried to attack this approach and confirmed that it brings the signal to noise ratio down to the crystal ball level.

There is obviously no scientific proof that this will withstand future research progress, but all we can do right now is to speculate about that.

Call Depth Tracking was updated in early September and on Thursday marked a third iteration of the patches. This is good news particularly with the heavy performance hits being taken over the current IBRS-based Retbleed mitigation on Skylake era servers.

With the v3 patch series sent out on Thursday, Peter noted:

Changes since v2 are minimal; I reworked the alignment thing per Linus' request (patch #8) and collected a few tags.

Barring great objections I'm hoping to merge this soon so we can all get on with other things.

So if all goes well, it's possible we'll see this merged for the Linux 6.1 cycle coming up in early October. Since it's a security/mitigation item, it's possible it could try to land for the current 6.0 cycle still, but given that it's a set of 59 patches and there is already the existing Retbleed mitigation, presumably Linus Torvalds would want to wait until the v6.1 merge window that is opening soon.

For the processors affected by Retbleed and currently using IBRS, the Call Depth Tracking "stuff" (see option name below) leads to much less overhead while still keeping the system safe:

With these patches, on affected processors the Call Depth Tracking mitigation isn't used by default but for at least the time being is only activated using the "retbleed=stuff" kernel option.