Linux Inadvertently Has Been Leaving IBRS-Mitigated Systems Without STIBP

The Linux kernel since last year has mistakenly left systems relying on the original Indirect Branch Restricted Speculation (IBRS) for Spectre V2 mitigation without Single Threaded Indirect Branch Predictor (STIBP) coverage for cross-HyperThread dealing with this Spectre vulnerability. There is a patch underway that is resolving this issue for Intel Skylake era systems.

Since a change merged last June and being mainlined in Linux 5.19-rc2, there is no STIBP support when IBRS (the original, not to be confused with Intel eIBRS) is engaged. The patch fixing this issue explains:

"When plain IBRS is enabled (not enhanced IBRS), the logic in spectre_v2_user_select_mitigation() determines that STIBP is not needed.

The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit is cleared on returning to userspace for performance reasons which leaves userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.

Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for enabling STIBP (through seccomp/prctl() by default or always-on, if selected by spectre_v2_user kernel cmdline parameter)."

So in order to protect user-space threads with STIBP, this patch by Google engineer KP Singh is under review to allow having STIBP enabled with the "legacy" IBRS. Again, this just affects older processors relying on plain IBRS like those from Skylake/Skylake-derived designs. The patch is marked already for back-porting to stable Linux kernel series as well once its mainlined.

For those on plain IBRS systems, with Linux 6.2 is also where there is the new Call Depth Tracking feature that is less costly than IBRS for mitigating Spectre V2. But still the accumulated performance costs for all these different mitigations particularly on older Skylake era systems remains quite high.