Should Python builds add `-mindirect-branch=thunk -mindirect-branch-register` to CFLAGS?<div><br></div><div>Where would this need to be added in the build scripts, and for which architectures?</div><div><br></div><div>/Qspectre is the MSVC build flag for Spectre Variant 1:</div><div><br></div><div>> The /Qspectre option is available in Visual Studio 2017 version 15.7 and later. </div><div><br></div><div><a href="https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017">https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017</a><br><br><div>security@ directed me to the issue tracker / lists,</div><div>so I'm forwarding this to python-dev and python-ideas, as well.</div><br># Forwarded message<br>From: <b>Wes Turner</b> <<a href="mailto:wes.turner@gmail.com">wes.turner@gmail.com</a>><br>Date: Wednesday, September 12, 2018<br>Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register<br>To: distutils-sig <<a href="mailto:distutils-sig@python.org">distutils-sig@python.org</a>><br><br><br><div>Should C extensions that compile all add</div><div>`-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)?</div><div><br></div><div>[1] <a href="https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244" target="_blank">https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244</a></div><div>[2] <a href="https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)" target="_blank">https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)</a></div><div>[3] <a href="https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants" target="_blank">https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants</a></div><div><br></div><div><blockquote 
class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wednesday, September 12, 2018, Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wednesday, September 12, 2018, Joni Orponen <<a href="mailto:j.orponen@4teamwork.ch" target="_blank">j.orponen@4teamwork.ch</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <<a href="mailto:wes.turner@gmail.com" target="_blank">wes.turner@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Should C extensions that compile all add</div><div>`-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)?</div></blockquote><div><br></div><div>Are those available on GCC <= 4.2.0 as per PEP 513?</div></div></div></div></blockquote><div><br></div><div>AFAIU, only GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.</div></blockquote></blockquote><div><br></div><div>On Wednesday, September 12, 2018, Wes Turner <<a href="mailto:wes.turner@gmail.com">wes.turner@gmail.com</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">"What is a retpoline and how does it work?"<div><a href="https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work" 
target="_blank">https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work</a></div><div><br></div></blockquote></div>
<br></div>
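Added example, not part of the message above nor of CPython's or distutils' build scripts: a POSIX sh probe that adds the two GCC flags from the thread to CFLAGS only when the compiler in use accepts them, which is how a build script can answer the GCC-version question raised in the quoted reply (GCC 7.3 and 8 accept them; the older toolchains PEP 513 builds target do not). The names RETPOLINE_FLAGS and retpoline_cflags are mine, and the compiler is assumed to be ${CC:-cc}.

```sh
#!/bin/sh
# Added example: add the GCC retpoline flags from the thread to CFLAGS only
# if the compiler actually accepts them. GCC 7.3/8 on x86 do; older GCC (such
# as the toolchains PEP 513 manylinux builds target), non-x86 targets (these
# are x86 options) and clang reject them, and the probe then adds nothing.
RETPOLINE_FLAGS='-mindirect-branch=thunk -mindirect-branch-register'

# Prints RETPOLINE_FLAGS when ${CC:-cc} compiles a probe with them, else nothing.
retpoline_cflags() {
    cc="${CC:-cc}"
    command -v "$cc" >/dev/null 2>&1 || return 0     # no compiler at all
    tmpdir=$(mktemp -d) || return 0
    # The probe makes an indirect call, the construct retpolines rewrite,
    # so thunk code generation is exercised, not just option parsing.
    cat > "$tmpdir/probe.c" <<'EOF'
static int inc(int x) { return x + 1; }
int call(int (*fp)(int), int x) { return fp(x); }
int main(void) { return call(inc, 1) == 2 ? 0 : 1; }
EOF
    # -Werror: any warning about the options counts as a rejection too.
    if "$cc" $RETPOLINE_FLAGS -Werror -c "$tmpdir/probe.c" \
            -o "$tmpdir/probe.o" >/dev/null 2>&1; then
        printf '%s\n' "$RETPOLINE_FLAGS"
    fi
    rm -rf "$tmpdir"
}

# Usage in a build script: extend CFLAGS only with what the toolchain supports.
extra=$(retpoline_cflags)
if [ -n "$extra" ]; then
    CFLAGS="${CFLAGS:+$CFLAGS }$extra"
fi
export CFLAGS
```

On a GCC that enables -fcf-protection by default, the compiler rejects -mindirect-branch as incompatible with it, so the probe yields nothing instead of breaking the build; -fcf-protection=none would have to be passed explicitly to use retpolines there.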