Should Python builds add `-mindirect-branch=thunk -mindirect-branch-register` to CFLAGS? Where would this be added in the build scripts, and for which architectures? /QSpectre is the MSVC build flag for Spectre Variant 1:
The /Qspectre option is available in Visual Studio 2017 version 15.7 and later.
https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017

security@ directed me to the issue tracker / lists, so I'm forwarding this to python-dev and python-ideas, as well.

# Forwarded message
From: *Wes Turner* <wes.turner@gmail.com>
Date: Wednesday, September 12, 2018
Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register
To: distutils-sig <distutils-sig@python.org>

Should C extensions that compile all add `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)?

[1] https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244
[2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
[3] https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants

On Wednesday, September 12, 2018, Wes Turner <wes.turner@gmail.com> wrote:
On Wednesday, September 12, 2018, Joni Orponen <j.orponen@4teamwork.ch> wrote:
On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <wes.turner@gmail.com> wrote:
Should C extensions that compile all add `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the risk of Spectre variant 2 (which does indeed affect user space applications as well as kernels)?
Are those available on GCC <= 4.2.0 as per PEP 513?
AFAIU, only GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.
On Wednesday, September 12, 2018, Wes Turner <wes.turner@gmail.com> wrote:
"What is a retpoline and how does it work?" https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work
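
An added example, not part of the thread or of any Python build script: a POSIX shell probe that checks whether a given compiler accepts the two flags discussed above before they are appended to CFLAGS. This answers both the compiler-version and the architecture question at build time. The function names and the `CC` default are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: feature-probe the retpoline flags from the thread instead of
# hard-coding them. Function names and the CC default are assumptions.

# cc_accepts CC FLAG...
# Succeeds only if CC compiles a trivial translation unit with every FLAG.
cc_accepts() {
    _cc=$1
    shift
    _dir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$_dir/probe.c"
    # -Werror makes compilers that only warn about an unknown option fail.
    if "$_cc" -Werror "$@" -c "$_dir/probe.c" -o "$_dir/probe.o" >/dev/null 2>&1
    then
        _rc=0
    else
        _rc=1   # old compiler, non-x86 target, or compiler not found
    fi
    rm -rf "$_dir"
    return $_rc
}

# retpoline_cflags [CC]
# Prints the flag pair when CC accepts both flags together, otherwise prints
# nothing, so the result can be appended to CFLAGS unconditionally.
retpoline_cflags() {
    _probe_cc=${1:-cc}
    if cc_accepts "$_probe_cc" -mindirect-branch=thunk -mindirect-branch-register
    then
        printf '%s\n' '-mindirect-branch=thunk -mindirect-branch-register'
    fi
}

# Stand-alone use: extend CFLAGS only with what the compiler really supports.
EXTRA=$(retpoline_cflags "${CC:-cc}")
CFLAGS="${CFLAGS:+$CFLAGS }$EXTRA"
echo "CFLAGS=$CFLAGS"
```

The probe reports what the compiler in the build environment accepts; it does not verify that the resulting binary contains retpoline thunks.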