[Python-Dev] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Wes Turner wes.turner at gmail.com
Mon Sep 17 15:41:55 EDT 2018

On Mon, Sep 17, 2018 at 2:58 PM Wes Turner <wes.turner at gmail.com> wrote:

> I thought I read that RH has a kernel flag for userspace?

"Controlling the Performance Impact of Microcode and Security Patches for
CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise
Linux Tunables"

> Indirect Branch Restricted Speculation (ibrs)
> [...] When ibrs_enabled is set to 1 (spectre_v2=ibrs) the kernel runs
> with indirect branch restricted speculation, which protects the kernel
> space from attacks (even from hyperthreading/simultaneous multi-threading
> attacks). When IBRS is set to 2 (spectre_v2=ibrs_always), both userland and
> kernel runs with indirect branch restricted speculation. This protects
> userspace from hyperthreading/simultaneous multi-threading attacks as well,
> and is also the default on certain old AMD processors (family 10h, 12h and
> 16h). This feature addresses CVE-2017-5715, variant #2.
> [...]
> echo 2 > /sys/kernel/debug/x86/ibrs_enabled

> echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both
> userspace and kernel

On Mon, Sep 17, 2018 at 5:26 AM Antoine Pitrou <solipsis at pitrou.net> wrote:

> If you want to push this forward, I suggest you measure performance of
> Python compiled with and without the Spectre mitigation options, and
> report the results here.  That will help vendors and packagers decide
> whether they want to pursue the route of enabling those options.

"Speculative Execution Exploit Performance Impacts - Describing the
performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and

- Revised worst-case performance impact: 4-8%
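
A way to check which IBRS mode a host is actually running, as an added example that is not part of the original message or of Red Hat's documentation. It reads the two tunable paths quoted above; the `root` argument and the fallback to the mainline `/sys/devices/system/cpu/vulnerabilities/spectre_v2` file are assumptions of this example, not something the thread mentions.

```shell
#!/bin/sh
# Added example: report the IBRS / Spectre v2 mitigation mode of a Linux host.
# Usage: ibrs_mode            (inspect the live system, debugfs needs root)
#        ibrs_mode /some/tree (hypothetical root prefix, used for testing)

ibrs_mode() {
    root="${1:-}"
    # Tunable locations quoted in the message (Red Hat kernels).
    for f in "$root/sys/kernel/debug/x86/ibrs_enabled" \
             "$root/proc/sys/kernel/ibrs_enabled"; do
        if [ -r "$f" ]; then
            val=$(tr -d '[:space:]' < "$f")
            case "$val" in
                0) echo "ibrs=0: IBRS disabled" ;;
                1) echo "ibrs=1: kernel space only" ;;
                2) echo "ibrs=2: kernel and userland" ;;
                *) echo "ibrs=unknown: unexpected value '$val'"
                   return 2 ;;
            esac
            return 0
        fi
    done
    # Assumption of this example: kernels without the Red Hat tunable
    # expose a one-line status summary in the mainline sysfs file.
    f="$root/sys/devices/system/cpu/vulnerabilities/spectre_v2"
    if [ -r "$f" ]; then
        echo "spectre_v2: $(cat "$f")"
        return 0
    fi
    # Neither source readable: debugfs not mounted, not root, or old kernel.
    echo "ibrs=unavailable: no tunable or sysfs entry readable"
    return 1
}
```

A non-zero return distinguishes "state could not be determined" from a readable value, so a fleet audit does not count an unreadable debugfs as a disabled mitigation.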
