[Python-Dev] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Nathaniel Smith njs at pobox.com
Mon Sep 17 16:13:37 EDT 2018

Hi Wes,

It's great you're passionate about python security, but this is the wrong
way to go about it. Spectre is inherently super subtle and confusing, so if
there's something that people need to do, then we need a clear,
comprehensive write-up of what the threat is and how to address it. Perhaps
you could find some collaborators with expertise in these things and work
with them off-list to put something like that together – that could be
quite helpful.

What isn't helpful is what you've been doing instead: sending incoherent
jumbles of vaguely-related text, to multiple highly-subscribed mailing
lists, multiple times a day, for a week now. This is worse than useless.
Please stop.


On Mon, Sep 17, 2018, 12:44 Wes Turner <wes.turner at gmail.com> wrote:

> On Mon, Sep 17, 2018 at 2:58 PM Wes Turner <wes.turner at gmail.com> wrote:
>> I thought I read that RH has a kernel flag for userspace?
> "Controlling the Performance Impact of Microcode and Security Patches for
> CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise
> Linux Tunables"
> https://access.redhat.com/articles/3311301
> > Indirect Branch Restricted Speculation (ibrs)
> > [...] When ibrs_enabled is set to 1 (spectre_v2=ibrs) the kernel runs
> with indirect branch restricted speculation, which protects the kernel
> space from attacks (even from hyperthreading/simultaneous multi-threading
> attacks). When IBRS is set to 2 (spectre_v2=ibrs_always), both userland and
> kernel runs with indirect branch restricted speculation. This protects
> userspace from hyperthreading/simultaneous multi-threading attacks as well,
> and is also the default on certain old AMD processors (family 10h, 12h and
> 16h). This feature addresses CVE-2017-5715, variant #2.
> > [...]
> > echo 2 > /sys/kernel/debug/x86/ibrs_enabled
> https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/MitigationControls
> > echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both
> userspace and kernel
> ...
> On Mon, Sep 17, 2018 at 5:26 AM Antoine Pitrou <solipsis at pitrou.net>
> wrote:
>> If you want to push this forward, I suggest you measure performance of
>> Python compiled with and without the Spectre mitigation options, and
>> report the results here.  That will help vendors and packagers decide
>> whether they want to pursue the route of enabling those options.
> "Speculative Execution Exploit Performance Impacts - Describing the
> performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and
> CVE-2017-5715"
> https://access.redhat.com/articles/3307751
> - Revised worst-case peformance impact: 4-8%
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/njs%40pobox.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20180917/4025b94d/attachment-0001.html>

More information about the Python-Dev mailing list