[Python-ideas] SEC: Spectre variant 2: GCC: -mindirect-branch=thunk -mindirect-branch-register

Wes Turner wes.turner at gmail.com
Sun Sep 16 10:07:09 EDT 2018


Should Python builds add `-mindirect-branch=thunk
-mindirect-branch-register` to CFLAGS?

Where would this be added in the build scripts, and for which
architectures?

/Qspectre is the MSVC build flag for Spectre Variant 1:

> The /Qspectre option is available in Visual Studio 2017 version 15.7 and
> later.

https://docs.microsoft.com/en-us/cpp/build/reference/qspectre?view=vs-2017

security@ directed me to the issue tracker / lists,
so I'm forwarding this to python-dev and python-ideas, as well.

# Forwarded message
From: *Wes Turner* <wes.turner at gmail.com>
Date: Wednesday, September 12, 2018
Subject: SEC: Spectre variant 2: GCC: -mindirect-branch=thunk
-mindirect-branch-register
To: distutils-sig <distutils-sig at python.org>


Should C extensions that compile all add
`-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate the
risk of Spectre variant 2 (which does indeed affect user space applications
as well as kernels)?

[1] https://github.com/speed47/spectre-meltdown-checker/issues/119#issuecomment-361432244
[2] https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
[3] https://en.wikipedia.org/wiki/Speculative_Store_Bypass#Speculative_execution_exploit_variants

On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com> wrote:
>
>> On Wednesday, September 12, 2018, Joni Orponen <j.orponen at 4teamwork.ch>
>> wrote:
>>
>>> On Wed, Sep 12, 2018 at 8:48 PM Wes Turner <wes.turner at gmail.com> wrote:
>>>
>>>> Should C extensions that compile all add
>>>> `-mindirect-branch=thunk -mindirect-branch-register` [1] to mitigate
>>>> the risk of Spectre variant 2 (which does indeed affect user space
>>>> applications as well as kernels)?
>>>>
>>>
>>> Are those available on GCC <= 4.2.0 as per PEP 513?
>>>
>>
>> AFAIU, only
>> GCC 7.3 and 8 have the retpoline (indirect-branch=thunk) support enabled
>> by the `-mindirect-branch=thunk -mindirect-branch-register` CFLAGS.
>>
>
On Wednesday, September 12, 2018, Wes Turner <wes.turner at gmail.com> wrote:

> "What is a retpoline and how does it work?"
> https://stackoverflow.com/questions/48089426/what-is-a-retpoline-and-how-does-it-work
>
>
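
Added example, not part of the original message or of CPython's or distutils' build scripts: one way a setup.py could probe whether the compiler accepts the two flags before adding them, which covers the older-GCC case raised in the thread. The helper names, the probe source and the set of x86 machine strings are assumptions made for this sketch.

```python
import os
import platform
import subprocess
import tempfile

# The two flags discussed in the thread; GCC documents both as x86 options.
RETPOLINE_FLAGS = ["-mindirect-branch=thunk", "-mindirect-branch-register"]
# Assumed spellings of x86 in platform.machine() (lowercased).
X86_MACHINES = {"x86_64", "amd64", "i386", "i686"}

# Constructed probe source: one indirect call, so the flags have something to act on.
PROBE_SOURCE = "int (*fp)(void);\nint call_it(void) { return fp(); }\n"


def compiler_accepts(cc, flags, run=subprocess.run):
    """Return True if `cc` compiles the probe with `flags` and no diagnostics."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "probe.c")
        obj = os.path.join(tmp, "probe.o")
        with open(src, "w") as fh:
            fh.write(PROBE_SOURCE)
        # -Werror turns "unused/unknown option" warnings into a failed probe.
        cmd = [cc, "-Werror", *flags, "-c", src, "-o", obj]
        try:
            proc = run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except OSError:
            return False  # compiler not installed or not executable
        return proc.returncode == 0


def spectre_v2_cflags(cc="cc", machine=None, run=subprocess.run):
    """Return the retpoline flags if they apply to this target, else []."""
    machine = (machine or platform.machine()).lower()
    if machine not in X86_MACHINES:
        return []  # the flags are x86-only; never pass them elsewhere
    if compiler_accepts(cc, RETPOLINE_FLAGS, run):
        return list(RETPOLINE_FLAGS)
    return []  # compiler without support: build without the flags


if __name__ == "__main__":
    cc = os.environ.get("CC", "cc")
    extra = spectre_v2_cflags(cc)
    print("extra_compile_args =", extra)
```

The returned list can be passed as `extra_compile_args` to a setuptools `Extension`; an empty list means the build proceeds without the mitigation, which a build script may want to log.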