Concerns about enabling retpolines by default

Florian Weimer fweimer at redhat.com
Mon Oct 15 19:37:05 AEDT 2018


* Darren Tucker:

> On Wed, 26 Sep 2018 at 19:32, Florian Weimer <fweimer at redhat.com> wrote:
>> We recently discovered that our OpenSSH distribution binaries contain
>> retpoline thunks.  It's due to this
>>
>>             OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
>>             OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
>
> I was the one who added those.  It was shortly after the disclosure of
> Spectre, and the concern was that ssh, sshd and particularly ssh-agent
> hold secrets where the disclosure of those across trust boundaries
> would be various levels of bad.
> 
> The documentation at the time was pretty sparse and it's not much
> clearer now.  What should a userspace program do for Spectre?

Our internal recommendation is: do nothing.  Userspace appears unfixable
without hardware support.

You can try processing data from different trust domains in different
processes, then the kernel mitigations should deliver some protection.
Kind of what ssh-agent does, I guess, or privilege separation.

>> There have been other retpoline bugs in GCC which do not affect the
>> kernel (or affect only rarely used kernel features), but are potentially
>> visible in user space, so few distributions will backport those fixes to
>> their distribution compilers.
>
> Can we determine which versions are affected?

I'm afraid not easily.  A lot of distribution compilers have seen some
backports for building the kernel, but the amount of fixes beyond the
initial backport is unclear.

> If there's one known to work we can disable the check for versions
> prior to that.

There is no released GCC version with the fix.

Thanks,
Florian
