Concerns about enabling retpolines by default
Florian Weimer
fweimer at redhat.com
Mon Oct 15 19:37:05 AEDT 2018
* Darren Tucker:
> On Wed, 26 Sep 2018 at 19:32, Florian Weimer <fweimer at redhat.com> wrote:
>> We recently discovered that our OpenSSH distribution binaries contain
>> retpoline thunks. It's due to this
>>
>> OSSH_CHECK_CFLAG_COMPILE([-mfunction-return=thunk]) # gcc
>> OSSH_CHECK_CFLAG_COMPILE([-mindirect-branch=thunk]) # gcc
>
> I was the one who added those. It was shortly after the disclosure of
> Spectre, and the concern was that ssh, sshd and particularly ssh-agent
> hold secrets where the disclosure of those across trust boundaries
> would be various levels of bad.
>
> The documentation at the time was pretty sparse and it's not much
> clearer now. What should a userspace program do for Spectre?
Our internal recommendation is: do nothing. Userspace appears unfixable
without hardware support.
You can try processing data from different trust domains in different
processes, then the kernel mitigations should deliver some protection.
Kind of what ssh-agent does, I guess, or privilege separation.
>> There have been other retpoline bugs in GCC which do not affect the
>> kernel (or affect only rarely used kernel features), but are potentially
>> visible in user space, so few distributions will backport those fixes to
>> their distribution compilers.
>
> Can we determine which versions are affected?
I'm afraid not easily. A lot of distribution compilers have seen some
backports for building the kernel, but the amount of fixes beyond the
initial backport is unclear.
> If there's one known to work we can disable the check for versions
> prior to that.
There is no released GCC version with the fix.
Thanks,
Florian
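Added example, not part of the thread and not OpenSSH code: a POSIX shell script that checks an object file or binary for the GCC retpoline thunks the exchange above is about, first by symbol name and then, for stripped binaries where nm has nothing to show, by the thunk's pause/lfence capture loop in the disassembly. It assumes binutils nm and objdump. The probe source is constructed here, and the build_probe/build_retpoline_probe helpers are mine; they only succeed with an x86 GCC that accepts -mindirect-branch=thunk and -mfunction-return=thunk, and print nothing otherwise.

```shell
#!/bin/sh
# Added example: does this object or binary contain GCC retpoline thunks?
# Assumes binutils (nm, objdump).

# Symbol-name check.  GCC names its thunks
#   __x86_indirect_thunk_<reg>   (from -mindirect-branch=thunk)
#   __x86_return_thunk           (from -mfunction-return=thunk)
# Prints yes, no, or unknown (file unreadable, nm missing, or nm finds
# no symbol table at all, as with a stripped executable).
retpoline_thunks() {
    if [ ! -r "$1" ] || ! command -v nm >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    syms=$(nm "$1" 2>/dev/null) || { echo unknown; return 0; }
    if printf '%s\n' "$syms" | grep -qE '__x86_(indirect_thunk|return_thunk)'; then
        echo yes
    else
        echo no
    fi
}

# Disassembly check, works on stripped binaries too.  The thunk body is
#     pause
#     lfence
#     jmp <back to pause>
# so look for "pause" immediately followed by "lfence".  This is a
# heuristic: plain spin loops use pause, but not pause+lfence.
retpoline_disasm() {
    if [ ! -r "$1" ] || ! command -v objdump >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    asm=$(objdump -d "$1" 2>/dev/null) || { echo unknown; return 0; }
    if printf '%s\n' "$asm" | grep -A1 -w pause | grep -qw lfence; then
        echo yes
    else
        echo no
    fi
}

# Build a constructed probe object (one indirect call, so a thunk would be
# needed) with the given extra flags.  Prints the object path on success;
# prints nothing and fails when there is no compiler or it rejects the
# flags (clang, non-x86, or a GCC without the retpoline options).
build_probe() {
    out=$1; shift
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'int call_through(int (*f)(int), int x) { return f(x); }' > "$dir/probe.c"
    if ${CC:-cc} -O2 -c "$@" -o "$out" "$dir/probe.c" >/dev/null 2>&1; then
        rm -rf "$dir"
        echo "$out"
    else
        rm -rf "$dir"
        rm -f "$out"
        return 1
    fi
}

# Retpoline build of the probe.  Distributions that enable -fcf-protection
# by default make GCC reject -mindirect-branch, so try with it disabled
# first, then fall back to the bare flags for compilers that predate it.
build_retpoline_probe() {
    build_probe "$1" -mindirect-branch=thunk -mfunction-return=thunk -fcf-protection=none ||
    build_probe "$1" -mindirect-branch=thunk -mfunction-return=thunk
}

# Usage: sh retpoline-check.sh <object-or-binary>
if [ $# -eq 1 ]; then
    echo "symbols: $(retpoline_thunks "$1")"
    echo "disasm:  $(retpoline_disasm "$1")"
fi
```

Run it against the installed ssh, sshd and ssh-agent to see whether a given distribution build carries the thunks; distribution packages are often stripped, so the disassembly result is the one to trust there.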