https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85216
--- Comment #18 from Bill Schmidt <wschmidt at gcc dot gnu.org> --- I asked around a bit. On x86, user-user attacks are not mitigated by default. To enable user-user mitigation: echo 2 > /sys/kernel/debug/x86/ibrs_enabled My source tells me: ----8<------- Red Hat explains the above setting as follows in https://access.redhat.com/articles/3311301 - "When IBRS is set to 2 (spectre_v2=ibrs_always), both userland and kernel runs with indirect branch restricted speculation. This protects userspace from hyperthreading/simultaneous multi-threading attacks as well, and is also the default on certain old AMD processors (family 10h, 12h and 16h). This feature addresses CVE-2017-5715, variant #2." If a GCC compiler with support for "thunks" is available, one might also build their applications, for example, PHP with the following flags added to mitigate spectre variant #2- -mindirect-branch=thunk-inline -mfunction-return=thunk-inline -mindirect-branch-register However, it is possible that to properly mitigate spectre variant#2 in Skylake processors, setting ibrs_enabled to 2 AND using thunks may be necessary, although I am not sure about this.
