The last few days have seen some scary CPU security issues. One is Spectre <https://spectreattack.com/>, which takes advantage of branch prediction and cache timings to read memory that should be inaccessible.
The main (only?) mitigation that I have seen is to use "retpolines" - a portmanteau of 'return trampoline' - instead of indirect jump instructions. The technique is described in detail in a blog post <https://support.google.com/faqs/answer/7625886>, and patches have been written for LLVM <https://reviews.llvm.org/D41723> and Linux <https://lkml.org/lkml/2018/1/4/174> already. It replaces a single instruction with about seven and blocks branch prediction, so it is expected to have a significant performance impact, but the security is worth it in some contexts. Will the Go compiler be writing retpoline instructions instead of indirect jumps? I am particularly worried about the performance implications for code that calls lots of interface - will it use retpolines only under a configuration flag?
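
The instruction sequence the message refers to, as an added example that is not part of the original post and not code from the Go, LLVM or Linux projects: a C function that makes an indirect call through a retpoline thunk rather than a `call *reg` instruction. It assumes x86-64, the System V ABI and GCC or Clang inline assembly; `call_via_retpoline` and `twice` are hypothetical names.

```c
#include <stdio.h>

typedef long (*fn_t)(long);

static long twice(long x) { return 2 * x; }   /* constructed sample target */

/* Hypothetical helper: calls target(arg) with no indirect call/jmp executed. */
__attribute__((noinline))
static long call_via_retpoline(fn_t target, long arg)
{
#if defined(__x86_64__)
    register fn_t t __asm__("r11") = target;  /* thunk expects target in r11 */
    long ret;
    __asm__ volatile(
        "mov  %%rsp, %%rbx\n\t"   /* save the stack pointer */
        "sub  $128, %%rsp\n\t"    /* step over the red zone */
        "and  $-16, %%rsp\n\t"    /* ABI stack alignment before the call */
        "jmp  3f\n"
        "1:\n\t"                  /* retpoline thunk starts here */
        "call 2f\n"               /* pushes the address of the capture loop */
        "4:\n\t"                  /* the predicted return lands here ... */
        "pause\n\t"
        "lfence\n\t"
        "jmp  4b\n"               /* ... and spins until it is squashed */
        "2:\n\t"
        "mov  %%r11, (%%rsp)\n\t" /* overwrite return address with target */
        "ret\n"                   /* architecturally "returns" into target */
        "3:\n\t"
        "call 1b\n\t"             /* pushes the real return address */
        "mov  %%rbx, %%rsp\n\t"   /* restore the stack pointer */
        : "=a"(ret), "+D"(arg), "+r"(t)
        :
        : "rbx", "rcx", "rdx", "rsi", "r8", "r9", "r10",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14",
          "xmm15", "memory", "cc");
    return ret;
#else
    return target(arg);   /* other architectures: plain indirect call */
#endif
}

int main(void)
{
    printf("%ld\n", call_via_retpoline(twice, 21));
    return 0;
}
```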