On Thu, 2018-01-04 at 12:42 +0100, Pavel Machek wrote:
> > No, really. The full mitigation with the microcode update and IBRS
> > support is *slow*. Horribly slow.
>
> What is IBRS? Invalidate BRanch prediction bufferS?

That isn't the precise acronym, but yes. The branch predictor flush that, without retpoline, we have to do on every entry to the kernel. Requires new microcode, and the patches that I believe Intel are *about* to post...

The first variant (all they can do on current CPUs with a microcode update) is really slow, and thus retpoline is *very* much the preferred option to protect the kernel on current CPUs. Later CPUs will apparently have a better version of IBRS which is preferred, so we'll ALTERNATIVE out the retpoline if we discover we're running on one of those.

Public docs will, presumably, be forthcoming Real Soon Now™.