On Thu, Feb 01, 2018 at 06:14:27PM +0100, Peter Zijlstra wrote:
> On Thu, Feb 01, 2018 at 04:51:35PM +0000, David Woodhouse wrote:
> > > Ideally we'd have a way to mark the module 'unsafe' or something.
> >
> > No, we just need to set IBRS before doing it.
>
> That would work, assuming IBRS is available to begin with of course. Do
> we WARN if we hit this code and don't have IBRS available?

Perhaps it should just be reported in the spectre_v2 sysfs file. So
"Mitigation: Full generic retpoline" would instead be something like
"Vulnerable: Retpoline without IBRS" ?

> > The same applies to any
> > EFI runtime calls, APM and all kinds of other random crap that calls
> > into firmware. I'm not sure why those aren't showing up.
>
> arch/x86/platform/efi/Makefile:OBJECT_FILES_NON_STANDARD_efi_thunk_$(BITS).o := y
> arch/x86/platform/efi/Makefile:OBJECT_FILES_NON_STANDARD_efi_stub_$(BITS).o := y
>
> And similar things tell objtool to please not look..

Right, some of the corner cases like efi, vdso, and bpf tend to be
ignored by objtool right now.

--
Josh