Documentation/admin-guide/hw-vuln/indirect-target-selection.rst

Source file repositories/reference/linux-study-clean/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst

File Facts

System
Linux kernel
Corpus path
Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
Extension
.rst
Size
7760 bytes
Lines
169
Domain
Support Tooling And Documentation
Bucket
Documentation
Inferred role
Support Tooling And Documentation: documentation
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

.. SPDX-License-Identifier: GPL-2.0

Indirect Target Selection (ITS)
===============================

ITS is a vulnerability in some Intel CPUs that support Enhanced IBRS and were
released before Alder Lake. ITS may allow an attacker to control the prediction
of indirect branches and RETs located in the lower half of a cacheline.

ITS is assigned CVE-2024-28956 with a CVSS score of 4.7 (Medium).

Scope of Impact
---------------
- **eIBRS Guest/Host Isolation**: Indirect branches in KVM/kernel may still be
  predicted with unintended target corresponding to a branch in the guest.

- **Intra-Mode BTI**: In-kernel training such as through cBPF or other native
  gadgets.

- **Indirect Branch Prediction Barrier (IBPB)**: After an IBPB, indirect
  branches may still be predicted with targets corresponding to direct branches
  executed prior to the IBPB. This is fixed by the IPU 2025.1 microcode, which
  should be available via distro updates. Alternatively microcode can be
  obtained from Intel's github repository [#f1]_.

Affected CPUs
-------------
Below is the list of ITS affected CPUs [#f2]_ [#f3]_:

   ========================  ============  ====================  ===============
   Common name               Family_Model  eIBRS                 Intra-mode BTI
                                           Guest/Host Isolation
   ========================  ============  ====================  ===============
   SKYLAKE_X (step >= 6)     06_55H        Affected              Affected
   ICELAKE_X                 06_6AH        Not affected          Affected
   ICELAKE_D                 06_6CH        Not affected          Affected
   ICELAKE_L                 06_7EH        Not affected          Affected
   TIGERLAKE_L               06_8CH        Not affected          Affected
   TIGERLAKE                 06_8DH        Not affected          Affected
   KABYLAKE_L (step >= 12)   06_8EH        Affected              Affected
   KABYLAKE (step >= 13)     06_9EH        Affected              Affected
   COMETLAKE                 06_A5H        Affected              Affected
   COMETLAKE_L               06_A6H        Affected              Affected
   ROCKETLAKE                06_A7H        Not affected          Affected
   ========================  ============  ====================  ===============

- All affected CPUs enumerate Enhanced IBRS feature.
- IBPB isolation is affected on all ITS affected CPUs, and need a microcode
  update for mitigation.
- None of the affected CPUs enumerate BHI_CTRL which was introduced in Golden
  Cove (Alder Lake and Sapphire Rapids). This can help guests to determine the
  host's affected status.
- Intel Atom CPUs are not affected by ITS.

Mitigation
----------
As only the indirect branches and RETs that have their last byte of instruction
in the lower half of the cacheline are vulnerable to ITS, the basic idea behind
the mitigation is to not allow indirect branches in the lower half.

This is achieved by relying on existing retpoline support in the kernel, and in
compilers. ITS-vulnerable retpoline sites are runtime patched to point to newly
added ITS-safe thunks. These safe thunks consists of indirect branch in the
second half of the cacheline. Not all retpoline sites are patched to thunks, if
a retpoline site is evaluated to be ITS-safe, it is replaced with an inline
indirect branch.

Dynamic thunks
~~~~~~~~~~~~~~
From a dynamically allocated pool of safe-thunks, each vulnerable site is

Annotation

Implementation Notes