Linus Torvalds has stuck to his “no swearing” resolution with his regular Sunday night Linux kernel release candidate announcement.
Probably the most important aspect of the weekend’s release candidate is that it, in a way, improves the performance of STIBP, which is a mitigation that stops malware exploiting a Spectre security vulnerability variant in Intel processors.
In November, it emerged that STIBP (Single Thread Indirect Branch Predictors), which counters Spectre Variant 2 attacks, caused nightmare slowdowns in some cases. The mitigation didn’t play well with simultaneous multi-threading (SMT) aka Intel’s Hyper Threading, and software would take up to a 50 per cent performance hit when the security measure was enabled.
Linux 4.20-rc5, emitted on Sunday, addresses this performance issue by making the security defense optional: processes can decide to use it via a system call, and all SECCOMP processes get it. Thus, if an application needs the side-channel mitigation and doesn’t suffer a slowdown hit, it can enable STIBP.
In other words, apps can decide to take their chances and not apply the STIBP defenses for Spectre. There is, to our knowledge, no known malware in the wild actively leveraging the Spectre CPU holes to potentially steal secrets and other information from running processes.
Submitted by: Arnfried Walbrecht