/amd64 now optimizes out retpolines in the kernel if the CPU supports either eIBRS ("enhanced Indirect Branch Restricted Speculation") or IBT ("Indirect Branch Tracking") by using -mretpoline-external-thunk and codepatching.

guenther@ modified sys/sys/arch/amd64/*: On CPUs with eIBRS ("enhanced Indirect Branch Restricted Speculation") or IBT enabled in the kernel, the hardware should [stop] the attacks which retpolines were created to prevent. In those cases, retpolines should be a net negative for security as they are an indirect branch gadget. They're also slower.
* use -mretpoline-external-thunk to give us control of the code used for indirect branches
* default to using a retpoline as before, but mark it and the other ASM kernel retpolines for code patching
* if the CPU has eIBRS, then enable it
* if the CPU has eIBRS *or* IBT, then codepatch the three different retpolines to just indirect jumps

make clean && make config required after this

ok kettenis@


Retpolines are now disabled by default in -current, in favour of a kernel based mitigation using IBPB (indirect branch predictor barrier).

kettenis@ modified src/gnu/llvm/lld/ELF/Driver.cpp: Revert the change that enables retpoline PLTs by default. While these provide a mitigation against branch speculation attacks, they also make IBT control flow integrity less effective. Our kernel now uses IBPB as a mitigation against branch speculation attacks, so we can disable retpoline PLTs again.

ok deraadt@

guenther@ modified src/sys/arch/amd64/amd64/*: Retpolines are an anti-pattern for IBT, so we need to shift protecting userspace from cross-process BTI to the kernel. Have each CPU track the last pmap run on in userspace and the last vmm VCPU in guest-mode and use the IBPB msr to flush predictors right before running in userspace on a different pmap or entering guest-mode on a different VCPU.
Codepatch-nop the userspace bits and conditionalize the vmm bits to keep working if IBPB isn't supported.

ok deraadt@ kettenis@
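The per-CPU tracking described in the commit above, as an added illustration that is not OpenBSD's code: each CPU remembers the last pmap it ran in userspace and the last vmm VCPU it entered in guest mode, and only issues an IBPB (a write of the IBPB bit to the IA32_PRED_CMD MSR) when the next entry would run a different one. The struct and function names are hypothetical, and the MSR write is replaced by a counter so the model runs unprivileged.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model (not OpenBSD's cpu_info) of the state the commit
 * describes: one record per CPU, plus a counter standing in for the
 * actual MSR write so the logic can be exercised in userspace. */
#define MSR_PRED_CMD   0x49  /* IA32_PRED_CMD */
#define PRED_CMD_IBPB  0x1   /* writing this bit flushes indirect branch predictors */

struct cpu_info {
    const void *ci_last_pmap;   /* last pmap that ran in userspace on this CPU */
    const void *ci_last_vcpu;   /* last VCPU that ran in guest mode on this CPU */
    bool        ci_ibpb_ok;     /* CPU advertises IBPB; else the checks are patched away */
    unsigned    ci_ibpb_count;  /* instrumentation: barriers this model "issued" */
};

/* Stand-in for wrmsr(MSR_PRED_CMD, PRED_CMD_IBPB): count instead of writing. */
static void ibpb_barrier(struct cpu_info *ci)
{
    (void)MSR_PRED_CMD; (void)PRED_CMD_IBPB;
    ci->ci_ibpb_count++;
}

/* Called right before returning to userspace under pmap `pm`.
 * Returns true if a barrier was issued. Without IBPB support the
 * kernel codepatches this check to a NOP; here that is the early return. */
bool user_entry_ibpb(struct cpu_info *ci, const void *pm)
{
    if (!ci->ci_ibpb_ok)
        return false;
    if (ci->ci_last_pmap == pm)   /* same address space as last time: no flush */
        return false;
    ci->ci_last_pmap = pm;
    ibpb_barrier(ci);
    return true;
}

/* Called right before vmm enters guest mode on `vcpu`; the vmm path is
 * conditional rather than patched, but the decision is the same. */
bool guest_entry_ibpb(struct cpu_info *ci, const void *vcpu)
{
    if (!ci->ci_ibpb_ok || ci->ci_last_vcpu == vcpu)
        return false;
    ci->ci_last_vcpu = vcpu;
    ibpb_barrier(ci);
    return true;
}
```

Pmap and VCPU tracking are independent, so bouncing between the same process and the same guest on one CPU costs no extra barriers.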

IBT was enabled by default in the kernel/userland in 7.4, and is supported on Intel Tiger Lake (Core gen 11) CPUs and later.
