5

I run Debian as my OS and Guix as my package manager. I also run (approximately) latest kernel built using Guix. According to spectre-meltdown-checker, my kernel has mitigation for v1, v2 and v3.

However, latest stable GCC (7.3) has implemented three new flags, namely -mindirect-branch=choice, -mfunction-return=choice and -mindirect-branch-register. Is it a good idea to rebuild the world with all these flags enabled? If so, which choice should I pick? There are four choices to choose from, keep and thunk-extern are clearly not applicable since the former is a no-op and the later requires a user-provided thunk. Can anyone explain the difference between thunk and thunk-inline?

Finally, it seems gold from Binutils has also introduced a new flag -z retpolineplt. Should it be enabled as well?

Alex Vong
  • 182
  • 6

1 Answers1

5

Should you recompile your software with these flags enabled? In general, no.

Most software used by the average person is not seriously threatened by Spectre. It's a very difficult attack to pull off, and requires that the attacker already be able to run arbitrary code on your computer. Additionally, Phoronix's benchmarking shows there can be a substantial performance hit (sometimes as high as 40%), and that hit often shows up in things like video games that are performance-sensitive but don't handle secret information. If you're feeling paranoid, you might consider recompiling your kernel, web browser, and password manager with these flags, but other than that, the security gain isn't worth the drawbacks.

If, on the other hand, you're running a shared-hosting service, or are running a moderately valuable site (eg. e-commerce) on a shared-hosting service, you should consider recompiling your software with Spectre mitigations enabled. In this situation, arbitrary code from unknown users is running on your computer all the time. Additionally, you may be handling information that's valuable enough to justify the time needed to pull off a Spectre attack.

The difference between "thunk", "thunk-external", and "thunk-inline" is basically a performance-versus-size tradeoff: "thunk" creates one thunk section per input file, "thunk-inline" creates one per indirect branch or function return, and "thunk-external" uses one thunk section for an entire program. Thunk-inline is usually the fastest, but if it causes code to grow large enough to overflow the available cache space, it can cause significant slowdowns.

Mark
  • 34,390
  • 9
  • 85
  • 134
  • Thanks for your comprehensive answer! Especially for explaining how different options work. I cannot find this information anywhere else! One final question. How about for distro developers? Should they follow the "paranoid" approach? You know, their users include both desktop and server users. – Alex Vong Feb 15 '18 at 15:37
  • Distro developers should take the time to consider which packages do or do not need to be built with mitigations, and this consideration needs to take into account the expected userbase (eg. TAILS should go with maximum paranoia, while Ubuntu should probably only add mitigations to things related to the web browser). – Mark Feb 15 '18 at 23:09