Open Source Summit North America 2025

Since the discovery of the Spectre vulnerability in 2017, many technologies have been developed to mitigate the risks of its variants. Full mitigation could require changes from CPU vendors, but there are various branch target injection (Spectre v2) mitigations for Linux users that are implemented from within the kernel. What are these kernel mitigation options and how are they enabled? What is the kernel actually doing when these features are enabled and how does that prevent a Spectre v2 attack? In this talk we will discuss the approach of a Spectre v2 attack, provide an in-depth explanation of mitigations for such an attack implemented in the kernel, and cover differences between them. For example, what are processor requirements and performance tradeoffs for the different mitigation options? We will compare the two main mitigation options, return trampolines (retpolines) and Enhanced Indirect Branch Restricted Speculation (Enhanced IBRS), as well as touch on other related Spectre v2 mitigation features, such as return stack buffer protection, branch history injection protection, and indirect branch prediction barriers.