enh: detect IPBP return predictor bypass in Inception/SRSO ("PB-Inception") (#500)

AMD Zen 1-3 CPUs don't flush return predictions on IBPB, allowing cross-process Spectre attacks even with IBPB-on-entry active. The kernel fix (v6.12+, backported) adds RSB fill after IBPB on affected CPUs. Detect this gap by checking CPUID IBPB_RET bit and kernel ibpb_no_ret bug flag, and flag systems relying on IBPB without the RSB fill fix.
2026-04-07 09:13:20 +02:00 · 2026-04-06 00:45:09 +02:00
parent bf6289adfb
commit 0e440cbac6
2 changed files with 53 additions and 3 deletions
--- a/src/libs/400_hw_check.sh
+++ b/src/libs/400_hw_check.sh
@@ -467,6 +467,26 @@ check_cpu() {
        fi
    fi

+    # IBPB_RET: CPUID EAX=0x80000008, ECX=0x00 return EBX[30] indicates IBPB also flushes
+    # return predictions (Zen4+). Without this bit, IBPB alone does not clear the return
+    # predictor, requiring an additional RSB fill (kernel X86_BUG_IBPB_NO_RET fix).
+    cap_ibpb_ret=''
+    if is_amd || is_hygon; then
+        pr_info_nol "    * CPU indicates IBPB flushes return predictions: "
+        read_cpuid 0x80000008 0x0 $EBX 30 1 1
+        ret=$?
+        if [ $ret = $READ_CPUID_RET_OK ]; then
+            cap_ibpb_ret=1
+            pstatus green YES "IBPB_RET feature bit"
+        elif [ $ret = $READ_CPUID_RET_KO ]; then
+            cap_ibpb_ret=0
+            pstatus yellow NO
+        else
+            cap_ibpb_ret=-1
+            pstatus yellow UNKNOWN "$ret_read_cpuid_msg"
+        fi
+    fi
+
    # STIBP
    pr_info "  * Single Thread Indirect Branch Predictors (STIBP)"
    pr_info_nol "    * SPEC_CTRL MSR is available: "