Spectre V1 mitigations in the Linux kernel are coming for RISC-V with newer RISC-V core designs being vulnerable to Spectre Variant One style attacks.
Spectre V1 as a reminder is the variant for Bounds Check Bypass with CPU speculative execution in conditional branches. The Linux kernel RISC-V code hasn’t seen Spectre V1 protections since earlier more basic RISC-V core designs have been immune to Variant One and other Spectre vulnerabilities. But newer more complex RISC-V core designs are bringing some of the same challenges exhibited on x86_64 and AArch64 architectures.
Lukas Gerlach of Germany’s CISPA Helmholtz Center for Information Security posted the initial Linux kernel patches today for enabling Spectre V1 for RISC-V:
“This series adds Spectre v1 to RISC-V in line with x86 and arm64.
Modern RISC-V CPUs with deep pipelines (e.g., XuanTie C910, SiFive P550) are susceptible to Spectre v1 attacks where an attacker can speculatively bypass bounds checks and leak kernel memory via cache side channels.
The first patch adds pointer masking to uaccess routines. Similar to arm64’s uaccess_mask_ptr(), this clears the top bit of user pointers before access, ensuring that even under speculation, a user-controlled pointer cannot reach kernel memory.
The second patch sanitizes the syscall number using array_index_nospec() before indexing into the syscall table, preventing out-of-bounds speculative reads similar to what x86 does.”
Those interested can find these initial RISC-V Spectre V1 patches on the Linux kernel mailing list.
