Avoid speculative indirect branches in kernel

An XCCDF Rule

Description

Compile the kernel with the retpoline compiler options to guard against kernel-to-user data leaks by avoiding speculative indirect branches. Full protection requires a compiler that supports -mindirect-branch=thunk-extern. The kernel may run slower.

The configuration used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_RETPOLINE, run the following command:

    grep CONFIG_RETPOLINE /boot/config-*

For each kernel installed, a line with the value "y" should be returned.
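The per-kernel check described above, written out as a small POSIX shell function. This is an added example, not part of the XCCDF rule or the ComplianceAsCode project's own check; it takes the config directory as a parameter (assumption, so it can be exercised against constructed sample files) and treats only an exact CONFIG_RETPOLINE=y line as a pass, so a "# CONFIG_RETPOLINE is not set" comment line fails as it should.

```sh
#!/bin/sh
# Added example (not from the rule page): report CONFIG_RETPOLINE for every
# config-* file in a directory, the way the rule's grep check is meant to be
# read. In production the directory is /boot; here it is a parameter so the
# function can be run against constructed sample files.

# check_retpoline DIR
#   Prints PASS/FAIL per config-* file in DIR.
#   Returns 0 only if every file has an exact "CONFIG_RETPOLINE=y" line.
check_retpoline() {
    dir="$1"
    rc=0
    for f in "$dir"/config-*; do
        [ -f "$f" ] || continue
        # -x: whole-line match, so "# CONFIG_RETPOLINE is not set" does not pass.
        if grep -qx 'CONFIG_RETPOLINE=y' "$f"; then
            echo "PASS: $f"
        else
            detail=$(grep 'CONFIG_RETPOLINE' "$f" || echo 'CONFIG_RETPOLINE absent')
            echo "FAIL: $f ($detail)"
            rc=1
        fi
    done
    return $rc
}

# make_samples
#   Creates a temporary directory with two constructed kernel configs (one
#   compliant, one not) and prints its path. Sample data only.
make_samples() {
    d=$(mktemp -d)
    printf 'CONFIG_X86=y\nCONFIG_RETPOLINE=y\n' > "$d/config-sample-good"
    printf 'CONFIG_X86=y\n# CONFIG_RETPOLINE is not set\n' > "$d/config-sample-bad"
    echo "$d"
}

# Stand-alone run against the constructed samples; against a real system use:
#   check_retpoline /boot
if [ "${1:-}" = "--demo" ]; then
    check_retpoline "$(make_samples)"
fi
```

Run it as `sh check_retpoline.sh --demo` to see one PASS and one FAIL line, or call `check_retpoline /boot` on a host with root-readable kernel configs. Note that the kernel tree renamed this option to CONFIG_MITIGATION_RETPOLINE starting with Linux 6.9, so on very recent kernels a check keyed only on CONFIG_RETPOLINE will report a false FAIL; the rule text as written targets the older name.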

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This is required to enable protection against Spectre v2.

ID
xccdf_org.ssgproject.content_rule_kernel_config_retpoline
Severity
Medium