Implement x86 security mitigations
Here's the list based on the x86 CPU vulnerabilities that Linux's lscpu prints. IIRC some of these only require updated microcode (but Redox doesn't currently support microcode updates).
- Spec store bypass (add IA32_SPEC_CTRL to context state)
- Spectre v1
  - usercopy lfence barriers
  - swapgs lfence barriers
  - race condition induced Spectre (Ghostrace)
  - etc...
- Spectre v2
  - Retpolines
  - IBRS?
  - IBPB?
  - Branch History Injection
  - RSB filling on context switches
  - Retbleed - https://lwn.net/Articles/901834/, https://lwn.net/Articles/907054/
  - etc...
- Meltdown (PTI - unfinished)
- Mmio stale data
- Mds
- L1tf (VMM) - does not affect the Redox kernel... yet (no hypervisor support).
- L1tf (OS) - `Frame`s are statically enforced not to be 0x0, and RMM is clearing page entries to zero (though it could be enforced better: rmm#3)
- Itlb multihit - does not yet affect the Redox kernel... but once hypervisor support is added, ensure that large/huge pages are not executable on vulnerable CPU models.
- Srbds - requires microcode update (mitigation can be disabled via MSRs)
- Tsx async abort - requires microcode update, Linux defaults to disabling TSX entirely in that case
- Gather data sampling ("DOWNFALL") - requires microcode update. TODO: anything else?
- RAS overflow ("INCEPTION") - requires microcode update too, alternatively "safe ret". TODO: anything else?
- Register File Data Sampling (only affects Intel Atom though)
Some other useful security-enhancing x86 features that sometimes improve security against the above bugs:
- UMIP
- SMEP - in general forces spectre_v2 attacks to use kernel gadgets rather than attacker-controlled text
- SMAP
- Protection keys - #160
- Shadow stacks - #163
It would most likely be wise to prioritize vulnerabilities affecting newer CPUs first, most notably Spec Store Bypass and Spectre V1/V2, then continuing with Retbleed, Meltdown, and lastly, the Intel-specific mostly-patched bugs (MDS, L1TF, TSX, MMIO stale data, SRBDS).
Redox also needs to implement microcode loading, which can probably be done from userspace.
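Several items above (IA32_SPEC_CTRL in context state, IBRS/IBPB, SMEP, SMAP, UMIP, protection keys, shadow stacks) can only be enabled once the CPU reports support for them. The following is an added example, not Redox kernel code, that decodes CPUID leaf 7, subleaf 0 into those flags; the struct and function names are hypothetical, and the EDX speculation-control bits follow Intel's enumeration (AMD reports its equivalents in a different leaf).

```rust
// Added example (not Redox kernel code): decode CPUID.(EAX=7,ECX=0) into the
// feature flags this list depends on. All names here are hypothetical.
#[derive(Debug, Default, PartialEq)]
pub struct Leaf7Features {
    pub smep: bool,      // EBX[7]
    pub smap: bool,      // EBX[20]
    pub umip: bool,      // ECX[2]
    pub pku: bool,       // ECX[3], protection keys
    pub cet_ss: bool,    // ECX[7], shadow stacks
    pub md_clear: bool,  // EDX[10], VERW buffer clearing (MDS)
    pub spec_ctrl: bool, // EDX[26], IBRS and IBPB
    pub stibp: bool,     // EDX[27]
    pub arch_caps: bool, // EDX[29], IA32_ARCH_CAPABILITIES MSR present
    pub ssbd: bool,      // EDX[31], speculative store bypass disable
}

fn bit(reg: u32, n: u32) -> bool {
    reg & (1u32 << n) != 0
}

pub fn decode_leaf7(ebx: u32, ecx: u32, edx: u32) -> Leaf7Features {
    Leaf7Features {
        smep: bit(ebx, 7), smap: bit(ebx, 20),
        umip: bit(ecx, 2), pku: bit(ecx, 3), cet_ss: bit(ecx, 7),
        md_clear: bit(edx, 10), spec_ctrl: bit(edx, 26), stibp: bit(edx, 27),
        arch_caps: bit(edx, 29), ssbd: bit(edx, 31),
    }
}

// IA32_SPEC_CTRL exists if IBRS, STIBP or SSBD is enumerated; only then does
// the MSR need a slot in per-context state.
pub fn needs_spec_ctrl_in_context(f: &Leaf7Features) -> bool {
    f.spec_ctrl || f.stibp || f.ssbd
}

#[cfg(target_arch = "x86_64")]
#[allow(unused_unsafe)]
fn read_leaf7() -> Option<(u32, u32, u32)> {
    use core::arch::x86_64::__cpuid_count;
    let max_leaf = unsafe { __cpuid_count(0, 0) }.eax;
    if max_leaf < 7 { return None; }
    let r = unsafe { __cpuid_count(7, 0) };
    Some((r.ebx, r.ecx, r.edx))
}
#[cfg(not(target_arch = "x86_64"))]
fn read_leaf7() -> Option<(u32, u32, u32)> { None }

fn main() {
    // Constructed fallback sample: SMEP, SMAP, UMIP, IBRS/IBPB and SSBD set.
    let (ebx, ecx, edx) = read_leaf7().unwrap_or((0x0010_0080, 0x4, 0x8400_0000));
    let f = decode_leaf7(ebx, ecx, edx);
    println!("{:#?}\nIA32_SPEC_CTRL in context state: {}", f, needs_spec_ctrl_in_context(&f));
}
```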