Mitigation for Speculative Return Stack Overflow (SRSO)

[czhang03]

SRSO is a vulnerability for AMD processor from Zen 1-4 (basically all modern AMD processor). And there are several kargs that can mitigate this vulnerablity: spec_rstack_overflow=microcode, spec_rstack_overflow=safe-ret, spec_rstack_overflow=ibpb, or spec_rstack_overflow=ibpb-vmexit

On my framework AMD, which uses current gen AMD cpu, with all the kargs_hardening applied, the output of lscpu shows Spec rstack overflow: Vulnerable: Safe RET, no microcode and

$ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Vulnerable: Safe RET, no microcode

Kernel Doc: https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
Discussion On KickSecure: Kicksecure/security-misc#177

[qoijjj]

The discussion on kicksecure actually indicates that no change should be made. The string you posted indicates that safe-ret (the kernel default) is already being applied. however, it's not a full mitigation. From the document you linked:

'Vulnerable: Safe RET, no microcode':

The "Safe RET" mitigation (see below) has been applied to protect the kernel, but the IBPB-extending microcode has not been applied. User space tasks may still be vulnerable.

If you have evidence that there's a better configuration than this, please reopen the ticket.