As part of our work on the Safeside project
(https://github.com/google/safeside), we've seen a few AArch64
platforms that don't have firmware support for mitigating Spectre V2
(branch target injection). In particular, on those systems, we believe
the speculated targets of indirect branches in kernel code could
potentially be controlled by userspace code.
We've also tested the behavior of return stack predictors -- on those
same platforms, and on other AArch64 CPUs -- and found that they seem
to work in a way that would enable a Retpoline-style construction
where we can depend on the return stack predictor to "win" over the
branch target predictor. Implementing something like this would allow
us to protect more code from Spectre V2 vulnerabilities.
We'd like to get a firmer idea about the feasibility of this approach
and gauge interest in working on the implementation.
Kristof: would anyone at ARM be interested in contributing Retpolines