Re: Does srso safe RET mitigation require microcode update?

From: Rainer Fiebig
Date: Mon Aug 14 2023 - 05:49:20 EST


On 14.08.23 at 11:10, Borislav Petkov wrote:
> On Mon, Aug 14, 2023 at 05:00:12PM +0800, Xi Ruoyao wrote:
>> So we are puzzled now: is this system vulnerable or mitigated?
>
> Read the whole options text here:
>
> https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
>
> Does it explain it better?
Not really, IMO. The text says:

"First of all, it is required that the latest microcode be loaded for
mitigations to be effective.
[...]"

According to that: no latest microcode - system is vulnerable.

Later:
"* 'Mitigation: safe RET':

Software-only mitigation. It complements the extended IBPB microcode
patch functionality by addressing User->Kernel and Guest->Host
transitions protection."

Now, what does that mean: partial mitigation or also no mitigation
without microcode?

And if the latest microcode is indeed needed for "Safe RET": why do
users of AMD's "consumer" Zens have to wait weeks or even longer for an
AGESA instead of being able to simply compile the microcode into the
kernel and get rid of the problem in a few minutes?

Thanks.

Rainer