Retpoline support


Just wondering if the nvidia kernel modules should be built with the cflags -mindirect-branch=thunk-extern and -mindirect-branch-register for retpoline support to mitigate against indirect branch speculation, or if this is not relevant?

The proper flags are inherited from the config of the kernel you build for. For el7 with all updates applied, you change to

%{!?kversion: %define kversion 3.10.0-693.21.1.el7.%{_target_cpu}}

at the top of the elrepo spec file and rebuild the kmod. This makes the warning

Spectre V2 : WARNING: module 'nvidia' built without retpoline-enabled compiler, may affect Spectre v2 mitigation

go away. Just checked. :)

Thanks. Yes, I was aware the warning message goes away but wasn’t able to confirm the cflags that were used.

I’ve later confirmed -mindirect-branch=thunk-extern is correctly used by examining the kernel symbols.

Thanks again
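
The symbol check mentioned in the last post can be scripted. This is an added example, not code from the thread or from ELRepo; the function names and the two `nm`-style listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from a module's symbol table whether its indirect
# branches go through the kernel's retpoline thunks.
# Code built with -mindirect-branch=thunk-extern calls external thunks named
# __x86_indirect_thunk_<reg>, which `nm` lists as undefined ("U") symbols.

# Constructed nm-style samples (not taken from a real nvidia.ko).
SAMPLE_RETPOLINE='                 U __fentry__
                 U __x86_indirect_thunk_rax
                 U __x86_indirect_thunk_r11
0000000000000000 T init_module'
# Here the thunk is defined inside the object, so it is not an external reference.
SAMPLE_PLAIN='                 U __fentry__
0000000000000000 T init_module
0000000000000040 t __x86_indirect_thunk_rax'

# thunk_refs: read `nm` output on stdin, print each referenced thunk once.
thunk_refs() {
    awk '$1 == "U" && $2 ~ /^__x86_indirect_thunk_/ { print $2 }' | sort -u
}

# retpoline_status: read `nm` output on stdin and classify it.
# "no-thunk-refs" is not proof of a bad build: a module without any
# indirect branch has nothing to route through a thunk.
retpoline_status() {
    if [ -n "$(thunk_refs)" ]; then
        echo "retpoline"
    else
        echo "no-thunk-refs"
    fi
}

# check_module FILE.ko: run the check against a real module file.
check_module() {
    nm "$1" | retpoline_status
}

# Stand-alone use: ./script.sh /path/to/module.ko
if [ "$#" -gt 0 ]; then
    check_module "$1"
fi
```

Run it against the rebuilt module file to see the result for a real build; piping `nm` output into `thunk_refs` lists which register thunks the module references.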