How to check if Linux kernel is "Retpoline" enabled or not?

linux kernel linux-kernel

20,266

Solution 1

If you’re using mainline kernels, or most major distributions’ kernels, the best way to check for full retpoline support (i.e. the kernel was configured with CONFIG_RETPOLINE, and was built with a retpoline-capable compiler) is to look for “Full generic retpoline” in /sys/devices/system/cpu/vulnerabilities/spectre_v2. On my system:

$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, IBPB, IBRS_FW

If you want more comprehensive tests, to detect retpolines on kernels without the spectre_v2 systree file, check out how spectre-meltdown-checker goes about things.

Solution 2

Stephen Kitt's answer is more comprehensive in this specific case, because the retpoline support also needs new compiler version.

But in general case, most distributions have the kernel configuration file available in one of the following locations:

/boot/config-4.xx.xx-...
/proc/config.gz

Then you can simply zgrep CONFIG_RETPOLINE /boot/config* /proc/config.gz

20,266

Weishan Yang

Updated on September 18, 2022

Comments

Weishan Yang over 1 year

As for the "Spectre" security vulnerability, "Retpoline" was introduced to be a solution to mitigate the risk. However, I've read a post that mentioned:

If you build the kernel without CONFIG_RETPOLINE, you can't build modules with retpoline and then expect them to load — because the thunk symbols aren't exported.

If you build the kernel with the retpoline though, you can successfully load modules which aren't built with retpoline. (Source)

Is there an easy and common/generic/unified way to check if kernel is "Retpoline" enabled or not? I want to do this so that my installer can use the proper build of kernel module to be installed.
- Admin almost 2 years
  
  Note that retpoline is no longer sufficient as a mitigation: comsec.ethz.ch/research/microarch/retbleed
pts about 6 years

I recommend against grepping in /boot/config*, because that may find CONFIG_RETPOLINE in a kernel image which is installed but not currently running, giving a false sense of security. Examining /proc/config.gz or /sys/... is safe, but many Linux distributions compile the kernel without /proc/config.gz.
Adam Luchjenbroers about 6 years

Could you make the logic a bit smarter and use uname (or the equivalent syscall) to get the currently running kernel and then examine that particular /boot/config file?
muru about 6 years

@pts /boot/config-$(uname -r), then?
Stephen Kitt about 6 years

Using /boot/config-$(uname -r) isn’t fool-proof either: it still doesn’t guarantee that the config matches the running kernel. Distro kernels keep the same uname -r across multiple versions, as long as the kernel ABI doesn’t change.
Alex Vong about 6 years

To check for other meltdown/spectre-related vulnerabilities as well, run $ grep . /sys/devices/system/cpu/vulnerabilities/*, which is suggested in Greg Kroah-Hartman's blog.
Stephen Kitt about 6 years

Thanks @Alex; I was answering the specific question, but that is useful — although I prefer head /sys/devices/system/cpu/vulnerabilities/* myself ;-). That currently covers Meltdown/Spectre vulnerabilities, but should also cover any future vulnerabilities of a similar nature (the namespace is purposefully generic).
Weishan Yang about 6 years

Thank you all for your reply. Your answer and message is helpful.
Alex Vong about 6 years

@StephenKitt Yeah, head gives a nicer formatted output.