Latest Foreshadow vulnerability vs. PureOS

Do we need to worry? In particular, is the kernel compiled with “nospectre_v2”? This build switch is useful because it enables faster performance when running with previously-sufficient hardware Spectre mitigations.

Side note: there might be a way to enable it without also enabling this latest in the long list of Spectre exploits. In particular, it sounds as though it relies on the kernel inheriting the register state of a userspace process, then the former experiencing an involuntary (hardware) prefetch based on the alleged addresses implied by that register state. If so, then randomizing or otherwise trashing the register state immediately after saving it to memory might thwart or perhaps eliminate the threat, while allowing for the speed gains of nospectre_v2. (This would need to occur at every point of entry to the kernel, which could be easy if it’s one common place, or just a few. It would seem to be far less computationally expensive than implementing retpolines all over the place, which is controlled by that switch.)
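One way to check this on a running system, as an added example that is not part of the original post: `nospectre_v2` (like `spectre_v2=off` and `mitigations=off`) is read from the kernel command line, and the kernel reports the resulting state under `/sys/devices/system/cpu/vulnerabilities`. The function names and result labels below are this example's own.

```shell
#!/bin/sh
# Added example: was Spectre v2 mitigation switched off at boot, and what
# does the running kernel report? Function names/labels are hypothetical.

# Print the first command-line token that disables Spectre v2 mitigation.
# $1 = kernel command line (contents of /proc/cmdline). Returns 1 if none.
cmdline_disabling_token() {
    set -f                      # no glob expansion while word-splitting
    for tok in $1; do
        case "$tok" in
            nospectre_v2|spectre_v2=off|mitigations=off)
                set +f; printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Combine the command line ($1) with the sysfs status string ($2).
classify() {
    case "$2" in
        "Not affected"*) echo "NOT_AFFECTED"; return 0 ;;
    esac
    if tok=$(cmdline_disabling_token "$1"); then
        echo "DISABLED_AT_BOOT:$tok"
        return 0
    fi
    case "$2" in
        Vulnerable*)  echo "VULNERABLE" ;;
        Mitigation:*) echo "MITIGATED" ;;
        *)            echo "UNKNOWN" ;;   # old kernel or no sysfs entry
    esac
}

# Report for this machine; also show the Foreshadow (L1TF) entry if present.
report() {
    dir=/sys/devices/system/cpu/vulnerabilities
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    v2=$(cat "$dir/spectre_v2" 2>/dev/null || true)
    l1tf=$(cat "$dir/l1tf" 2>/dev/null || true)
    echo "spectre_v2: $(classify "$cmdline" "$v2") [${v2:-no sysfs entry}]"
    echo "l1tf:       ${l1tf:-no sysfs entry}"
}

report
```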