Re: [PATCH 0/7] IBRS patch series

From: David Woodhouse
Date: Fri Jan 05 2018 - 11:46:55 EST


On Fri, 2018-01-05 at 17:42 +0100, Andrea Arcangeli wrote:
> On Fri, Jan 05, 2018 at 04:37:30PM +0000, David Woodhouse wrote:
> > You are completely ignoring pre-Skylake here.
>
> > On pre-Skylake, retpoline is perfectly sufficient and it's a *lot*
> > faster than the IBRS option which is almost prohibitively slow.
>
> > We didn't do it just for fun. And it's working fine; it isn't *that*
> > complex.
>
> How do you enable IBRS when the CPU switches to SMM?

SMM is fine, as Arjan said. It's only for stuff like EFI runtime calls,
and then only if you're really paranoid.

> Do you already have this 2-way code emission from gcc and patching
> with a 3-way alternatives at boot between ibrs and 2 retpoline version
> emitted by gcc and alternatives between ibrs and ibpb where SPEC_CTRL
> is missing on some CPU but IBPB_SUPPORT is available?

This was implemented in Intel's patch sets that they've been sending
out. I don't really know why we've suddenly gone back to the drawing
board and turned things around to put retpoline first in the series,
etc.

I'm also mildly concerned that all the variant 1 patches have just
disappeared.

> Or are you talking about having done this on a non upstream Xen build
> only without the 2-way code emission for gcc?

Xen has it too, but no. I was talking about Linux.
