Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code

[Andrea Arcangeli]

On Wed, Jan 10, 2018 at 12:51:13PM +0000, David Woodhouse wrote:
> If it worked as Andrea suggests, then there would be absolutely no
> point in the patches we've seen which add the IBRS-frobbing on syscall
> entry and vmexit.

This is perhaps what you're missing I think, there is a huge point:
performance.

ibrs_enabled 1 ibpb_enabled 1 is much faster than ibrs_enabled 2
ibpb_enabled 1.

The current IBRS is disabling IBP, it can't do the "finegrined" thing
that leaves IBP speculation enabled.

Kernel is not a 100% C++ virtual template, so for kernel IBRS enabled
is not as a big deal as userland with IBRS enabled.

Once the new CPUid bit will be set it'll tell us IBRS is really
restricting speculation in a finegrined way with all privilege levels
ordered, so it simply tells is ibrs_enabled 2 ibpb_enabled 1 will be
faster than ibrs_enabled 1 ibpb_enabled 1, so the only thing we've to
do with the new CPUID bit you're talking about from the future, is to
change the default to ibrs_enabled 2 and it'll perform even better
with zero overhead in kernel entry points.

We already optimized for the future silicon, we've only to add a tweak
to detect cpuid and set the default ibrs_enabled to 2.

> The "IBRS all the time" feature is something we get on *future*
> hardware, not current hardware.

No, for current hardware it's the most secure option available and
required in fact if you want to fix guest userland attack on host
userland with math certainty which can matter for some customer.