Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load

From: Jon Kohler
Date: Thu May 12 2022 - 23:20:16 EST

Next message: Chao Yu: "Re: [PATCH] f2fs: separate NOCoW and pinfile semantics"
Previous message: Miaohe Lin: "Re: [PATCH v3 1/3] mm/swapfile: unuse_pte can map random data if swap read fails"
In reply to: Jim Mattson: "Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load"
Next in thread: Jim Mattson: "Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On May 12, 2022, at 11:06 PM, Jim Mattson <jmattson@xxxxxxxxxx> wrote:
>
> On Thu, May 12, 2022 at 5:50 PM Jon Kohler <jon@xxxxxxxxxxx> wrote:
>
>> You mentioned if someone was concerned about performance, are you
>> saying they also critically care about performance, such that they are
>> willing to *not* use IBPB at all, and instead just use taskset and hope
>> nothing ever gets scheduled on there, and then hope that the hypervisor
>> does the job for them?
>
> I am saying that IBPB is not the only viable mitigation for
> cross-process indirect branch steering. Proper scheduling can also
> solve the problem, without the overhead of IBPB. Say that you have two
> security domains: trusted and untrusted. If you have a two-socket
> system, and you always run trusted workloads on socket#0 and untrusted
> workloads on socket#1, IBPB is completely superfluous. However, if the
> hypervisor chooses to schedule a vCPU thread from virtual socket#0
> after a vCPU thread from virtual socket#1 on the same logical
> processor, then it *must* execute an IBPB between those two vCPU
> threads. Otherwise, it has introduced a non-architectural
> vulnerability that the guest can't possibly be aware of.
>
> If you can't trust your OS to schedule tasks where you tell it to
> schedule them, can you really trust it to provide you with any kind of
> inter-process security?

Fair enough, so going forward:
Should this be mandatory in all cases? How this whole effort came
was that a user could configure their KVM host with conditional
IBPB, but this particular mitigation is now always on no matter what.

In our previous patch review threads, Sean and I mostly settled on making
this particular avenue active only when a user configures always_ibpb, such
that for cases like the one you describe (and others like it that come up in
the future) can be covered easily, but for cond_ibpb, we can document
that it doesn’t cover this case.

Would that be acceptable here?

>
>> Would this be the expectation of just KVM? Or all hypervisors on the
>> market?
>
> Any hypervisor that doesn't do this is broken, but that won't keep it
> off the market. :-)

Very true :)

Next message: Chao Yu: "Re: [PATCH] f2fs: separate NOCoW and pinfile semantics"
Previous message: Miaohe Lin: "Re: [PATCH v3 1/3] mm/swapfile: unuse_pte can map random data if swap read fails"
In reply to: Jim Mattson: "Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load"
Next in thread: Jim Mattson: "Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]