Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS
From: Josh Poimboeuf
Date: Thu Dec 05 2024 - 19:53:11 EST
On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote:
> On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > User->user Spectre v2 attacks (including RSB) across context switches
> > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > or if either the prev or the next task has opted in to protection. RSB
> > filling without IBPB serves no purpose for protecting user space, as
> > indirect branches are still vulnerable.
>
> Question for Intel/AMD folks: where is it documented that IBPB clears
> the RSB? I thought I'd seen this somewhere but I can't seem to find it.
For Intel, I found this:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html
"Software that executed before the IBPB command cannot control the
predicted targets of indirect branches executed after the command on
the same logical processor. The term indirect branch in this context
includes near return instructions, so these predicted targets may come
from the RSB.
This article uses the term RSB-barrier to refer to either an IBPB
command event, or (on processors which support enhanced IBRS) either a
VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit."
I haven't seen anything that explicit for AMD.
--
Josh