Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS

From: Shah, Amit
Date: Fri Dec 06 2024 - 05:10:44 EST


On Thu, 2024-12-05 at 15:32 -0800, Josh Poimboeuf wrote:
> On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > User->user Spectre v2 attacks (including RSB) across context switches
> > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > or if either the prev or the next task has opted in to protection. RSB
> > filling without IBPB serves no purpose for protecting user space, as
> > indirect branches are still vulnerable.
>
> Question for Intel/AMD folks: where is it documented that IBPB clears
> the RSB?  I thought I'd seen this somewhere but I can't seem to find
> it.

"AMD64 TECHNOLOGY INDIRECT BRANCH CONTROL EXTENSION"
https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/white-papers/111006-architecture-guidelines-update-amd64-technology-indirect-branch-control-extension.pdf

has:

Indirect branch prediction barrier (IBPB) exists at MSR 0x49 (PRED_CMD)
bit 0. This is a write only MSR that both GP faults when software reads
it or if software tries to write any of the bits in 63:1. When bit zero
is written, the processor guarantees that older indirect branches
cannot influence predictions of indirect branches in the future. This
applies to jmp indirects, call indirects and returns. As this restricts
the processor from using all previous indirect branch information, it
is intended to only be used by software when switching from one user
context to another user context that requires protection, or from one
guest to another guest.

Amit