Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS

From: Shah, Amit
Date: Mon Dec 30 2024 - 09:54:54 EST


On Fri, 2024-12-06 at 15:02 -0800, Josh Poimboeuf wrote:
> On Thu, Dec 05, 2024 at 04:53:03PM -0800, Josh Poimboeuf wrote:
> > On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote:
> > > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > > > User->user Spectre v2 attacks (including RSB) across context switches
> > > > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > > > or if either the prev or the next task has opted in to protection.  RSB
> > > > filling without IBPB serves no purpose for protecting user space, as
> > > > indirect branches are still vulnerable.
> > >
> > > Question for Intel/AMD folks: where is it documented that IBPB clears
> > > the RSB?  I thought I'd seen this somewhere but I can't seem to find it.
> >
> > For Intel, I found this:
> >
> > https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html
> >
> >   "Software that executed before the IBPB command cannot control the
> >   predicted targets of indirect branches executed after the command on
> >   the same logical processor. The term indirect branch in this context
> >   includes near return instructions, so these predicted targets may come
> >   from the RSB.
> >
> >   This article uses the term RSB-barrier to refer to either an IBPB
> >   command event, or (on processors which support enhanced IBRS) either a
> >   VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit."
> >
> > I haven't seen anything that explicit for AMD.
>
> Found it.  As Andrew mentioned earlier, AMD IBPB only clears RSB if the
> IBPB_RET CPUID bit is set.  From APM vol 3:
>
> CPUID Fn8000_0008_EBX Extended Feature Identifiers:
>
>   30 IBPB_RET  The processor clears the return address predictor when
>                MSR PRED_CMD.IBPB is written to 1.
>
> We check that already for the IBPB entry mitigation, but now we'll also
> need to do so for the context switch IBPB.
>
> Question for AMD, does SBPB behave the same way, i.e. does it clear RSB
> if IBPB_RET?

I'm not sure about this. I'll ask around internally.


Amit
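As an added illustration (not part of this thread or of the kernel patch under discussion), here is a small userspace check for the IBPB_RET bit Josh quotes from the APM: CPUID Fn8000_0008, EBX bit 30. The function names `ibpb_ret_from_ebx` and `has_ibpb_ret` are my own; the leaf, register and bit position are the ones stated above. On an AMD/Hygon CPU it tells you whether an IBPB also flushes the return stack buffer, which is exactly what the context-switch IBPB relies on for the RSB part of the mitigation.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID Fn8000_0008_EBX bit 30: IBPB_RET (APM vol 3, as quoted in the thread). */
#define AMD_IBPB_RET_BIT 30u

/* Pure decoder so the bit position can be tested without real hardware. */
int ibpb_ret_from_ebx(uint32_t ebx)
{
    return (ebx >> AMD_IBPB_RET_BIT) & 1u;
}

/*
 * Returns 1 if this CPU is an AMD/Hygon part that advertises IBPB_RET,
 * 0 if it is AMD/Hygon without the bit or not AMD/Hygon at all, and -1
 * when CPUID cannot be queried (non-x86 build, or leaf 0x80000008 absent).
 */
int has_ibpb_ret(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    char vendor[13];

    /* Leaf 0: the vendor string is laid out across EBX, EDX, ECX in that order. */
    __cpuid(0, eax, ebx, ecx, edx);
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    if (strcmp(vendor, "AuthenticAMD") != 0 && strcmp(vendor, "HygonGenuine") != 0)
        return 0;

    /* Leaf 0x80000000: EAX holds the highest implemented extended leaf. */
    __cpuid(0x80000000u, eax, ebx, ecx, edx);
    if (eax < 0x80000008u)
        return -1;

    __cpuid(0x80000008u, eax, ebx, ecx, edx);
    return ibpb_ret_from_ebx(ebx);
#else
    return -1;
#endif
}
```

Call `has_ibpb_ret()` from a `main()` and treat 0 as "IBPB alone does not clear the RSB on this part", i.e. the case the patch needs to keep handling separately.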