Re: [PATCH 5/6] KVM: nVMX: Always use IBPB to properly virtualize IBRS

From: Jim Mattson
Date: Wed Feb 19 2025 - 18:10:09 EST


On Wed, Feb 19, 2025 at 2:11 PM Yosry Ahmed <yosry.ahmed@xxxxxxxxx> wrote:
>
> On synthesized nested VM-exits in VMX, an IBPB is performed if IBRS is
> advertised to the guest to properly provide separate prediction domains
> for L1 and L2. However, this is currently conditional on
> X86_FEATURE_USE_IBPB, which depends on the host spectre_v2_user
> mitigation.
>
> In short, if spectre_v2_user=no, IBRS is not virtualized correctly and
> L1 becomes suspectible to attacks from L2. Fix this by performing the

Nit: susceptible.

> IBPB regardless of X86_FEATURE_USE_IBPB.
>
> Fixes: 2e7eab81425a ("KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS")
> Signed-off-by: Yosry Ahmed <yosry.ahmed@xxxxxxxxx>

Argh! No doubt, I was burned once again by assuming that a function
name (indirect_branch_prediction_barrier) was actually descriptive.

Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>