Re: [PATCH 5/6] KVM: nVMX: Always use IBPB to properly virtualize IBRS

From: Jim Mattson
Date: Wed Feb 19 2025 - 18:10:09 EST

Next message: patchwork-bot+netdevbpf: "Re: [PATCH] selftests/bpf: DENYLIST.aarch64: enable kprobe_multi tests for ARM64"
Previous message: Google: "Re: [PATCH 1/2] hung_task: Show the blocker task if the task is hung on mutex"
In reply to: Yosry Ahmed: "[PATCH 5/6] KVM: nVMX: Always use IBPB to properly virtualize IBRS"
Next in thread: Yosry Ahmed: "[PATCH 3/6] x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 19, 2025 at 2:11 PM Yosry Ahmed <yosry.ahmed@xxxxxxxxx> wrote:
>
> On synthesized nested VM-exits in VMX, an IBPB is performed if IBRS is
> advertised to the guest to properly provide separate prediction domains
> for L1 and L2. However, this is currently conditional on
> X86_FEATURE_USE_IBPB, which depends on the host spectre_v2_user
> mitigation.
>
> In short, if spectre_v2_user=no, IBRS is not virtualized correctly and
> L1 becomes suspectible to attacks from L2. Fix this by performing the

Nit: susceptible.

> IBPB regardless of X86_FEATURE_USE_IBPB.
>
> Fixes: 2e7eab81425a ("KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS")
> Signed-off-by: Yosry Ahmed <yosry.ahmed@xxxxxxxxx>

Argh! No doubt, I was burned once again by assuming that a function
name (indirect_branch_prediction_barrier) was actually descriptive.

Reviewed-by: Jim Mattson <jmattson@xxxxxxxxxx>

Next message: patchwork-bot+netdevbpf: "Re: [PATCH] selftests/bpf: DENYLIST.aarch64: enable kprobe_multi tests for ARM64"
Previous message: Google: "Re: [PATCH 1/2] hung_task: Show the blocker task if the task is hung on mutex"
In reply to: Yosry Ahmed: "[PATCH 5/6] KVM: nVMX: Always use IBPB to properly virtualize IBRS"
Next in thread: Yosry Ahmed: "[PATCH 3/6] x86/bugs: Remove the X86_FEATURE_USE_IBPB check in ib_prctl_set()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]