lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c31716da-a3d1-35e9-7671-8b8b80a5879e@redhat.com>
Date:   Wed, 10 Jan 2018 14:20:13 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Nadav Amit <nadav.amit@...il.com>
Cc:     Liran Alon <liran.alon@...cle.com>, jmattson@...gle.com,
        x86@...nel.org, dwmw@...zon.co.uk, bp@...en8.de,
        aliguori@...zon.com, thomas.lendacky@....com, rkrcmar@...hat.com,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
        Arjan van de Ven <arjan@...ux.intel.com>
Subject: Re: [PATCH 3/8] kvm: vmx: pass MSR_IA32_SPEC_CTRL and
 MSR_IA32_PRED_CMD down to the guest

On 10/01/2018 06:03, Nadav Amit wrote:
>>
>> Of course the code will become something like
>>
>> 	if (using_ibrs || vmx->spec_ctrl != 0)
>> 		wrmsrl(MSR_IA32_SPEC_CTRL, host_ibrs);
>>
>> optimizing the case where the host is using retpolines.
> Excuse my ignorance: Can you point me to the specifications that mention “we
> should set IBRS bit even if it was already set on every #VMExit” ?

All I have is some PowerPoint slides from Intel. :(  They say:

---
A near indirect jump/call/return may be affected by code in a less
privileged prediction mode that executed AFTER IBRS mode was last
written with a value of 1. There is no need to clear IBRS before writing
it with a value of 1. Unconditionally writing it with a value of 1 after
the prediction mode change is sufficient.

VMX non-root is considered a less privileged prediction mode than VM
root.  CPL 3 is considered a less privileged prediction mode than CPL0,
1, 2.

Some processors may enhance IBRS such that it isolates prediction modes
effectively and at higher performance if left set instead of being set
when enter OS and VMM and cleared when entering applications.  [This is]
enumerated by IA32_ARCH_CAPABILITIES[1].
---

(Yes, it literally says VM root, not VMX root).

But I think this is an awful specification.  For two reasons:

* a simple specification that does "IBRS=1 blocks indirect branch
prediction altogether" would actually satisfy the specification just as
well, and it would be nice to know if that's what the processor actually
does.

* the future case with enhanced IBRS still requires the expensive IBPB
when switching between applications or between guests, where the
PCID/VPID (and PCID/VPID invalidation) could be used to remove that need.

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ