On 09/01/2018 12:31, Liran Alon wrote: >> On current generation processors, as I understand it, IBRS simply >> disables the indirect branch predictor when set to 1. Therefore, >> as > This is not how I understood what IBRS does. > > Intel (not sure about AMD) states that if IBRS is set, indirect > branches will now allow their predicted target address to be > controlled by code that executed in a less privileged prediction-mode > before the IBRS was last written with a value of 1. (Intel also > states that thus an indirect branch may be affected by code in a less > privileged prediction-mode that executed AFTER IBRS mode was last > written with a value of 1). Difficult to say that, because AMD microcode for IBRS does not exist. Is it even documented whether VMX/SVM non-root mode is a different physical prediction mode. Generally I agree you'd go by what the spec say, but we don't really have a final spec from the vendors. The microarchitectural level matters much more than the spec in this case, I'm opinion: what current microcode patches do, and how future processors plan to close the leak once and for all. The above ("IBRS simply disables the indirect branch predictor") was my take-away message from private discussion with Intel. My guess is that the vendors are just handwaving a spec that doesn't match what they have implemented, because honestly a microcode update is unlikely to do much more than an old-fashioned chicken bit. Maybe on Skylake it does though, since the performance characteristics of IBRS are so different from previous processors. Let's ask Arjan who might have more information about it, and hope he actually can disclose it... Paolo > Therefore, L2 could also inject BTB/BHB entries that will be used by > L1: Consider the case that L2 injects values into BTB/BHB and then > issues a hypercall which will cause #VMExit which will be forwarded > to L1. Because L2 & L1 runs in the same prediction-mode (both Ring0 > SVM guest-mode) from physical CPU perspective, Ring0 L1 code could be > using BTB/BHB entries injected by Ring0 L2. (The fact that L0 have > set IBRS to 1 when exiting from L2 to L0 doesn't prevent those > entries from being used by L1 after L0 enters L1). > > This is different than what happens in non-nested case as L0 & L1 > runs in different physical prediction-modes and therefore setting > IBRS=1 on every #VMExit should suffice. > > Therefore, I don't understand how L1 setting IBRS to 1 will help him > in this case. Maybe this mechanism works differently on AMD? > >> Future processors might have a mode that says "just set IBRS=1 and >> I'll DTRT". If that's done by indexing the BTB using the full virtual >> address, the CPL _and_ the ASID/PCID/VPID, then IBPB is not needed >> here because the L2 VM uses a different ASID. If that's done by only >> augmenting the BTB index with the CPL, we'd need an IBPB. But in >> this new world we've been thrown into, that would be a processor bug...