On 13/02/2018 11:36, David Woodhouse wrote:
>>> - if the VM has IBRS_ALL, pass through the MSR when it is zero and
>>> intercept writes when it is one (no writes should happen)
>>>
>>> - if the VM doesn't have IBRS_ALL, do as we are doing now, independent
>>> of what the host spectre_v2_ibrs_all() setting is.
>> We end up having to turn IBRS on again on vmexit then, taking care that
>> no conditional branch can go round it. So that becomes an
>> *unconditional* wrmsr or lfence in the vmexit path. We really don't
>> want that.
>
> Note that being able to keep it simple in KVM was basically what made
> the difference between me tolerating IBRS_ALL as Intel currently define
> it, and throwing my toys out of the pram (as I had done in the first
> iterations of this patch).

You have my vote. :)

Really, IBRS_ALL makes no sense and it would be nice to know _why_ Intel
is pushing something that makes no sense.

Paolo