On 25/06/19 20:22, Thomas Gleixner wrote:
>> I think that even with that approach there is still an unsolved problem, as I
>> believe guests are allowed to write directly to SPEC_CTRL MSR without causing
>> a VMEXIT, which bypasses the host masking entirely. e.g. a guest using IBRS
>> writes frequently to SPEC_CTRL, and could turn off SSBD on the VCPU while it is
>> running after the first non-zero write to the MSR. Do you agree?
> Indeed. Of course that was a decision we made _before_ all the other fancy
> things came around. Looks like we have to reopen that discussion.

It's not just that, it's a decision that was made because otherwise performance
is absolutely horrible (like 4-5x slower syscalls if the guest is using IBRS).

I think it's better to leave the guest in control of SSBD even if it's globally
disabled. The harm cannot escape the guest and in particular it cannot escape to
the sibling hyperthread.

Paolo
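A small C model of the MSR handling the quoted message describes, added here as an illustration and not code from KVM or from anyone in the thread: the host forces SSBD while the vCPU runs, but once the first non-zero guest write to SPEC_CTRL turns interception off, later guest writes reach the hardware unmasked. The struct, its field names and the `always_trap` policy flag are hypothetical; only the SPEC_CTRL bit positions are the architectural ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit layout of IA32_SPEC_CTRL (MSR 0x48). */
#define SPEC_CTRL_IBRS  (1ULL << 0)
#define SPEC_CTRL_STIBP (1ULL << 1)
#define SPEC_CTRL_SSBD  (1ULL << 2)

/* Hypothetical vCPU model; these are not KVM's data structures. */
struct vcpu_model {
    uint64_t host_forced;  /* bits the host wants set while this vCPU runs (e.g. SSBD) */
    uint64_t hw_val;       /* value actually in the MSR while the vCPU runs */
    bool     passthrough;  /* once true, guest WRMSR no longer traps to the host */
    bool     always_trap;  /* policy: keep intercepting every write (safe but slow) */
};

/* Guest writes SPEC_CTRL. A trapped write lets the host OR in its forced bits and
 * decide whether to keep trapping; an untrapped write goes to hardware as-is. */
static void guest_wrmsr_spec_ctrl(struct vcpu_model *v, uint64_t val)
{
    if (v->passthrough) {
        v->hw_val = val;               /* no VMEXIT: host mask is bypassed */
        return;
    }
    v->hw_val = val | v->host_forced;  /* intercepted: host policy applied */
    if (val != 0 && !v->always_trap)
        v->passthrough = true;         /* first non-zero write: hand MSR to guest */
}

static bool ssbd_active(const struct vcpu_model *v) { return (v->hw_val & SPEC_CTRL_SSBD) != 0; }

/* Scenario from the thread: host forces SSBD, a guest using IBRS writes twice.
 * Returns true if SSBD is still in effect after the second write. */
static bool ssbd_survives(bool always_trap)
{
    struct vcpu_model v = { .host_forced = SPEC_CTRL_SSBD, .always_trap = always_trap };
    guest_wrmsr_spec_ctrl(&v, SPEC_CTRL_IBRS);  /* first non-zero write */
    guest_wrmsr_spec_ctrl(&v, SPEC_CTRL_IBRS);  /* e.g. guest syscall path rewriting IBRS */
    return ssbd_active(&v);
}

int main(void)
{
    printf("passthrough policy: SSBD %s\n", ssbd_survives(false) ? "kept" : "lost");
    printf("always-trap policy: SSBD %s\n", ssbd_survives(true) ? "kept" : "lost");
    return 0;
}
```

The always-trap variant is the correct-but-slow alternative the reply refers to: every guest write costs a VMEXIT, which is where the syscall slowdown comes from.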