On Wed, 26 Jun 2019, Paolo Bonzini wrote:
> On 25/06/19 20:22, Thomas Gleixner wrote:
> >> I think that even with that approach there is still an unsolved problem, as I
> >> believe guests are allowed to write directly to SPEC_CTRL MSR without causing
> >> a VMEXIT, which bypasses the host masking entirely. e.g. a guest using IBRS
> >> writes frequently to SPEC_CTRL, and could turn off SSBD on the vCPU while it is
> >> running after the first non-zero write to the MSR. Do you agree?
> >
> > Indeed. Of course that was a decision we made _before_ all the other fancy
> > things came around. Looks like we have to reopen that discussion.
>
> It's not just that, it's a decision that was made because otherwise
> performance is absolutely horrible (like 4-5x slower syscalls if the
> guest is using IBRS).
>
> I think it's better to leave the guest in control of SSBD even if it's
> globally disabled. The harm cannot escape the guest and in particular
> it cannot escape to the sibling hyperthread.

SSB allows guest to guest attacks IIRC

Thanks,

	tglx