On Sat, Apr 30, 2022, Jon Kohler wrote:
>
> > On Apr 30, 2022, at 5:50 AM, Borislav Petkov <bp@xxxxxxxxx> wrote:
> >
> > So let me try to understand this use case: you have a guest and a bunch
> > of vCPUs which belong to it. And that guest gets switched between those
> > vCPUs and KVM does IBPB flushes between those vCPUs.
> >
> > So either I'm missing something - which is possible - but if not, that
> > "protection" doesn't make any sense - it is all within the same guest!
> > So that existing behavior was silly to begin with so we might just as
> > well kill it.
>
> Close, it's not 1 guest with a bunch of vCPUs, it's a bunch of guests with
> a small amount of vCPUs, that's the small nuance here, which is one of
> the reasons why this was hard to see from the beginning.
>
> AFAIK, the KVM IBPB is avoided when switching in between vCPUs
> belonging to the same vmcs/vmcb (i.e. the same guest), e.g. you could
> have one VM highly oversubscribed to the host and you wouldn't see
> either the KVM IBPB or the switch_mm IBPB. All good.

No, KVM does not avoid IBPB when switching between vCPUs in a single VM.
Every vCPU has a separate VMCS/VMCB, and so the scenario described above
where a single VM has a bunch of vCPUs running on a limited set of logical
CPUs will emit IBPB on every single switch.