On Thu, May 12, 2022 at 5:50 PM Jon Kohler <jon@xxxxxxxxxxx> wrote:

> You mentioned if someone was concerned about performance, are you
> saying they also critically care about performance, such that they are
> willing to *not* use IBPB at all, and instead just use taskset and hope
> nothing ever gets scheduled on there, and then hope that the hypervisor
> does the job for them?

I am saying that IBPB is not the only viable mitigation for
cross-process indirect branch steering. Proper scheduling can also
solve the problem, without the overhead of IBPB. Say that you have two
security domains: trusted and untrusted. If you have a two-socket
system, and you always run trusted workloads on socket#0 and untrusted
workloads on socket#1, IBPB is completely superfluous. However, if the
hypervisor chooses to schedule a vCPU thread from virtual socket#0
after a vCPU thread from virtual socket#1 on the same logical
processor, then it *must* execute an IBPB between those two vCPU
threads. Otherwise, it has introduced a non-architectural vulnerability
that the guest can't possibly be aware of.

If you can't trust your OS to schedule tasks where you tell it to
schedule them, can you really trust it to provide you with any kind of
inter-process security?

> Would this be the expectation of just KVM? Or all hypervisors on the
> market?

Any hypervisor that doesn't do this is broken, but that won't keep it
off the market. :-)
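
The scheduling argument in the message above, modelled as an added example (not code from the e-mail, KVM or the kernel): it walks a schedule trace and counts the points where a logical CPU changes security domain, which are the points where a barrier is required. The `slot` type, the four-CPU layout and both traces are constructed assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model for illustration; not KVM or kernel code. */
enum domain { NONE = 0, TRUSTED, UNTRUSTED };
struct slot { int cpu; enum domain dom; };   /* one scheduling decision */

#define NCPU 4   /* assumed: CPUs 0-1 are socket#0, CPUs 2-3 are socket#1 */

/* Count domain switches per logical CPU. Each switch is a point where an
 * indirect branch predictor barrier is needed before the next task runs.
 * Returns -1 if the trace names a CPU outside the model. */
int barriers_needed(const struct slot *trace, size_t n)
{
    enum domain last[NCPU] = { NONE };
    int count = 0;

    for (size_t i = 0; i < n; i++) {
        int c = trace[i].cpu;
        if (c < 0 || c >= NCPU)
            return -1;
        if (last[c] != NONE && last[c] != trace[i].dom)
            count++;               /* predictor state crosses domains here */
        last[c] = trace[i].dom;
    }
    return count;
}

/* Strict placement: trusted only on socket#0, untrusted only on socket#1. */
static const struct slot pinned[] = {
    {0, TRUSTED}, {2, UNTRUSTED}, {1, TRUSTED},
    {3, UNTRUSTED}, {0, TRUSTED}, {2, UNTRUSTED},
};

/* Host places an untrusted vCPU thread on CPU 0 between two trusted ones. */
static const struct slot mixed[] = {
    {0, TRUSTED}, {2, UNTRUSTED}, {0, UNTRUSTED},
    {2, UNTRUSTED}, {0, TRUSTED}, {1, TRUSTED},
};

int main(void)
{
    printf("pinned: %d barrier(s) required\n",
           barriers_needed(pinned, sizeof pinned / sizeof pinned[0]));
    printf("mixed:  %d barrier(s) required\n",
           barriers_needed(mixed, sizeof mixed / sizeof mixed[0]));
    return 0;
}
```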