Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load

On Thu, May 12, 2022 at 5:50 PM Jon Kohler <jon@xxxxxxxxxxx> wrote:

> You mentioned if someone was concerned about performance, are you
> saying they also critically care about performance, such that they are
> willing to *not* use IBPB at all, and instead just use taskset and hope
> nothing ever gets scheduled on there, and then hope that the hypervisor
> does the job for them?

I am saying that IBPB is not the only viable mitigation for
cross-process indirect branch steering. Proper scheduling can also
solve the problem, without the overhead of IBPB. Say that you have two
security domains: trusted and untrusted. If you have a two-socket
system, and you always run trusted workloads on socket#0 and untrusted
workloads on socket#1, IBPB is completely superfluous. However, if the
hypervisor chooses to schedule a vCPU thread from virtual socket#0
after a vCPU thread from virtual socket#1 on the same logical
processor, then it *must* execute an IBPB between those two vCPU
threads. Otherwise, it has introduced a non-architectural
vulnerability that the guest can't possibly be aware of.

If you can't trust your OS to schedule tasks where you tell it to
schedule them, can you really trust it to provide you with any kind of
inter-process security?

> Would this be the expectation of just KVM? Or all hypervisors on the
> market?

Any hypervisor that doesn't do this is broken, but that won't keep it
off the market. :-)
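The scheduling argument above (domain-separated placement makes IBPB superfluous, interleaving domains on one logical processor makes it mandatory) can be made concrete with a small simulation. This is an added example, not code from the patch, the thread, or KVM: the two-socket layout, the two security domains and the per-CPU "last domain" bookkeeping are assumptions chosen to mirror the message, and the IBPB is only counted, never executed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed topology: two sockets, four logical processors each. */
#define NR_SOCKETS      2
#define CPUS_PER_SOCKET 4
#define NR_CPUS         (NR_SOCKETS * CPUS_PER_SOCKET)

/* Assumed security domains; DOMAIN_NONE means nothing has run yet. */
enum domain { DOMAIN_NONE = 0, DOMAIN_TRUSTED, DOMAIN_UNTRUSTED };

struct sim {
    enum domain last[NR_CPUS];  /* domain of the last vCPU thread per logical CPU */
    unsigned long switches;     /* vCPU dispatches performed */
    unsigned long ibpb_count;   /* IBPBs the hypervisor had to issue */
};

static int socket_of(int cpu)
{
    return cpu / CPUS_PER_SOCKET;
}

/* The rule from the message: an IBPB is required exactly when the incoming
 * vCPU thread belongs to a different domain than whatever last ran on this
 * logical processor. Same domain back to back needs nothing. */
static bool needs_ibpb(const struct sim *s, int cpu, enum domain next)
{
    enum domain prev = s->last[cpu];
    return prev != DOMAIN_NONE && prev != next;
}

/* Dispatch a vCPU thread of domain d onto logical processor cpu. */
static void run_vcpu(struct sim *s, int cpu, enum domain d)
{
    s->switches++;
    if (needs_ibpb(s, cpu, d))
        s->ibpb_count++;
    s->last[cpu] = d;
}

/* Policy A: trusted workloads pinned to socket#0, untrusted to socket#1
 * (what taskset-style affinity achieves). Returns the IBPBs required. */
static unsigned long simulate_pinned(unsigned rounds)
{
    struct sim s;
    memset(&s, 0, sizeof s);
    for (unsigned r = 0; r < rounds; r++)
        for (int cpu = 0; cpu < NR_CPUS; cpu++)
            run_vcpu(&s, cpu, socket_of(cpu) == 0 ? DOMAIN_TRUSTED
                                                  : DOMAIN_UNTRUSTED);
    return s.ibpb_count;
}

/* Policy B: the hypervisor alternates domains on every logical processor,
 * so each switch after the first crosses a domain boundary. */
static unsigned long simulate_interleaved(unsigned rounds)
{
    struct sim s;
    memset(&s, 0, sizeof s);
    for (unsigned r = 0; r < rounds; r++)
        for (int cpu = 0; cpu < NR_CPUS; cpu++)
            run_vcpu(&s, cpu, (r % 2) ? DOMAIN_TRUSTED : DOMAIN_UNTRUSTED);
    return s.ibpb_count;
}

int main(void)
{
    unsigned rounds = 10;
    printf("pinned:      %lu IBPBs over %u rounds on %d CPUs\n",
           simulate_pinned(rounds), rounds, NR_CPUS);
    printf("interleaved: %lu IBPBs over %u rounds on %d CPUs\n",
           simulate_interleaved(rounds), rounds, NR_CPUS);
    return 0;
}
```

With pinning the count stays at zero regardless of how long the simulation runs, which is the sense in which IBPB is "completely superfluous" there; with interleaving every logical processor pays one IBPB per round after the first, and a hypervisor that skipped any of them would have created exactly the cross-domain exposure the guest cannot see.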


