On the Intel side, restoration of the guest's IA32_SPEC_CTRL is done as late as possible, with the comment:

	 * IMPORTANT: To avoid RSB underflow attacks and any other nastiness,
	 * there must not be any returns or indirect branches between this code
	 * and vmentry.

In light of CVE-2022-23825 ("Branch Type Confusion"), don't we also need to avoid returns or indirect branches between the wrmsr and VM-entry on AMD hosts without X86_FEATURE_V_SPEC_CTRL?

Yet, we still restore the guest's IA32_SPEC_CTRL quite early, with the comment:

	 * If this vCPU has touched SPEC_CTRL, restore the guest's value if
	 * it's non-zero. Since vmentry is serialising on affected CPUs, there
	 * is no need to worry about the conditional branch over the wrmsr
	 * being speculatively taken.

This entire comment seems quite stale, and not relevant today.