Re: Guest IA32_SPEC_CTRL on AMD hosts without X86_FEATURE_V_SPEC_CTRL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 02, 2022 at 04:53:35PM -0700, Jim Mattson wrote:
> On the Intel side, restoration of the guest's IA32_SPEC_CTRL is done
> as late as possible, with the comment:
> 
> * IMPORTANT: To avoid RSB underflow attacks and any other nastiness,
> * there must not be any returns or indirect branches between this code
> * and vmentry.
> 
> In light of CVE-2022-23825 ("Branch Type Confusion"), don't we also
> need to avoid returns or indirect branches between the wrmsr and
> VM-entry on AMD hosts without X86_FEATURE_V_SPEC_CTRL?

I don't think so, because for AMD we don't use the SPEC_CTRL mitigations
like Intel does.  i.e., no IBRS/eIBRS.

The AMD rethunk mitigation protects against retbleed regardless [*] of
the value of SPEC_CTRL.

[*] Not 100% true - if STIBP gets disabled by the guest, there's a small
    window of opportunity where the SMT sibling can help force a
    retbleed attack on a RET between the MSR write and the vmrun.  But
    that's really unrealistic IMO.

-- 
Josh



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux