On Fri, Sep 02, 2022 at 04:53:35PM -0700, Jim Mattson wrote:
> On the Intel side, restoration of the guest's IA32_SPEC_CTRL is done
> as late as possible, with the comment:
>
> * IMPORTANT: To avoid RSB underflow attacks and any other nastiness,
> * there must not be any returns or indirect branches between this code
> * and vmentry.
>
> In light of CVE-2022-23825 ("Branch Type Confusion"), don't we also
> need to avoid returns or indirect branches between the wrmsr and
> VM-entry on AMD hosts without X86_FEATURE_V_SPEC_CTRL?
I don't think so, because for AMD we don't use the SPEC_CTRL mitigations
like Intel does. i.e., no IBRS/eIBRS.
The AMD rethunk mitigation protects against retbleed regardless [*] of
the value of SPEC_CTRL.
[*] Not 100% true - if STIBP gets disabled by the guest, there's a small
window of opportunity where the SMT sibling can help force a
retbleed attack on a RET between the MSR write and the vmrun. But
that's really unrealistic IMO.
--
Josh
