On Fri, Sep 02, 2022 at 04:53:35PM -0700, Jim Mattson wrote: > On the Intel side, restoration of the guest's IA32_SPEC_CTRL is done > as late as possible, with the comment: > > * IMPORTANT: To avoid RSB underflow attacks and any other nastiness, > * there must not be any returns or indirect branches between this code > * and vmentry. > > In light of CVE-2022-23825 ("Branch Type Confusion"), don't we also > need to avoid returns or indirect branches between the wrmsr and > VM-entry on AMD hosts without X86_FEATURE_V_SPEC_CTRL? I don't think so, because for AMD we don't use the SPEC_CTRL mitigations like Intel does. i.e., no IBRS/eIBRS. The AMD rethunk mitigation protects against retbleed regardless [*] of the value of SPEC_CTRL. [*] Not 100% true - if STIBP gets disabled by the guest, there's a small window of opportunity where the SMT sibling can help force a retbleed attack on a RET between the MSR write and the vmrun. But that's really unrealistic IMO. -- Josh