On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote: > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote: > > User->user Spectre v2 attacks (including RSB) across context switches > > are already mitigated by IBPB in cond_mitigation(), if enabled globally > > or if either the prev or the next task has opted in to protection. RSB > > filling without IBPB serves no purpose for protecting user space, as > > indirect branches are still vulnerable. > > Question for Intel/AMD folks: where is it documented that IBPB clears > the RSB? I thought I'd seen this somewhere but I can't seem to find it. For Intel, I found this: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html "Software that executed before the IBPB command cannot control the predicted targets of indirect branches executed after the command on the same logical processor. The term indirect branch in this context includes near return instructions, so these predicted targets may come from the RSB. This article uses the term RSB-barrier to refer to either an IBPB command event, or (on processors which support enhanced IBRS) either a VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit." I haven't seen anything that explicit for AMD. -- Josh
