On Thu, 2024-12-05 at 15:32 -0800, Josh Poimboeuf wrote:
> On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > User->user Spectre v2 attacks (including RSB) across context switches
> > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > or if either the prev or the next task has opted in to protection. RSB
> > filling without IBPB serves no purpose for protecting user space, as
> > indirect branches are still vulnerable.
>
> Question for Intel/AMD folks: where is it documented that IBPB clears
> the RSB? I thought I'd seen this somewhere but I can't seem to find
> it.

"AMD64 TECHNOLOGY INDIRECT BRANCH CONTROL EXTENSION"

https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/white-papers/111006-architecture-guidelines-update-amd64-technology-indirect-branch-control-extension.pdf

has:

    Indirect branch prediction barrier (IBPB) exists at MSR 0x49 (PRED_CMD)
    bit 0. This is a write only MSR that both GP faults when software reads
    it or if software tries to write any of the bits in 63:1. When bit zero
    is written, the processor guarantees that older indirect branches
    cannot influence predictions of indirect branches in the future. This
    applies to jmp indirects, call indirects and returns. As this restricts
    the processor from using all previous indirect branch information, it
    is intended to only be used by software when switching from one user
    context to another user context that requires protection, or from one
    guest to another guest.

Amit
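The following is an added example, not part of the thread or of the kernel code it discusses. It decodes the CPUID bits that advertise IBPB support (AMD: CPUID 0x80000008 EBX bit 12; Intel: CPUID 7 EDX bit 26, which covers IBRS and IBPB; both taken from the vendors' CPUID documentation, not from the thread) and checks a candidate PRED_CMD write against the contract quoted above from the AMD document: MSR 0x49, only bit 0 may be written. The struct and function names are my own, not kernel identifiers, and the decoder is split from the CPUID query so it can be exercised with constructed register values on any machine.

```c
/*
 * Added example (not from the thread): decode the CPUID bits that
 * advertise IBPB and validate a PRED_CMD write value against the
 * documented contract (MSR 0x49, only bit 0 may be set).
 * Names below are illustrative, not Linux kernel identifiers.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_PRED_CMD        0x49u        /* from the quoted AMD text */
#define PRED_CMD_IBPB       (1ull << 0)  /* bit 0: issue an IBPB */

/* Feature bits from the vendor CPUID leaves (assumed from vendor docs) */
#define CPUID_AMD_8000_0008_EBX_IBPB   (1u << 12)
#define CPUID_INTEL_7_EDX_SPEC_CTRL    (1u << 26)  /* IBRS + IBPB */

struct ibpb_caps {
    bool amd_ibpb;        /* CPUID 0x80000008 EBX[12] */
    bool intel_spec_ctrl; /* CPUID 7,0 EDX[26] */
};

/* Pure decoder over raw register values so it can be tested offline. */
struct ibpb_caps decode_ibpb_caps(uint32_t amd_ebx, uint32_t intel_edx)
{
    struct ibpb_caps c;
    c.amd_ibpb = (amd_ebx & CPUID_AMD_8000_0008_EBX_IBPB) != 0;
    c.intel_spec_ctrl = (intel_edx & CPUID_INTEL_7_EDX_SPEC_CTRL) != 0;
    return c;
}

bool ibpb_supported(struct ibpb_caps c)
{
    return c.amd_ibpb || c.intel_spec_ctrl;
}

/*
 * The AMD text says PRED_CMD #GPs if any of bits 63:1 are written.
 * Accept only values the MSR accepts; a kernel rejects anything else
 * before it reaches wrmsr.
 */
bool pred_cmd_value_ok(uint64_t v)
{
    return (v & ~PRED_CMD_IBPB) == 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Query the running CPU; a missing leaf reads as "not advertised". */
struct ibpb_caps query_ibpb_caps(void)
{
    unsigned int a, b, c, d;
    uint32_t amd_ebx = 0, intel_edx = 0;

    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        intel_edx = d;
    if (__get_cpuid(0x80000008, &a, &b, &c, &d))
        amd_ebx = b;
    return decode_ibpb_caps(amd_ebx, intel_edx);
}
#endif

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct ibpb_caps caps = query_ibpb_caps();
    printf("AMD IBPB: %d, Intel SPEC_CTRL (IBRS/IBPB): %d -> IBPB %s\n",
           caps.amd_ibpb, caps.intel_spec_ctrl,
           ibpb_supported(caps) ? "available" : "not advertised");
#else
    puts("not an x86 CPU; CPUID leaves unavailable");
#endif
    printf("PRED_CMD=0x%x write value 0x%llx accepted: %d\n", MSR_PRED_CMD,
           (unsigned long long)PRED_CMD_IBPB,
           pred_cmd_value_ok(PRED_CMD_IBPB));
    return 0;
}
```

Run on an x86 host it reports whether the CPU advertises IBPB at all; the write-value check is what a kernel-side helper would apply before touching the MSR, since the document is explicit that writing any bit other than bit 0 faults.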