On Fri, Dec 06, 2024 at 10:10:31AM +0000, Shah, Amit wrote:
> On Thu, 2024-12-05 at 15:32 -0800, Josh Poimboeuf wrote:
> > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > > User->user Spectre v2 attacks (including RSB) across context switches
> > > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > > or if either the prev or the next task has opted in to protection. RSB
> > > filling without IBPB serves no purpose for protecting user space, as
> > > indirect branches are still vulnerable.
> >
> > Question for Intel/AMD folks: where is it documented that IBPB clears
> > the RSB? I thought I'd seen this somewhere but I can't seem to find
> > it.
>
> "AMD64 TECHNOLOGY INDIRECT BRANCH CONTROL EXTENSION"
>
> https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/white-papers/111006-architecture-guidelines-update-amd64-technology-indirect-branch-control-extension.pdf
>
> has:
>
> Indirect branch prediction barrier (IBPB) exists at MSR 0x49 (PRED_CMD)
> bit 0. This is a write only MSR that both GP faults when software reads
> it or if software tries to write any of the bits in 63:1. When bit zero
> is written, the processor guarantees that older indirect branches
> cannot influence predictions of indirect branches in the future. This
> applies to jmp indirects, call indirects and returns. As this restricts
> the processor from using all previous indirect branch information, it
> is intended to only be used by software when switching from one user
> context to another user context that requires protection, or from one
> guest to another guest.

Sounds like that needs to be updated to mention the IBPB_RET bit.

--
Josh