Re: [PATCH v2 2/2] x86/bugs: Don't fill RSB on context switch with eIBRS

On Fri, 2024-12-06 at 15:02 -0800, Josh Poimboeuf wrote:
> On Thu, Dec 05, 2024 at 04:53:03PM -0800, Josh Poimboeuf wrote:
> > On Thu, Dec 05, 2024 at 03:32:47PM -0800, Josh Poimboeuf wrote:
> > > On Thu, Nov 21, 2024 at 12:07:19PM -0800, Josh Poimboeuf wrote:
> > > > User->user Spectre v2 attacks (including RSB) across context switches
> > > > are already mitigated by IBPB in cond_mitigation(), if enabled globally
> > > > or if either the prev or the next task has opted in to protection.  RSB
> > > > filling without IBPB serves no purpose for protecting user space, as
> > > > indirect branches are still vulnerable.
> > > 
> > > Question for Intel/AMD folks: where is it documented that IBPB clears
> > > the RSB?  I thought I'd seen this somewhere but I can't seem to find it.
> > 
> > For Intel, I found this:
> > 
> > https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html
> > 
> >   "Software that executed before the IBPB command cannot control the
> >   predicted targets of indirect branches executed after the command on
> >   the same logical processor. The term indirect branch in this context
> >   includes near return instructions, so these predicted targets may come
> >   from the RSB.
> > 
> >   This article uses the term RSB-barrier to refer to either an IBPB
> >   command event, or (on processors which support enhanced IBRS) either a
> >   VM exit with IBRS set to 1 or setting IBRS to 1 after a VM exit."
> > 
> > I haven't seen anything that explicit for AMD.
> 
> Found it.  As Andrew mentioned earlier, AMD IBPB only clears RSB if the
> IBPB_RET CPUID bit is set.  From APM vol 3:
> 
> CPUID Fn8000_0008_EBX Extended Feature Identifiers:
> 
> 30	IBPB_RET	The processor clears the return address
> 			predictor when MSR PRED_CMD.IBPB is written
> to 1.
> 
> We check that already for the IBPB entry mitigation, but now we'll also
> need to do so for the context switch IBPB.
> 
> Question for AMD, does SBPB behave the same way, i.e. does it clear RSB
> if IBPB_RET?

That's correct - SBPB clears the RSB only when IBPB_RET is set.

		Amit
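Added example, not part of this thread or of the kernel patch under discussion: a small userspace C check that encodes the rule the thread arrives at. On Intel, IBPB is documented as an RSB-barrier; on AMD, IBPB (and, per Amit's reply, SBPB) clears the return address predictor only when CPUID Fn8000_0008 EBX bit 30 (IBPB_RET) is set. The `ibpb_clears_rsb` and `vendor_from_string` helpers and their names are my own; the live `probe_running_cpu` query uses GCC/Clang's `<cpuid.h>` and is only compiled on x86. Treat the "unknown vendor means no" fallback as an assumption, not a vendor statement.

```c
/* Added illustration for the thread above; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum vendor { VENDOR_UNKNOWN = 0, VENDOR_INTEL, VENDOR_AMD };

/* CPUID Fn8000_0008 EBX bit 30: IBPB_RET (AMD APM vol. 3, quoted above). */
#define AMD_IBPB_RET_BIT  30
#define AMD_IBPB_RET_MASK (1u << AMD_IBPB_RET_BIT)

/* Does an IBPB command also act as an RSB barrier?
 * Intel: yes, per the post-barrier RSB guidance quoted in the thread.
 * AMD:   only if Fn8000_0008 EBX[30] (IBPB_RET) is set; SBPB behaves the
 *        same way according to the reply above.
 * Other / unknown vendors: assumed no (conservative default, my choice). */
int ibpb_clears_rsb(enum vendor v, uint32_t fn80000008_ebx)
{
    switch (v) {
    case VENDOR_INTEL:
        return 1;
    case VENDOR_AMD:
        return (fn80000008_ebx & AMD_IBPB_RET_MASK) != 0;
    default:
        return 0;
    }
}

/* Map the 12-byte CPUID leaf 0 vendor string (EBX, EDX, ECX order) to an enum. */
enum vendor vendor_from_string(const char *s)
{
    if (strncmp(s, "GenuineIntel", 12) == 0) return VENDOR_INTEL;
    if (strncmp(s, "AuthenticAMD", 12) == 0) return VENDOR_AMD;
    return VENDOR_UNKNOWN;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>

/* Query the running CPU.  Returns 1 if IBPB clears the RSB, 0 if not,
 * -1 if CPUID or the extended leaf is unavailable. */
int probe_running_cpu(void)
{
    unsigned int eax, ebx, ecx, edx;
    char vs[13] = {0};
    enum vendor v;

    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return -1;
    memcpy(vs, &ebx, 4);
    memcpy(vs + 4, &edx, 4);
    memcpy(vs + 8, &ecx, 4);
    v = vendor_from_string(vs);

    if (!__get_cpuid(0x80000008, &eax, &ebx, &ecx, &edx))
        return -1;
    return ibpb_clears_rsb(v, ebx);
}
#else
/* Non-x86 build: nothing to probe. */
int probe_running_cpu(void) { return -1; }
#endif

int main(void)
{
    int r = probe_running_cpu();
    if (r < 0)
        puts("CPUID leaf 0x80000008 not available on this machine");
    else
        printf("IBPB acts as an RSB barrier on this CPU: %s\n", r ? "yes" : "no");
    return 0;
}
```

The point of the decision function is that a context-switch IBPB is only a complete user->user mitigation (RSB included) where the hardware documents it as an RSB barrier; on AMD parts without IBPB_RET the kernel still needs separate RSB handling, which is exactly the check the thread says must be added alongside the existing entry-mitigation check.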
