On Wed, Jan 8, 2025 at 11:15 AM Borislav Petkov <bp@xxxxxxxxx> wrote: > > On Wed, Jan 08, 2025 at 10:37:57AM -0800, Jim Mattson wrote: > > Surely, IBPB-on-VMexit is worse for performance than safe-RET?!? > > We don't need safe-RET with SRSO_USER_KERNEL_NO=1. And there's no safe-RET for > virt only. So IBPB-on-VMEXIT is the next best thing. The good thing is, those > machines have BpSpecReduce too so you won't be doing IBPB-on-VMEXIT either but > what we're talking about here - BpSpecReduce. I'm suggesting that IBPB-on-VMexit is probably the *worst* thing. If it weren't for BpSpecReduce, I would want safe-RET for virt only. (Well, if it weren't for ASI, I would want that, anyway.) > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette
