Re: [PATCH v4] x86/speculation, KVM: remove IBPB on vCPU load

On Thu, May 12, 2022, Jon Kohler wrote:
> Remove IBPB that is done on KVM vCPU load, as the guest-to-guest
> attack surface is already covered by switch_mm_irqs_off() ->
> cond_mitigation().
> 
> The original commit 15d45071523d ("KVM/x86: Add IBPB support") was simply
> wrong in its guest-to-guest design intention. There are three scenarios
> at play here:

Jim pointed out offline that there's a case we didn't consider.  When switching between
vCPUs in the same VM, an IBPB may be warranted as the tasks in the VM may be in
different security domains.  E.g. the guest will not get a notification that vCPU0 is
being swapped out for vCPU1 on a single pCPU.

So, sadly, after all that, I think the IBPB needs to stay.  But the documentation
most definitely needs to be updated.

A per-VM capability to skip the IBPB may be warranted, e.g. for container-like
use cases where a single VM is running a single workload.


