On 11/4/24 08:13, Shah, Amit wrote:
> I want to justify that not setting X86_FEATURE_RSB_CTXSW is still doing
> the right thing, albeit in hardware.

Let's back up a bit.

In the kernel, we have security concerns if RSB contents remain across context switches. If process A's RSB entries are left and then process B uses them, there's a problem. Today, we mitigate that issue with manual kernel RSB state zapping on context switches (X86_FEATURE_RSB_CTXSW).

You're saying that this fancy new ERAPS feature includes a new mechanism to zap RSB state. But that only triggers "each time a TLB flush happens".

So what you're saying above is that you are concerned about RSB contents sticking around across context switches. But instead of using X86_FEATURE_RSB_CTXSW, you believe that the new TLB-flush-triggered ERAPS flush can be used instead.

Are we all on the same page so far?

I think you're wrong. We can't depend on ERAPS for this. Linux doesn't flush the TLB on context switches when PCIDs are in play. Thus, ERAPS won't flush the RSB and will leave bad state in there and will leave the system vulnerable.

Or what am I missing?
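A toy model of the argument in the reply above (added here as an illustration; it is not code from this thread or from the kernel): it assumes, as the reply states, that a context switch under PCID issues no TLB flush, and counts how many of the previous task's RSB entries the next task can still consume under each mitigation.

```c
/* Toy model (added illustration, not kernel code): does the RSB still hold
 * another task's entries after a context switch, under each mitigation? */
#include <stdbool.h>
#include <string.h>

#define RSB_DEPTH 32

enum mitigation { MIT_NONE, MIT_RSB_CTXSW, MIT_ERAPS_ON_TLB_FLUSH };

struct cpu {
    int rsb_owner[RSB_DEPTH]; /* task id that pushed each RSB entry (0 = empty) */
    int current;              /* task currently running */
    bool pcid;                /* PCID/ASID in use: switches do not flush the TLB */
};

/* A running task fills the RSB with its own return addresses. */
static void run_task(struct cpu *c, int task) {
    for (int i = 0; i < RSB_DEPTH; i++) c->rsb_owner[i] = task;
}

/* TLB flush: with ERAPS this is the event that also clears the RSB. */
static void tlb_flush(struct cpu *c, enum mitigation m) {
    if (m == MIT_ERAPS_ON_TLB_FLUSH) memset(c->rsb_owner, 0, sizeof c->rsb_owner);
}

/* Context switch as modelled here (assumption from the reply): explicit RSB
 * stuffing under RSB_CTXSW; a TLB flush only when PCID is not in use, since
 * with PCID the old mappings stay tagged by ASID and no flush is issued. */
static void context_switch(struct cpu *c, int next, enum mitigation m) {
    if (m == MIT_RSB_CTXSW) memset(c->rsb_owner, 0, sizeof c->rsb_owner);
    if (!c->pcid) tlb_flush(c, m);
    c->current = next;
}

/* Count RSB entries that belong to a task other than the current one. */
static int stale_rsb_entries(const struct cpu *c) {
    int n = 0;
    for (int i = 0; i < RSB_DEPTH; i++)
        if (c->rsb_owner[i] && c->rsb_owner[i] != c->current) n++;
    return n;
}

/* Run task 1, switch to task 2, report how many of task 1's entries remain. */
int stale_after_switch(bool pcid, enum mitigation m) {
    struct cpu c = { .current = 1, .pcid = pcid };
    run_task(&c, 1);
    context_switch(&c, 2, m);
    return stale_rsb_entries(&c);
}
```

With PCID disabled the TLB-flush-triggered clear covers the switch; with PCID enabled only the explicit X86_FEATURE_RSB_CTXSW stuffing empties the RSB in this model.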