On Mon, Nov 11, 2024 at 05:46:44PM -0800, Josh Poimboeuf wrote:
> + * 1) RSB underflow ("Intel Retbleed")
> *
> * Some Intel parts have "bottomless RSB". When the RSB is empty,
> * speculated return targets may come from the branch predictor,
> * which could have a user-poisoned BTB or BHB entry.
> *
> - * AMD has it even worse: *all* returns are speculated from the BTB,
> - * regardless of the state of the RSB.
> + * When IBRS or eIBRS is enabled, the "user -> kernel" attack is
> + * mitigated by the IBRS branch prediction isolation properties, so
> + * the RSB buffer filling wouldn't be necessary to protect against
> + * this type of attack.
> *
> - * When IBRS or eIBRS is enabled, the "user -> kernel" attack
> - * scenario is mitigated by the IBRS branch prediction isolation
> - * properties, so the RSB buffer filling wouldn't be necessary to
> - * protect against this type of attack.
> + * The "user -> user" attack is mitigated by RSB filling on context
> + * switch.
user->user SpectreRSB is also mitigated by IBPB, so RSB filling is
unnecessary when IBPB is issued. Also, when an appication does not opted-in
for IBPB at context switch, spectre-v2 for that app is not mitigated,
filling RSB is only a half measure in that case.
Is RSB filling really serving any purpose for userspace?
