From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mx2.suse.de ([195.135.220.15]) by Galois.linutronix.de with esmtps (TLS1.0:DHE_RSA_CAMELLIA_256_CBC_SHA1:256) (Exim 4.80) (envelope-from ) id 1f9ZRn-0001IM-Tj for speck@linutronix.de; Fri, 20 Apr 2018 19:03:46 +0200
Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 5FFFEAE7A for ; Fri, 20 Apr 2018 17:03:38 +0000 (UTC)
Date: Fri, 20 Apr 2018 19:03:31 +0200
From: Borislav Petkov
Subject: [MODERATED] Re: [patch 04/11] [PATCH v2 04/10] Linux Patch #4
Message-ID: <20180420170331.GL13977@pd.tnic>
References: <20180420022613.057637144@localhost.localdomain> <20180420161533.GK13977@pd.tnic> <20180420163936.GA4615@localhost.localdomain>
MIME-Version: 1.0
In-Reply-To: <20180420163936.GA4615@localhost.localdomain>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
To: speck@linutronix.de
List-ID:

On Fri, Apr 20, 2018 at 12:39:40PM -0400, speck for Konrad Rzeszutek Wilk wrote:
> Wouldn't we leak our MD state to the guest? That is the guest
> may have cleared everything (svm->spec_ctrl is zero when we VMEXIT),
> and now we would be running it with MD bit set?

No, you pass the requested bits:

	x86_enable_ibrs(svm->spec_ctrl);

and that function then picks apart which bits the host supports and sets
them accordingly and filters out the reserved bits.

You might call the function then:

	x86_set_spec_ctrl();

and its counterpart

	x86_restore_spec_ctrl();

or whatever.

The restore side would simply clear the IBRS bit as we don't enable it
on the host. It will restore the MD setting for the host too.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
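
Added example, not part of the message above and not kernel code: a user-space C model of the scheme the reply describes, where the guest's requested bits are filtered against what the host supports before entry and the host's own setting is put back after VMEXIT. The struct, the function names and signatures, and the bit position used for MD are assumptions of this example; the MSR is a plain variable.

```c
#include <stdint.h>
#include <stdio.h>

/* IA32_SPEC_CTRL bits. "MD" is the thread's name for the memory
 * disambiguation control; bit 2 is an assumption of this example. */
#define SPEC_CTRL_IBRS  (1ULL << 0)
#define SPEC_CTRL_STIBP (1ULL << 1)
#define SPEC_CTRL_MD    (1ULL << 2)
#define DEMO_ALL (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_MD)

struct spec_ctrl_state {   /* hypothetical model, not a kernel struct */
    uint64_t supported;    /* bits the host CPU implements */
    uint64_t host_value;   /* value the host itself runs with */
    uint64_t msr;          /* stand-in for the MSR (no wrmsr here) */
};

/* Before entering the guest: program only what the guest requested, with
 * unsupported and reserved bits filtered out. Host bits are not ORed in. */
static uint64_t model_set_spec_ctrl(struct spec_ctrl_state *s, uint64_t req)
{
    s->msr = req & s->supported;
    return s->msr;
}

/* After VMEXIT: clear IBRS (the host does not enable it) and put the
 * host's own MD setting back, whatever the guest had programmed. */
static uint64_t model_restore_spec_ctrl(struct spec_ctrl_state *s)
{
    s->msr = s->host_value & s->supported & ~SPEC_CTRL_IBRS;
    return s->msr;
}

/* Constructed scenario: host supports all three bits and runs with MD set. */
static uint64_t demo_guest_runs_with(uint64_t req)
{
    struct spec_ctrl_state s = { DEMO_ALL, SPEC_CTRL_MD, SPEC_CTRL_MD };
    return model_set_spec_ctrl(&s, req);
}

static uint64_t demo_host_after_exit(uint64_t req)
{
    struct spec_ctrl_state s = { DEMO_ALL, SPEC_CTRL_MD, SPEC_CTRL_MD };
    model_set_spec_ctrl(&s, req);
    return model_restore_spec_ctrl(&s);
}

int main(void)
{
    printf("guest cleared all -> %#llx, host after exit -> %#llx\n",
           (unsigned long long)demo_guest_runs_with(0),
           (unsigned long long)demo_host_after_exit(SPEC_CTRL_IBRS));
    return 0;
}
```
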