From: Sean Christopherson <seanjc@google.com>
To: Jim Mattson <jmattson@google.com>
Cc: kvm@vger.kernel.org, pbonzini@redhat.com
Subject: Re: [PATCH v2 2/2] KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
Date: Tue, 1 Nov 2022 19:23:23 +0000 [thread overview]
Message-ID: <Y2FyK6WrT1tcWAPp@google.com> (raw)
In-Reply-To: <20221019213620.1953281-3-jmattson@google.com>
On Wed, Oct 19, 2022, Jim Mattson wrote:
> According to Intel's document on Indirect Branch Restricted
> Speculation, "Enabling IBRS does not prevent software from controlling
> the predicted targets of indirect branches of unrelated software
> executed later at the same predictor mode (for example, between two
> different user applications, or two different virtual machines). Such
> isolation can be ensured through use of the Indirect Branch Predictor
> Barrier (IBPB) command." This applies to both basic and enhanced IBRS.
>
> Since L1 and L2 VMs share hardware predictor modes (guest-user and
> guest-kernel), hardware IBRS is not sufficient to virtualize
> IBRS. (The way that basic IBRS is implemented on pre-eIBRS parts,
> hardware IBRS is actually sufficient in practice, even though it isn't
> sufficient architecturally.)
>
> For virtual CPUs that support IBRS, add an indirect branch prediction
> barrier on emulated VM-exit, to ensure that the predicted targets of
> indirect branches executed in L1 cannot be controlled by software that
> was executed in L2.
>
> Since we typically don't intercept guest writes to IA32_SPEC_CTRL,
> perform the IBPB at emulated VM-exit regardless of the current
> IA32_SPEC_CTRL.IBRS value, even though the IBPB could technically be
> deferred until L1 sets IA32_SPEC_CTRL.IBRS, if IA32_SPEC_CTRL.IBRS is
> clear at emulated VM-exit.
>
> This is CVE-2022-2196.
>
> Fixes: 5c911beff20a ("KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02")
> Cc: Sean Christopherson <seanjc@google.com>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> ---
Reviewed-by: Sean Christopherson <seanjc@google.com>
next prev parent reply other threads:[~2022-11-01 19:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-19 21:36 [PATCH v2 0/2] KVM: nVMX: Add IBPB between L2 and L1 to Jim Mattson
2022-10-19 21:36 ` [PATCH v2 1/2] KVM: VMX: Guest usage of IA32_SPEC_CTRL is likely Jim Mattson
2022-11-01 19:23 ` Sean Christopherson
2022-10-19 21:36 ` [PATCH v2 2/2] KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS Jim Mattson
2022-11-01 19:23 ` Sean Christopherson [this message]
2022-11-01 18:50 ` [PATCH v2 0/2] KVM: nVMX: Add IBPB between L2 and L1 to Jim Mattson
2022-12-02 19:21 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y2FyK6WrT1tcWAPp@google.com \
--to=seanjc@google.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.