Re: [PATCH] KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB

[Sean Christopherson <seanjc@google.com>]

On Tue, May 07, 2024, Jim Mattson wrote:
> On Thu, Apr 11, 2024 at 7:57 PM Jim Mattson <jmattson@google.com> wrote:
> >
> > On Thu, Apr 11, 2024 at 6:32 PM Venkatesh Srinivas
> > <venkateshs@chromium.org> wrote:
> > >
> > > On Thu, Apr 11, 2024 at 1:59 PM Jim Mattson <jmattson@google.com> wrote:
> > > >
> > > > From Intel's documention [1], "CPUID.(EAX=07H,ECX=0):EDX[26]
> > > > enumerates support for indirect branch restricted speculation (IBRS)
> > > > and the indirect branch predictor barrier (IBPB)." Further, from [2],
> > > > "Software that executed before the IBPB command cannot control the
> > > > predicted targets of indirect branches (4) executed after the command
> > > > on the same logical processor," where footnote 4 reads, "Note that
> > > > indirect branches include near call indirect, near jump indirect and
> > > > near return instructions. Because it includes near returns, it follows
> > > > that **RSB entries created before an IBPB command cannot control the
> > > > predicted targets of returns executed after the command on the same
> > > > logical processor.**" [emphasis mine]
> > > >
> > > > On the other hand, AMD's "IBPB may not prevent return branch
> > > > predictions from being specified by pre-IBPB branch targets" [3].
> > > >
> > > > Since Linux sets the synthetic feature bit, X86_FEATURE_IBPB, on AMD
> > > > CPUs that implement the weaker version of IBPB, it is incorrect to
> > > > infer from this and X86_FEATURE_IBRS that the CPU supports the
> > > > stronger version of IBPB indicated by CPUID.(EAX=07H,ECX=0):EDX[26].
> > >
> > > AMD's IBPB does apply to RET predictions if Fn8000_0008_EBX[IBPB_RET] = 1.
> > > Spot checking, Zen4 sets that bit; and the bulletin doesn't apply there.
> >
> > So, with a definition of X86_FEATURE_AMD_IBPB_RET, this could be:
> >
> >        if (boot_cpu_has(X86_FEATURE_AMD_IBPB_RET) &&
> > boot_cpu_has(X86_FEATURE_IBRS))
> >                kvm_cpu_cap_set(X86_FEATURE_SPEC_CTRL);
> >
> > And, in the other direction,
> >
> >     if (boot_cpu_has(X86_FEATURE_SPEC_CTRL))
> >         kvm_cpu_cap_set(X86_FEATURE_AMD_IBPB_RET);
> >
> > But, perhaps all of this cross-vendor equivalence logic belongs in user space.
> 
> In case it wasn't clear, I contend that any cross-vendor equivalence
> logic *does* belong in userspace.
> 
> Thoughts?

Maybe?  I generally like punting these sorts of things to userspace, but as
evidenced by this patch, all of these mitigation "features" are such a godawful
mess that I don't have a problem with KVM doing the heavy lifting.

E.g. I suspect that having KVM enumerate both vendor's bits makes it much easier
for QEMU to support pre-defined uarch models while still retaining sanity checks
that the features being enumerated to the guest are indeed supported by the host.