Re: [PATCH] KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB

[Sean Christopherson <seanjc@google.com>]

On Fri, Aug 16, 2024, Jim Mattson wrote:
> On Fri, Aug 16, 2024 at 7:25 AM Sean Christopherson <seanjc@google.com> wrote:
> >
> > On Thu, Apr 11, 2024, Jim Mattson wrote:
> > > On Thu, Apr 11, 2024 at 6:32 PM Venkatesh Srinivas
> > > <venkateshs@chromium.org> wrote:
> > > >
> > > > On Thu, Apr 11, 2024 at 1:59 PM Jim Mattson <jmattson@google.com> wrote:
> > > > >
> > > > > From Intel's documention [1], "CPUID.(EAX=07H,ECX=0):EDX[26]
> > > > > enumerates support for indirect branch restricted speculation (IBRS)
> > > > > and the indirect branch predictor barrier (IBPB)." Further, from [2],
> > > > > "Software that executed before the IBPB command cannot control the
> > > > > predicted targets of indirect branches (4) executed after the command
> > > > > on the same logical processor," where footnote 4 reads, "Note that
> > > > > indirect branches include near call indirect, near jump indirect and
> > > > > near return instructions. Because it includes near returns, it follows
> > > > > that **RSB entries created before an IBPB command cannot control the
> > > > > predicted targets of returns executed after the command on the same
> > > > > logical processor.**" [emphasis mine]
> > > > >
> > > > > On the other hand, AMD's "IBPB may not prevent return branch
> > > > > predictions from being specified by pre-IBPB branch targets" [3].
> > > > >
> > > > > Since Linux sets the synthetic feature bit, X86_FEATURE_IBPB, on AMD
> > > > > CPUs that implement the weaker version of IBPB, it is incorrect to
> > > > > infer from this and X86_FEATURE_IBRS that the CPU supports the
> > > > > stronger version of IBPB indicated by CPUID.(EAX=07H,ECX=0):EDX[26].
> > > >
> > > > AMD's IBPB does apply to RET predictions if Fn8000_0008_EBX[IBPB_RET] = 1.
> > > > Spot checking, Zen4 sets that bit; and the bulletin doesn't apply there.
> > >
> > > So, with a definition of X86_FEATURE_AMD_IBPB_RET, this could be:
> > >
> > >        if (boot_cpu_has(X86_FEATURE_AMD_IBPB_RET) &&
> > > boot_cpu_has(X86_FEATURE_IBRS))
> > >                kvm_cpu_cap_set(X86_FEATURE_SPEC_CTRL);
> > >
> > > And, in the other direction,
> > >
> > >     if (boot_cpu_has(X86_FEATURE_SPEC_CTRL))
> > >         kvm_cpu_cap_set(X86_FEATURE_AMD_IBPB_RET);
> >
> > Jim, are you planning on sending a v2 with Venkatesh's suggested solution?
> 
> I really like the idea of moving all of the cross-vendor capability
> settings into userspace, but if we want to keep this in the kernel,
> then I'll send V2.

Unfortunately, that ship has likely sailed for the existing code, because I
suspect userspace has come to rely on KVM's behavior.  I do think it makes sense
to punt all future cross-vendor stuff to userspace, with exceptions for cases like
this where we're fixing existing KVM support.