Re: [PATCH 3/8] kvm: vmx: pass MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD down to the guest

["Woodhouse, David" <dwmw@amazon.co.uk>]

[-- Attachment #1: Type: text/plain, Size: 1255 bytes --]

On Wed, 2018-01-10 at 10:41 -0500, Konrad Rzeszutek Wilk wrote:
> On Wed, Jan 10, 2018 at 03:28:43PM +0100, Paolo Bonzini wrote:
> > On 10/01/2018 15:06, Arjan van de Ven wrote:
> > > On 1/10/2018 5:20 AM, Paolo Bonzini wrote:
> > >> * a simple specification that does "IBRS=1 blocks indirect
> branch
> > >> prediction altogether" would actually satisfy the specification
> just as
> > >> well, and it would be nice to know if that's what the processor
> actually
> > >> does.
> > > 
> > > it doesn't exactly, not for all.
> > > 
> > > so you really do need to write ibrs again.
> > 
> > Okay, so "always set IBRS=1" does *not* protect against variant 2. 
> Thanks,
> 
> And what is the point of this "always set IBRS=1" then? Are there
> some other things lurking in the shadows?

Yes. *FUTURE* CPUs will have a mode where you can just set IBRS and
leave it set for ever and not worry about any of this, and the
performance won't even suck.

Quite why it's still an option you have to set in an MSR, and not just
a feature bit that they advertise and do it unconditionally, I have no
idea. But apparently that's the plan.

But no current hardware will do this; they've done the best they can do
with microcode already.

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5210 bytes --]