Re: [PATCH] x86/bhi: avoid hardware mitigation for 'spectre_bhi=vmexit'

[Pawan Gupta <pawan.kumar.gupta@linux.intel.com>]

On Fri, Sep 13, 2024 at 04:04:56PM -0700, Jim Mattson wrote:
> > The IA32_SPEC_CTRL mask and shadow fields should be perfect for this.
> 
> In fact, this is the guidance given in
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html:
> 
> The VMM should use the “virtualize IA32_SPEC_CTRL” VM-execution
> control to cause BHI_DIS_S to be set (see the VMM Support for
> BHB-clearing Software Sequences section) whenever:
> o The VMM is running on a processor for which the short software
> sequence may not be effective:
>   - Specifically, it does not enumerate BHI_NO, but does enumerate
> BHI_DIS_S, and is not an Atom-only processor.
> 
> In other words, the VMM should set bit 10 in the IA32_SPEC_CTRL mask
> on SPR. As long as the *effective* guest IA32_SPEC_CTRL value matches
> the host value, there is no need to write the MSR on VM-{entry,exit}.

With host setting the effective BHI_DIS_S for guest using virtual
SPEC_CTRL, there will be no way for guest to opt-out of BHI mitigation.
Or if the guest is mitigating BHI with the software sequence, it will
still get the hardware mitigation also.

To overcome this, the guest and KVM need to implement
MSR_VIRTUAL_MITIGATION_CTRL to allow guest to opt-out of hardware
mitigation.

> There is no need to disable BHI_DIS_S on the host and use the TSX
> abort sequence in its place.

Exactly.