From: Nikolay Borisov <nik.borisov@suse.com>
To: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>
Cc: x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
David Kaplan <david.kaplan@amd.com>,
Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
Asit Mallick <asit.k.mallick@intel.com>,
Tao Zhang <tao1.zhang@intel.com>
Subject: Re: [PATCH v3 2/3] x86/vmscape: Replace IBPB with branch history clear on exit to userspace
Date: Wed, 19 Nov 2025 12:33:05 +0200 [thread overview]
Message-ID: <6a7ad323-657d-4cda-83e2-58492394f44c@suse.com> (raw)
In-Reply-To: <20251106234055.ftahbvqxrfzjwr6t@desk>
On 11/7/25 01:40, Pawan Gupta wrote:
> [ I drafted the reply this this email earlier, but forgot to send it, sorry. ]
>
> On Mon, Nov 03, 2025 at 12:31:09PM -0800, Dave Hansen wrote:
>> On 10/27/25 16:43, Pawan Gupta wrote:
>>> IBPB mitigation for VMSCAPE is an overkill for CPUs that are only affected
>>> by the BHI variant of VMSCAPE. On such CPUs, eIBRS already provides
>>> indirect branch isolation between guest and host userspace. But, a guest
>>> could still poison the branch history.
>>
>> This is missing a wee bit of background about how branch history and
>> indirect branch prediction are involved in VMSCAPE.
>
> Adding more background to this.
>
>>> To mitigate that, use the recently added clear_bhb_long_loop() to isolate
>>> the branch history between guest and userspace. Add cmdline option
>>> 'vmscape=on' that automatically selects the appropriate mitigation based
>>> on the CPU.
>>
>> Is "=on" the right thing here as opposed to "=auto"?
>
> v1 had it as =auto, David Kaplan made a point that for attack vector controls
> "auto" means "defer to attack vector controls":
>
> https://lore.kernel.org/all/LV3PR12MB9265B1C6D9D36408539B68B9941EA@LV3PR12MB9265.namprd12.prod.outlook.com/
>
> "Maybe a better solution instead is to add a new option 'vmscape=on'.
>
> If we look at the other most recently added bugs like TSA and ITS, neither
> have an explicit 'auto' cmdline option. But they do have 'on' cmdline
> options.
>
> The difference between 'auto' and 'on' is that 'auto' defers to the attack
> vector controls while 'on' means 'enable this mitigation if the CPU is
> vulnerable' (as opposed to 'force' which will enable it even if not
> vulnerable).
>
> An explicit 'vmscape=on' could give users an option to ensure the
> mitigation is used (regardless of attack vectors) and could choose the best
> mitigation (BHB clear if available, otherwise IBPB).
I thought the whole idea of attack vectors was because the gazillion
options for gazillion mitigation became untenable over time. Now, what
you are saying is - on top of the simplification, let's add yet more
options to override the attack vectors o_O. IMO, having 'force' is
sufficient to cover scenarios where people really want this mitigation -
either because they know better, or because they want to test something.
Force also covers the "on" case, so let's leave it at "on" for attack
vector support, and 'force' for everything else
<snip>
next prev parent reply other threads:[~2025-11-19 10:33 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 23:43 [PATCH v3 0/3] VMSCAPE optimization for BHI variant Pawan Gupta
2025-10-27 23:43 ` [PATCH v3 1/3] x86/bhi: Add BHB clearing for CPUs with larger branch history Pawan Gupta
2025-11-03 20:04 ` Dave Hansen
2025-11-03 22:45 ` Pawan Gupta
2025-10-27 23:43 ` [PATCH v3 2/3] x86/vmscape: Replace IBPB with branch history clear on exit to userspace Pawan Gupta
2025-10-29 22:47 ` Sean Christopherson
2025-10-30 0:08 ` Pawan Gupta
2025-11-03 20:31 ` Dave Hansen
2025-11-06 23:40 ` Pawan Gupta
2025-11-19 10:33 ` Nikolay Borisov [this message]
2025-11-19 18:26 ` Pawan Gupta
2025-10-27 23:43 ` [PATCH v3 3/3] x86/vmscape: Remove LFENCE from BHB clearing long loop Pawan Gupta
2025-11-03 20:45 ` Dave Hansen
2025-11-04 22:01 ` Pawan Gupta
2025-11-04 22:35 ` Dave Hansen
2025-11-04 23:36 ` Pawan Gupta
2025-11-03 20:07 ` [PATCH v3 0/3] VMSCAPE optimization for BHI variant Dave Hansen
2025-11-03 23:03 ` Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a7ad323-657d-4cda-83e2-58492394f44c@suse.com \
--to=nik.borisov@suse.com \
--cc=asit.k.mallick@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=david.kaplan@amd.com \
--cc=hpa@zytor.com \
--cc=jpoimboe@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=tao1.zhang@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox