On Wed, Jan 10, 2018 at 12:51:13PM +0000, David Woodhouse wrote: > If it worked as Andrea suggests, then there would be absolutely no > point in the patches we've seen which add the IBRS-frobbing on syscall > entry and vmexit.
This is perhaps what you're missing I think, there is a huge point: performance. ibrs_enabled 1 ibpb_enabled 1 is much faster than ibrs_enabled 2 ibpb_enabled 1. The current IBRS is disabling IBP, it can't do the "finegrined" thing that leaves IBP speculation enabled. Kernel is not a 100% C++ virtual template, so for kernel IBRS enabled is not as a big deal as userland with IBRS enabled. Once the new CPUid bit will be set it'll tell us IBRS is really restricting speculation in a finegrined way with all privilege levels ordered, so it simply tells is ibrs_enabled 2 ibpb_enabled 1 will be faster than ibrs_enabled 1 ibpb_enabled 1, so the only thing we've to do with the new CPUID bit you're talking about from the future, is to change the default to ibrs_enabled 2 and it'll perform even better with zero overhead in kernel entry points. We already optimized for the future silicon, we've only to add a tweak to detect cpuid and set the default ibrs_enabled to 2. > The "IBRS all the time" feature is something we get on *future* > hardware, not current hardware. No, for current hardware it's the most secure option available and required in fact if you want to fix guest userland attack on host userland with math certainty which can matter for some customer.
