Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp393489pxj; Fri, 7 May 2021 10:53:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw3Vyz323UR53GLTQjrZqeAvFidAEIZ3r0p2s4hUySlKT7TBlOhPvRXZf4Q5yvRGFYGzRY/ X-Received: by 2002:a17:906:b048:: with SMTP id bj8mr11426388ejb.236.1620409996318; Fri, 07 May 2021 10:53:16 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1620409996; cv=pass; d=google.com; s=arc-20160816; b=PdrB3oEBLS/igx+DMtEsdzJWVgfwOeowSdeTZTOIJPwY/ELH4qM2Mt/cE4c2Ftl4gG 1XNz7TL5yqLqiv0v8CbtgkFPwICpP9TSxkFI2p8AePl7Lduw78BQw4Ca0PA46eCrEhFW NWwcFSfQ1SnK6xexVHiXSQH9oNbme40VvZymsNfjKiBAMhTAHzmqqlAmQnoiOSxKuFnY 63iRNDciLwZG29Taqqi4FioBjlDffBO4D/jo0OXw5zOghRca3MLI4FQ0UrG+kBWHBMnx kBORRIu5B0S6rwBc5/KadfFqcb+S0ksZR68AnefjPD85xiLS394FRihhNNc/xv7LDOwS Mw2Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:content-transfer-encoding :content-id:content-language:accept-language:in-reply-to:references :message-id:date:thread-index:thread-topic:subject:cc:to:from :dkim-signature; bh=2baEVHFTzQu/Fsmzwz/FJwqFeHtU5fWuYgKRMk3Elb0=; b=z+5R1xZ0vHxksBwqBNNMLVjU2hT2yNPglVZ1YrYTB4T26ze4OKo5/gFpWnCtAKtJtq Lpf2m9gybfxJwsus56eRohdCLjRYrPc6fVEcfZQMQEsswfR5n9bA7M13ztvTMQm4qXHM nNikB79F4WFsEH3eXX1Dt5vEv6enUa46+iuVVEEQok1QNiDJX2pTRtuglCASdvKT8iZA QVdjgXVeIhCX/+hZL158d4KMGar8gDoa/eLDeUPv6NUdHZJzcMAdZOrsWmS4r1grW+f8 QCDiqTp4cIjzFAWj9zo8YNu1weiDHcsGkN7mrXETs0jTEH60ivIYzW8Hx9vCxtVz27OV DpKw== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@nutanix.com header.s=proofpoint20171006 header.b=XMDGq8ny; arc=pass (i=1 spf=pass spfdomain=nutanix.com dkim=pass dkdomain=nutanix.com dmarc=pass fromdomain=nutanix.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nutanix.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m5si5772338edq.392.2021.05.07.10.52.50; Fri, 07 May 2021 10:53:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@nutanix.com header.s=proofpoint20171006 header.b=XMDGq8ny; arc=pass (i=1 spf=pass spfdomain=nutanix.com dkim=pass dkdomain=nutanix.com dmarc=pass fromdomain=nutanix.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nutanix.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229482AbhEGRsj (ORCPT + 99 others); Fri, 7 May 2021 13:48:39 -0400 Received: from mx0b-002c1b01.pphosted.com ([148.163.155.12]:54644 "EHLO mx0b-002c1b01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229446AbhEGRsi (ORCPT ); Fri, 7 May 2021 13:48:38 -0400 Received: from pps.filterd (m0127841.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 147HbZ06027166; Fri, 7 May 2021 10:46:49 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=proofpoint20171006; bh=2baEVHFTzQu/Fsmzwz/FJwqFeHtU5fWuYgKRMk3Elb0=; b=XMDGq8nyjc6Omj93dnq5V2iMnw9UcDuixeNGBV1wwQrBtOooug9DcHOf0AKlRb3hit1b UeEWKbZ3n8Douo464Hi04e3yhHOCuDNSzlsbpVwkSz5HQQdZoosYu55lFUAnfbKLgEG7 BJs963i4gxAnQqqhTKDmRpSgxWPhYLi0LPpyaBr34GrfzysYnCUqozGNo9sNkcqSGf3Q jnfqu4AU+kFQXPwEBRrCF1ILgS3smCzsO42kMmix3e6d4XRWaoO93sjmt5M1YTOcTr50 2vWCGSs6n1/okHuZd3eSukznwMrKC4M5bvOhSYZGdrTfABqL6dMXYnUxFfpYuUJRRmut iA== Received: from nam02-dm3-obe.outbound.protection.outlook.com (mail-dm3nam07lp2043.outbound.protection.outlook.com [104.47.56.43]) by mx0b-002c1b01.pphosted.com with ESMTP id 38csqgstm8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 07 May 2021 10:46:49 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FZt1ESnrorVrwQT11mL42d3nuNExalZ/WpFK1Al03B6aXEY23TAo2dBoy2tPhiuAk9wpP59vL5O7QqjDppLswqTkCcS+YKPsEX42CMPC4FNFpYjkQSztUuFdPQ3B/r7ENGA1Ku/LC8+N9HcpfAnYu5x5qaYS7FgObyL0QQ+19hH4ak4UmAagNEmnXifFRCsqHW2nAFGJW1sktfN0J1daDMg+TJtZYNqALTE98h/UVosbfICSkCAw6HcLpQknDSvFE6f9ljAUeIx2PXgFzoW7ip9qwWR6B/7vjGz2bQ3U7aV4zXd5yLQ7UhqGWg7Bs6UQvS669vwxuzSLALfWHCNv5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2baEVHFTzQu/Fsmzwz/FJwqFeHtU5fWuYgKRMk3Elb0=; b=nPSP2k4S1u0IfQeI51yXGudjKo/tGo1C5+PAoevcAetsoZXbKQTMrZW64RIr+ARxKpCp88dZWJu9DxbWvaiw1ivBrxWogv6jEBrrMQP0W/9r/JUQ4ZHpksc3ERorN/HzOmDQ9U/rU1I7l531l2wIi2MlMwfipYLWkSfFIbq6LEuYDzraf3TCzBjbcquEQuEr0jJW53sFZgTp/J3TqCUegtkPw5USA4YmOFD9XbaqyFgtedfQfcFK6RoBE3MHRJASyMJW+25kfGqnhb5+i1b7+wimYUYEl9SxF0YfiHG2QQPH4scR8TZ6Mz8ZD1LIQjJ4eC4ZCs6jgVpz6lRap7lz5Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nutanix.com; dmarc=pass action=none header.from=nutanix.com; dkim=pass header.d=nutanix.com; arc=none Received: from BL0PR02MB4579.namprd02.prod.outlook.com (2603:10b6:208:4b::10) by BL0PR02MB5377.namprd02.prod.outlook.com (2603:10b6:208:37::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.30; Fri, 7 May 2021 17:46:47 +0000 Received: from BL0PR02MB4579.namprd02.prod.outlook.com ([fe80::75cf:5b99:f963:cc07]) by BL0PR02MB4579.namprd02.prod.outlook.com ([fe80::75cf:5b99:f963:cc07%5]) with mapi id 15.20.4108.029; Fri, 7 May 2021 17:46:47 +0000 From: Jon Kohler To: Venkatesh Srinivas CC: Jon Kohler , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "x86@kernel.org" , "H. Peter Anvin" , "kvm@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] KVM: x86: use X86_FEATURE_RSB_CTXSW for RSB stuffing in vmexit Thread-Topic: [PATCH] KVM: x86: use X86_FEATURE_RSB_CTXSW for RSB stuffing in vmexit Thread-Index: AQHXQ1KpTcM7v9elUEKaZTZTLSZ4qarYRHKAgAAGz4A= Date: Fri, 7 May 2021 17:46:47 +0000 Message-ID: <1D930225-038A-41F7-B88F-137B798B9AEA@nutanix.com> References: <20210507150636.94389-1-jon@nutanix.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: Apple Mail (2.3654.60.0.2.21) authentication-results: chromium.org; dkim=none (message not signed) header.d=none;chromium.org; dmarc=none action=none header.from=nutanix.com; x-originating-ip: [2601:19b:c501:64d0:a9a2:6149:85cc:8a4] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 1d1a852d-d106-4b2c-8afa-08d91180164d x-ms-traffictypediagnostic: BL0PR02MB5377: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-proofpoint-crosstenant: true x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: /BOFs5/X5+xnXs4j2RO2+8frUiuahc9l6wRP8vsDYNFVpk2JQjZ/7b46lRStBRxk79h9SxVZrRseqWahtsqT++QVWuoACV9+wYBg5HExLaShxWVLp2Ggku69yKxDHNBh3exeTJHTgPE4tVxtvRUVxkChD7ueZmIE/MPkWH9miMuhesexBoy9J/womzPq5Nofzt+IyAqHxU+Vwa0olQuI/GSxI51tNBgHK07uLnpheBGzDM2zwa6Dr8lhsRxfYddqJJGjVOgi+c5Re4bhcxwKg1WMsg3OGpLREoa0mVht3d6Uzcb/6rQU+votayKS6ebuYWOmPC2zU70aLQj1bPnCVUm/IyitdbeDAz1vGIlRYld97fxrMhmQLw5+VxZ5NlKyVhY26qE4LDC/nRAo6ypnz55Fk5Jp9BelY1g73+A1rGu1AlZHgVlpIScXx5tc/73FOzRwDF3ThS+C633TMALjkfV2ZBzBCL4M7Qr4y+i8FBLHUZs9QmSRM1BFV9CDrV2kHwdgCo91fMUR2K8/O6PTwopepVgi2UGGjpr/IxVR7PIqfS1XEifiLjdXjjqcLg/XStvBUvuqI7f3bkRjF2yryCVH20nrMLN19vX+xEYSXZeeL1NsXN852TvA5ZUSP187qzt9i8bGVVaL8+/ljvwk5ztb2ZnJ6CW1BYMQpQb7wxy6Pu9wZDA5sdr+YOrovGTwVBxvLO90mTAnZIaR0TYwWyXPs6jG8vtoHT9VjwC0rKpN95nZink5JfI+Z6Xz0g0q x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BL0PR02MB4579.namprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(39860400002)(136003)(376002)(366004)(396003)(346002)(2906002)(5660300002)(122000001)(8676002)(7416002)(38100700002)(4326008)(6486002)(316002)(54906003)(186003)(66446008)(66946007)(66556008)(76116006)(966005)(6916009)(64756008)(91956017)(83380400001)(2616005)(478600001)(33656002)(6506007)(71200400001)(53546011)(6512007)(86362001)(36756003)(8936002)(66476007)(45980500001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?l1Dov3jkPe99+A7UZHlkIP1FuPbk2X0XdbNvgSHQVr9gbu9US5mgNKDpNSno?= =?us-ascii?Q?PCV0nUu1wbdF6B/4r/9Ll7jgwEmokdX6DTkUeucZYWl7/Bjo8vV49y0N0m8E?= =?us-ascii?Q?GksnvrSCG78C2VsMzP3otqCJmncNX0xCTOUQOR3v1Tvy0YLf+Kf6Sh4oN6fM?= =?us-ascii?Q?WURY8kzvlxGnd8R7I/o69TFaBmLzaWBLpE7qjcgIH2SKzOqQ+56AGOWULoHL?= =?us-ascii?Q?XnmemICib8dtwKCWOq8skzUCDrwHeNkDgdRvUEIYZmhyH2YOwryrcDK+bxvI?= =?us-ascii?Q?Z7K1r186IFQYcBrew5i/i29DpQO6lNp8ZdNPf21PXlyBan8uoBPxthC0CKj7?= =?us-ascii?Q?SNp2tuFUhAu3O6vv4mS4MNISTMKyLOdfixnIT5FLdkXkbqy1uYyylof15bK/?= =?us-ascii?Q?zY4VI2mbiSPfQ270hGhoFnk1IzFErMlS3GEImcS0XannzKeOgU/ftqukV/Hs?= =?us-ascii?Q?v9z0nmPq3l0OHNAsS8HQYWsIchP6hEFtaLjCFuQd9RX1we9VhGXnpca1pj2D?= =?us-ascii?Q?1o42iyhkpwtYQ3DhOShy1XvcnH6xeSdYsy4XfjN96q8HoePblJ/OEomLREFr?= =?us-ascii?Q?0YMIrRnCnw3NUAAWSyBOxJ2Z1dbMcZ0a6Pq49/mH0W5hsgP2/soqencyzHPn?= =?us-ascii?Q?XYVSPG2GjN1s94z2j03+3wjLs9UYtOOI3N0G9ttOqopPsnRcdbsVQ+Wazhaa?= =?us-ascii?Q?CWMn+1TjuCuT5jHn8i1u0piPC0RiZEecFvcyMuZNLudawkH0mfmkgU7AzEUC?= =?us-ascii?Q?pccfBwhV2LEtNvbI6y/zDCRyc2QVqjDovNld48BijNcpRV9OTXhhQzeLB250?= =?us-ascii?Q?6XNWZ9iuMopWvorKE5sPwzaRRMu1rOWHHXhbbRWK/qY5B4tbCu7avFvW/u97?= =?us-ascii?Q?QEBD2J8+V7foLxDBiaE0vVnFDLA43LANrLHeLSwiiJF0fiexEHv8Sbg3kY5M?= =?us-ascii?Q?zn9e1G4KRH+ydRUvJLdchJ51rVPTf0cuWusJg3mEwSQ0PHxPtYfJeVp5ifsW?= =?us-ascii?Q?QnzOMpAGyjbIPQrnUL0MpzfKq4O85u/mjw0HkWQBapaMc+8RD8e3rUrmiBeN?= =?us-ascii?Q?kWCMrCErd2xSnOPnzikjORyILpD8sqjPPyIv5UvDJAt5UsHzVMG36kYxLScn?= =?us-ascii?Q?Ae9OpKVXCmjBnePEU/ZuBhFVhF0s373PnKOmfOiTZQFg0fJq5PmZqowdngiv?= =?us-ascii?Q?EQWRLr+DR3/sWFCaF7gYD9sOPrinPt5ehBUct9VQptj28Yona6M8tQbGV9dy?= =?us-ascii?Q?UZvORnxaI3wrisBcfl95jqHlCm2GKDEoS6wFztpfa46eAQrBd67j0QMQQrjD?= =?us-ascii?Q?Ced9U6x57Qe0pdlbYllDTIADdoFisB/CFc/qCoh8kv1di1bWnRzU7xwBq1fN?= =?us-ascii?Q?BfOQ8rmj/KBqswm+F/UuNdMzNfkon+X75ZWcj9wtjGFpsbTmLQ=3D=3D?= Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BL0PR02MB4579.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 1d1a852d-d106-4b2c-8afa-08d91180164d X-MS-Exchange-CrossTenant-originalarrivaltime: 07 May 2021 17:46:47.6163 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: hZwvQS4bJb8BprJmvKdcvz7JdxsK07RtMSwn8qNv7a9LXe9EAw5YNKlUmUxEY4oeeGLZnuz0kttdMAazOH3yXovil/83Kniy1tR3dCOKC5c= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR02MB5377 X-Proofpoint-ORIG-GUID: 6CMmhJpo73V2_l-JUWn3tzVd8VwUP2k_ X-Proofpoint-GUID: 6CMmhJpo73V2_l-JUWn3tzVd8VwUP2k_ X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-05-07_06:2021-05-06,2021-05-07 signatures=0 X-Proofpoint-Spam-Reason: safe Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On May 7, 2021, at 1:22 PM, Venkatesh Srinivas = wrote: >=20 > On Fri, May 7, 2021 at 8:08 AM Jon Kohler wrote: >>=20 >> cpufeatures.h defines X86_FEATURE_RSB_CTXSW as "Fill RSB on context >> switches" which seems more accurate than using X86_FEATURE_RETPOLINE >> in the vmxexit path for RSB stuffing. >>=20 >> X86_FEATURE_RSB_CTXSW is used for FILL_RETURN_BUFFER in >> arch/x86/entry/entry_{32|64}.S. This change makes KVM vmx and svm >> follow that same pattern. This pairs up nicely with the language in >> bugs.c, where this cpu_cap is enabled, which indicates that RSB >> stuffing should be unconditional with spectrev2 enabled. >> /* >> * If spectre v2 protection has been enabled, unconditionally fil= l >> * RSB during a context switch; this protects against two indepen= dent >> * issues: >> * >> * - RSB underflow (and switch to BTB) on Skylake+ >> * - SpectreRSB variant of spectre v2 on X86_BUG_SPECTRE_V2 = CPUs >> */ >> setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW); >>=20 >> Furthermore, on X86_FEATURE_IBRS_ENHANCED CPUs && SPECTRE_V2_CMD_AUTO, >> we're bypassing setting X86_FEATURE_RETPOLINE, where as far as I could >> find, we should still be doing RSB stuffing no matter what when >> CONFIG_RETPOLINE is enabled and spectrev2 is set to auto. >=20 > If I'm reading https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__sof= tware.intel.com_security-2Dsoftware-2Dguidance_deep-2Ddives_deep-2Ddive-2Di= ndirect-2Dbranch-2Drestricted-2Dspeculation&d=3DDwIBaQ&c=3Ds883GpUCOChKOHio= cYtGcg&r=3DNGPRGGo37mQiSXgHKm5rCQ&m=3Ds8fqknrIuUa_jGbbihj0anypC4jz86QQ7UzzA= op3B7k&s=3DoIcZtb8S_gcK5L1yzfPvinSHxjCCsx1PNn-imPMffKU&e=3D=20 > correctly, I don't think an RSB fill sequence is required on VMExit on > processors w/ Enhanced IBRS. Specifically: > """ > On processors with enhanced IBRS, an RSB overwrite sequence may not > suffice to prevent the predicted target of a near return from using an > RSB entry created in a less privileged predictor mode. Software can > prevent this by enabling SMEP (for transitions from user mode to > supervisor mode) and by having IA32_SPEC_CTRL.IBRS set during VM exits > """ > On Enhanced IBRS processors, it looks like SPEC_CTRL.IBRS is set > across all #VMExits via x86_virt_spec_ctrl in kvm. >=20 > So is this patch needed? >=20 > Thanks, > -- vs; Venkatesh - Thanks for the reply. I read that the other way around, wherein RSB overwrite still isn't good enough on eIBRS, so one would need to do all three of the following to be in good shape:=20 a. RSB overwrite sequence b. enable SMEP c. toggle IA32_SPEC_CTRL.IBRS on vmexits=20 Said another way, the document reads like one would always need to do the RSB overwrite sequence no matter what. Happy to hear if that is not the case though, since RSB stuffing is a little expensive. Note: I also checked the Intel SDM to see if perhaps there was something there about this, but the document you linked is the only one I could find on the topic.