Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1591146rwd; Wed, 31 May 2023 16:36:30 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5+JnaTKporwg/luHaEQqIEomh8rS6LV60w+DdszAvRa+5wj0aVR4JvNPVhbKFApjsS0vIF X-Received: by 2002:a17:902:e750:b0:1a6:8031:59e7 with SMTP id p16-20020a170902e75000b001a6803159e7mr6073868plf.46.1685576190493; Wed, 31 May 2023 16:36:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685576190; cv=none; d=google.com; s=arc-20160816; b=pPRc2vMd/BO+M35cv43PxkqS1/F86pl9rcxMVTAWYA3qTN5gLHgvil4ztLxJ/wTO2G g834twToG8tHbeDwd4zWVIjQ1NUns0LHnEVtH70lF+CWsYiAhFl94An7Bo6Sb7G+zUgr BkkyXinWZ4McJFq79/aM79BNp+alFQmDogbNUQFq/+XQQlymmab4AHN3SeJRb/rXV/I2 nvP7ngAqcZs2k5mk6GTVHxVpJu9S+zby2BSOOCjy+YXJBFPZsnWaXGnkjFP+bLqGpGxQ MzrayPWyklmA/Eh57TGgZbXmkv15v844TqqeILCfYsl+3sn/ab4o/5MJIcTXoUs+Mm5d uA9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=W254lQ1WdxH8+TpMj7Iw5Y7udXwEpZc9Nu1ZxKFItqk=; b=GM1LPsHEWVoCWZZQjN88jfmSoDoZtf9m7bJpLLEL+Tt++LlWw+8nmGE4NzMvydB3Tp f0MH7F0tgxVqCg++AM+QDeKKIXrNedHE53u4IX6twYK+wtNX9Yd/7V9o5/L3oSTjEvaf JpjZrMJ9xbpPUGJSBK3Qs5H53vVhNsCvb/9UZY2W5NKGOVURnNOXTvEoToLrNDqGWWKa jHN2fzYDViryDxvezF1M2PwLuQb2CemldbtgGmWtzwO5zpBIn0Xz2XmjqJKFm/rSbIQg qPFqptNEvXRuMVHU305v06hRMuklCAJVFt1v7ZUsIIKmnnzRmVEbFvD6YP9b4s3IKhN6 GuYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qlosJiHL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q4-20020a17090311c400b001a6527f6adbsi1875543plh.137.2023.05.31.16.35.57; Wed, 31 May 2023 16:36:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=qlosJiHL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230247AbjEaXS0 (ORCPT + 99 others); Wed, 31 May 2023 19:18:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229537AbjEaXSZ (ORCPT ); Wed, 31 May 2023 19:18:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A87C98; Wed, 31 May 2023 16:18:24 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D26AB63FF2; Wed, 31 May 2023 23:18:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 94305C433D2; Wed, 31 May 2023 23:18:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1685575103; bh=kTjW0S3jU9gKgIyH/dX5OVo1fp8tM6EMcyDIvWxjZU8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qlosJiHLhYVPXEBCaAIc1b6aPea1z+R0xWLMOD6/o4YNGFOlVn0xRxzFRWH9zS63e UmxkDAwS4+mJHe3vWGSHord887uaMQNfZ7oW/6+d1vacdBzg/ceX4OZFBRSFPgmXq1 mY73atm6g8pjHwJvYk4I/4h7q8IEvObCq4hDyWW+gztl32dYxcBSX/rQPQefzwtiqJ aTCGBho2jcmKBBsuy1opjFyZbzrmxEX2QUTT/765MRa7fHRHpYLTOPlFSj/YDpqbBn S4KMFqlry5I8aC5evOJa8GaRVnHY10hd6apuUIuR/3H3CnLj/hh3h3ZyCmnz5hOKS6 RZvC5fqU2Z1zw== Date: Wed, 31 May 2023 16:18:20 -0700 From: Josh Poimboeuf To: Jon Kohler Cc: Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , "Peter Zijlstra (Intel)" , Pawan Gupta , Daniel Sneddon , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Cooper Subject: Re: [PATCH] KVM: VMX: remove LFENCE in vmx_spec_ctrl_restore_host() Message-ID: <20230531231820.trrs2uugc24gegj4@treble> References: <20230531150112.76156-1-jon@nutanix.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20230531150112.76156-1-jon@nutanix.com> X-Spam-Status: No, score=-4.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 31, 2023 at 11:01:12AM -0400, Jon Kohler wrote: > Remove barrier_nospec(), which translates to LFENCE, in > vmx_spec_ctrl_restore_host() as RSB-barriers (as defined by [1]) > already exist prior to this point. > > This LFENCE was added on commit fc02735b14ff ("KVM: VMX: Prevent guest > RSB poisoning attacks with eIBRS") in the 5.19 timeframe; however, > commit 2b1299322016 ("x86/speculation: Add RSB VM Exit protections") in > 6.0 timeframe added a LFENCE for X86_FEATURE_RSB_VMEXIT_LITE was added > directly in vmx_vmexit, prior to CALL vmx_spec_ctrl_restore_host. > > For posterity, vmx_spec_ctrl_restore_host also will execute WRMSR to > IA32_SPEC_CTRL for X86_FEATURE_KERNEL_IBRS or when guest/host MSR value > does not match, which serves as an additional RSB-barrier. > > [1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html > > Fixes: fc02735b14ff ("KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS") > Fixes: 2b1299322016 ("x86/speculation: Add RSB VM Exit protections") Sorry, I knew I should have put a comment there. The goal of this barrier_nospec() is to prevent speculative execution from bypassing the SPEC_CTRL write (due to misprediction of the conditional branch, Spectre v1 style). Otherwise the next indirect branch or unbalanced RET could be an attack target. So any previous LFENCEs before that conditional branch won't help here. -- Josh