On 26.01.2023 21:49, Andrew Cooper wrote:
> On 25/01/2023 3:26 pm, Jan Beulich wrote:
>> --- a/xen/arch/x86/domain.c
>> +++ b/xen/arch/x86/domain.c
>> @@ -2015,7 +2015,8 @@ void context_switch(struct vcpu *prev, s
>>
>> ctxt_switch_levelling(next);
>>
>> - if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
>> + if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
>> + !(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) )
>> {
>> static DEFINE_PER_CPU(unsigned int, last);
>> unsigned int *last_id = &this_cpu(last);
>>
>>
>
> The aforementioned naming change makes the (marginal) security hole here
> more obvious.
>
> When we use entry-IBPB to protect Xen, we only care about the branch
> types in the BTB. We don't flush the RSB when using the SMEP optimisation.
>
> Therefore, entry-IBPB is not something which lets us safely skip
> exit-new-pred-context.
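Review bot: the added `!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb)` clause skips the context-switch IBPB purely because an IBPB already ran on entry from prevd, but as the reply above notes, that entry-time IBPB only covers the BTB and the RSB is left untouched under the SMEP optimisation, so the two barriers are not equivalent and the skip leaves prevd's RSB state in place when nextd starts running. If the skip is kept, the condition needs to also require that the entry path overwrote the RSB (or otherwise exclude the SMEP-optimised case), and a comment above the `if` should spell out exactly which predictor state the entry-IBPB is being relied on to have cleared so the assumption is visible to the next person who touches `opt_ibpb_ctxt_switch`.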
Yet what's to be my takeaway? You may be suggesting to drop the patch, or you may be suggesting to tighten the condition. (My guess would be the former.)

Jan