Re: [patch RFC 5/5] x86/speculation: Add basic speculation control code

[Andrea Arcangeli]

On Wed, Jan 10, 2018 at 02:02:02PM +0100, Andrea Arcangeli wrote:
> On Wed, Jan 10, 2018 at 12:51:13PM +0000, David Woodhouse wrote:
> > If it worked as Andrea suggests, then there would be absolutely no
> > point in the patches we've seen which add the IBRS-frobbing on syscall
> > entry and vmexit.
> 
> This is perhaps what you're missing I think, there is a huge point:
> performance.

And note, if you run getppid in a loop you're perfectly right
ibrs_enabled 2 will perform better than ibrs_enabled 1, but we run
multiple set of macro benchmarks and ibrs_enabled 1 ibpb_enabled 1
always wins. So ibrs_enabled 2 ibpb_enabled 1 is left as an optional
"paranoid" security mode, more secure but even slower.

We draw a line for the default to stop the PoC which we know can be
mounted (at least in theory :) and is practical attack.

Also note, the slowdown of setting IBRS varies with older CPUs being
more affected, but for all current silicon ibrs_enabled 1 ibpb_enabled
1 is faster in 99% of real life workloads.

The future silicon will set the CPUID that will tell us set
"ibrs_enabled 2" by default, but you can do it right and it's even
more secure as it completely solves any HT effect in userland and it
prevents the KVM guest kernel to be attacked by guest userland through
a spectre variant#2 attack from guest userland to qemu host userland.

Hope this helps,
Andrea