Re: [PATCH v3] x86/speculation, KVM: only IBPB for switch_mm_always_ibpb on vCPU load

From: Borislav Petkov
Date: Fri Apr 29 2022 - 15:32:47 EST


On Fri, Apr 29, 2022 at 05:31:16PM +0000, Jon Kohler wrote:
> Selftests IIUC, but there may be other VMMs that do funny stuff. Said
> another way, I don’t think we actively restrict user space from doing
> this as far as I know.

"selftests", "there may be"?!

This doesn't sound like a real-life use case to me and we don't do
changes just because. Sorry.

> The paranoid aspect here is KVM is issuing an *additional* IBPB on
> top of what already happens in switch_mm().

Yeah, I know how that works.

> IMHO KVM side IBPB for most use cases isn’t really necessary but
> the general concept is that you want to protect vCPU from guest A
> from guest B, so you issue a prediction barrier on vCPU switch.
>
> *however* that protection already happens in switch_mm(), because
> guest A and B are likely to use different mm_struct, so the only point
> of having this support in KVM seems to be to “kill it with fire” for
> paranoid users who might be doing some tomfoolery that would
> somehow bypass switch_mm() protection (such as somehow
> sharing a struct).

Yeah, no, this all sounds like something highly hypothetical or there's
a use case which you don't want to talk about publicly.

Either way, from what I'm reading I'm not in the least convinced that
this is needed.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette