On 11/04/2018 21:54, JT wrote:
(I've also posted this to the KVM mailing list)
A hopefully simple question:
If a KVM Hypervisor is using a kernel that identifies itself as using
"Full generic retpoline", does this mean that the hypervisor and other
guests are safe from a malicious guest trying to exploit Spectre V2,
even if we haven't updated our CPU microcode to support IBPB or IBRS?
My confusion arrises from the Intel Retpoline PDF which states:
"RET has this behavior on all processors which are based on the Intel=C2=AE
microarchitecture codename Broadwell and earlier when updated with the
I understand that RET has nothing to do with IBPB or IBRS, but how do
I know if my CPU has this RET behaviour that retpoline can make use
In general, the RetPoline workaround needs to be compiled into all
potentially Spectre V2 affected software, including Guest kernels.
This is because RetPoline is a code change that prevents some Spectre
attacks from actually causing the code to speculatively do the wrong
thing, even if the CPU is vulnerable. So RetPoline only protects the
code that uses RetPoline wherever it would normally use an indirect
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded