On 11/04/2018 21:54, JT wrote:
(I've also posted this to the KVM mailing list)

Hey All

A hopefully simple question:

If a KVM Hypervisor is using a kernel that identifies itself as using
"Full generic retpoline", does this mean that the hypervisor and other
guests are safe from a malicious guest trying to exploit Spectre V2,
even if we haven't updated our CPU microcode to support IBPB or IBRS?

My confusion arises from the Intel Retpoline PDF which states:
"RET has this behavior on all processors which are based on the Intel®
microarchitecture codename Broadwell and earlier when updated with the
latest microcode."

https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf

I understand that RET has nothing to do with IBPB or IBRS, but how do
I know if my CPU has this RET behaviour that retpoline can make use
of?

Thanks

In general, the RetPoline workaround needs to be compiled into all
potentially Spectre V2 affected software, including Guest kernels.

This is because RetPoline is a code change that prevents some Spectre
attacks from actually causing the code to speculatively do the wrong
thing, even if the CPU is vulnerable.  So RetPoline only protects the
code that uses RetPoline wherever it would normally use an indirect
branch.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
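
Added example, not part of either message above: because retpoline only covers the code it was compiled into, the status string the question quotes ("Full generic retpoline") has to be checked on the hypervisor and inside each guest separately. The script below summarises that string from the kernel's sysfs reporting file; the function names are hypothetical, and the parsing assumes the status-line wording used by kernels of the thread's era (later kernels word it differently and fall into the `present` bucket).

```shell
#!/bin/sh
# Summarise the running kernel's own Spectre V2 status line.
# Run on the hypervisor AND inside every guest: each kernel reports
# only on itself, not on the other kernels sharing the CPU.

SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 "<status line>"
# Prints: retpoline=<full|minimal|present|none> ibpb=<yes|no>
#         ibrs_fw=<yes|no> module_warning=<yes|no>
classify_spectre_v2() {
    line=$1
    retpoline=none; ibpb=no; ibrs_fw=no; modwarn=no
    case $line in
        *"Full "*retpoline*)    retpoline=full ;;     # compiler + asm thunks
        *"Minimal "*retpoline*) retpoline=minimal ;;  # asm only, C code uncovered
        *[Rr]etpoline*)         retpoline=present ;;  # wording not recognised
    esac
    # Microcode-dependent features the kernel says it is using
    case $line in *IBPB*)    ibpb=yes ;; esac
    case $line in *IBRS_FW*) ibrs_fw=yes ;; esac
    # A module built without retpoline leaves indirect branches unprotected
    case $line in *"vulnerable module loaded"*) modwarn=yes ;; esac
    echo "retpoline=$retpoline ibpb=$ibpb ibrs_fw=$ibrs_fw module_warning=$modwarn"
}

# report_local: classify this kernel, or report that the file is missing
report_local() {
    if [ -r "$SYSFS" ]; then
        status=$(cat "$SYSFS")
        echo "$(uname -r): $status"
        classify_spectre_v2 "$status"
    else
        echo "$(uname -r): $SYSFS not readable (no status reported by this kernel)"
        return 2
    fi
}

report_local || :
```

A guest that reports `retpoline=none` or `module_warning=yes` is running kernel code with unprotected indirect branches regardless of what the host reports.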
