x86/srso: Add IBPB on VMEXIT

Add the option to flush IBPB only on VMEXIT in order to protect from malicious guests but one otherwise trusts the software that runs on the hypervisor. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
author: Borislav Petkov (AMD) <bp@alien8.de> 2023-07-07 13:53:41 +0200
committer: Borislav Petkov (AMD) <bp@alien8.de> 2023-07-27 11:07:19 +0200
commit: d893832d0e1ef41c72cdae444268c1d64a2be8ad (patch)
tree: 83f7e30871207c98c916ca6d76f946c79b6108b9 /arch/x86/kvm/svm/svm.c
parent: 233d6f68b98d480a7c42ebe78c38f79d44741ca9 (diff)
download: linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.tar.gz
linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.tar.bz2
linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index d381ad424554..0a51fd56f960 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1498,7 +1498,9 @@ static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 
 	if (sd->current_vmcb != svm->vmcb) {
 		sd->current_vmcb = svm->vmcb;
-		indirect_branch_prediction_barrier();
+
+		if (!cpu_feature_enabled(X86_FEATURE_IBPB_ON_VMEXIT))
+			indirect_branch_prediction_barrier();
 	}
 	if (kvm_vcpu_apicv_active(vcpu))
 		avic_vcpu_load(vcpu, cpu);
author	Borislav Petkov (AMD) <bp@alien8.de>	2023-07-07 13:53:41 +0200
committer	Borislav Petkov (AMD) <bp@alien8.de>	2023-07-27 11:07:19 +0200
commit	d893832d0e1ef41c72cdae444268c1d64a2be8ad (patch)
tree	83f7e30871207c98c916ca6d76f946c79b6108b9 /arch/x86/kvm/svm/svm.c
parent	233d6f68b98d480a7c42ebe78c38f79d44741ca9 (diff)
download	linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.tar.gz linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.tar.bz2 linux-d893832d0e1ef41c72cdae444268c1d64a2be8ad.zip