On 13/11/2018 01:35, speck for Andi Kleen wrote:
> On Tue, Nov 13, 2018 at 12:07:47AM +0000, speck for Andrew Cooper wrote:
>> On 12/11/2018 03:41, speck for Andi Kleen wrote:
>>> @@ -329,6 +331,12 @@ For 32-bit we have the following conventions - kernel is built with >>> >>> #endif >>> >>> +.macro EXIT_MDS >>> + /* Clear CPU buffers that could leak. Instruction must be in memory form. */ >>> + ALTERNATIVE "", __stringify(pushq $__USER_DS ; verw (%rsp) ; addq $8, %rsp),\ >>> + X86_FEATURE_MB_CLEAR
>> The code sample from the slides is push $0. Here, you are forcing an
>> implicit access into the GDT by using a non-NUL selector, which is a
>> compound performance hit.
> Actually it should be the same as 0. I think the slides just use $0 because
> they don't know which OS the sequence would be used on.

__USER_DS is GDT slot 15 in 32bit, and slot 5 in 64bit. Either way, above
and beyond the microarchitectural flush, you're causing an implicit memory
read into the GDT for VERW to fulfil its architectural behaviour. I was
under the impression that the recommendation to use a NUL selector was
specifically to avoid this second read.

~Andrew
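
Review bot: In the EXIT_MDS macro, the comment says only that the instruction must be in memory form; it does not say that the sequence needs a usable stack (pushq writes 8 bytes that addq $8, %rsp then discards) or that it clobbers flags (verw writes ZF, addq writes the arithmetic flags). Given the macro's name, it will sit on exit paths, so state both constraints in the comment so that callers place it where %rsp is valid and no flags are live. The comment should also say why the pushed operand is $__USER_DS, since verw (%rsp) interprets that word as a segment selector and the choice of value is not explained anywhere in the hunk.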