Re: [PATCH v2 5/8] x86/speculation: Add basic support for IBPB

[Borislav Petkov <bp@alien8.de>]

On Sun, Jan 21, 2018 at 07:29:43PM +0100, KarimAllah Ahmed wrote:
> Because static_cpu_has is an indirect branch which will cause speculation
> and
> we have to avoid that.

How so?

The JMP_NOSPEC macro protects against JMP <reg> jumps but the
static_cpu_has() macros all add JMPs with an immediate offset from the
next instruction and I wouldn't call them indirect JMPs as there are no
registers to speculate on there.

IOW, before alternatives, the patch site of static_cpu_has() looks like this:

# 151 "./arch/x86/include/asm/cpufeature.h" 1
        1: jmp 6f

and that 6f label is:

6:
 testb $1,boot_cpu_data+50(%rip)        #, MEM[(const char *)&boot_cpu_data + 50B]
 jnz .L707      #
 jmp .L706      #

i.e., we basically do if (boot_cpu_has(..)).

If the feature is not present, same patch site turns into:

4: jmp .L706    #
5:

after patching. Which is a label after the whole thing. That is not an
indrect jump through a register either.

If the feature is present, the patch site becomes:

	NOP	- added by the patching

# ./arch/x86/include/asm/msr.h:105:     asm volatile("1: wrmsr\n"
        .loc 18 105 0
        movl    $73, %ecx       #, tmp138
        movl    $1, %eax        #, tmp139
        xorl    %edx, %edx      # tmp140
#APP
# 105 "./arch/x86/include/asm/msr.h" 1
        1: wrmsr
2:

so execution runs directly into the MSR write and the JMP is gone.

So I don't see indirect branches anywhere...

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.