Re: [PATCH 0/2] KVM: x86: Propagate AMD-specific IBRS bits to guests

[Takahiro Itazuri]

Date:   Tue, 28 Feb 2023 21:45:56 +0100
From:   Borislav Petkov <bp@xxxxxxxxx>
> So you mean we should stick *all* CPUID leafs in there just because
> anything can run in guests?
> 
> What is the hypervisor then for?

I'm still a kernel newbie and I don't have a strong opinion for that.
I just thought it would be helpful if the KVM_GET_SUPPORTED_CPUID API
returns the same security information as the host, as long as it is
harmless. I'm inclined to withdraw this patch if it is not worth
enough.

> Really? Says who?
> 
> $ grep -r . /sys/devices/system/cpu/vulnerabilities/
> 
> gives you all you need to know.
> 
> And if something's missing, then I'm listening.

"De facto standard" was too much. I apologize for my incorrect
expression and poor English. What I wanted to say is that the script
was introduced as a useful tool by Intel and SLES and it provides some
additional information (IBRS always-on in this case).
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/spectre-and-meltdown-checker-script.html
https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-spectre.html

Best regards,
Takahiro Itazuri