Earlier this month the VMSCAPE CPU security vulnerability was made public and affecting both AMD and Intel processors. VMSCAPE can lead to leaking information from a user-space hypervisor via speculative side channels. An Intel engineer today posted a new set of patches for helping to reduce the mitigation costs of VMSCAPE protections on modern Intel processors.
Intel Linux engineer Pawan Gupta posted the set of two patches today for improving the performance on recent Core/Xeon processors following the recent VMSCAPE vulnerability mitigation.
Pawan Gupta explained with the patch series:
“These patches aim to improve the performance of a recent mitigation for VMSCAPE vulnerability. This improvement is relevant for BHI variant of VMSCAPE that affect Alder Lake and newer processors.
The current mitigation approach uses IBPB on kvm-exit-to-userspace for all affected range of CPUs. This is an overkill for CPUs that are only affected by the BHI variant. On such CPUs clearing the branch history is sufficient for VMSCAPE, and also more apt as the underlying issue is due to poisoned branch history.
Roadmap:
– First patch introduces clear_bhb_long_loop() for processors with larger branch history tables.
– Second patch replaces IBPB on exit-to-userspace with branch history clearing sequence.”
Benchmarks provided are showing the VMSCAPE mitigation using BHB-Clear being less costly than the IBPB approach:
Clearly better numbers than the original VMSCAPE mitigation with the new BHB Clear code but still not without some costs for iPerf and other workloads. This code is now under review for the Linux kernel.
