Heading toward the Linux 7.0 kernel, and marked for back-porting to current stable kernel series, is a patch that makes use of a SEV-SNP security feature found on AMD Zen 5 processors to harden guest virtual machines.
The patch on its way to the mainline Linux kernel allows the IBPB-on-Entry feature for AMD SEV-SNP guest VMs. IBPB-on-Entry is supported by AMD EPYC Zen 5 processors. Only a few lines of code are needed to enable this feature for Linux SEV-SNP guests; not making use of this hardware capability until now appears to have been an oversight.
IBPB-on-Entry provides greater security by forcing an Indirect Branch Predictor Barrier (IBPB) whenever the guest virtual machine is entered, so that branch predictor state left behind by other code cannot be used to steer the guest's speculative execution.
The enablement patch explains:
“The SEV-SNP IBPB-on-Entry feature does not require a guest-side implementation. It was added in Zen5 h/w, after the first SNP Zen implementation, and thus was not accounted for when the initial set of SNP features were added to the kernel.
In its abundant precaution, commit 8c29f0165405 (“x86/sev: Add SEV-SNP guest feature negotiation support”) included SEV_STATUS’ IBPB-on-Entry bit as a reserved bit, thereby masking guests from using the feature.
Allow guests to IBPB-on-Entry when supported by the hypervisor, as the bit is now architecturally defined and safe to expose.”
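To illustrate the negotiation the commit message describes, here is an added example in C that is not code from the patch or the kernel. It models a guest kernel comparing the feature bits the hypervisor has enabled in SEV_STATUS against the set of features the guest implementation supports: any enabled bit the guest does not support (including every bit it treats as reserved) is reported back, and a real guest would refuse to continue booting in that case. The bit positions for SEV, SEV-ES and SNP enablement (0, 1 and 2) are the architectural ones; the position used for IBPB-on-Entry below is a hypothetical placeholder chosen only for the example, as are the two policy tables.

```c
#include <stdint.h>
#include <stdio.h>

/* Enablement bits of the SEV_STATUS MSR (architectural positions). */
#define SEV_ENABLED        (1ULL << 0)
#define SEV_ES_ENABLED     (1ULL << 1)
#define SNP_ENABLED        (1ULL << 2)

/* HYPOTHETICAL position for the IBPB-on-Entry feature bit; the real
 * position is not taken from the article and is a placeholder here. */
#define SNP_IBPB_ON_ENTRY  (1ULL << 40)

/* Bits that only signal enablement and are not negotiated as features. */
#define SEV_STATUS_ENABLE_BITS (SEV_ENABLED | SEV_ES_ENABLED | SNP_ENABLED)

/* A guest's view of which SNP feature bits it knows how to run with.
 * Anything outside 'supported' is treated as unknown/reserved. */
typedef struct {
    uint64_t supported;
} snp_feature_policy;

/* Policy before the fix: IBPB-on-Entry is not in the supported set, so a
 * hypervisor that enables it trips the negotiation check (constructed). */
const snp_feature_policy policy_before = { .supported = 0 };

/* Policy after the fix: the bit is architecturally defined and accepted. */
const snp_feature_policy policy_after  = { .supported = SNP_IBPB_ON_ENTRY };

/* Return the hypervisor-enabled SNP feature bits the guest does not support.
 * A nonzero result means the guest must not proceed with these settings.
 * If SNP itself is not enabled, there are no SNP features to negotiate. */
uint64_t snp_unsupported_features(uint64_t sev_status,
                                  const snp_feature_policy *policy)
{
    if (!(sev_status & SNP_ENABLED))
        return 0;
    uint64_t enabled = sev_status & ~SEV_STATUS_ENABLE_BITS;
    return enabled & ~policy->supported;
}

/* True when the guest both accepts the configuration and IBPB-on-Entry is
 * switched on, i.e. the feature is actually in effect for this guest. */
int ibpb_on_entry_active(uint64_t sev_status, const snp_feature_policy *policy)
{
    return snp_unsupported_features(sev_status, policy) == 0 &&
           (sev_status & SNP_ENABLED) &&
           (sev_status & SNP_IBPB_ON_ENTRY);
}

int main(void)
{
    /* Constructed SEV_STATUS value: SNP guest with IBPB-on-Entry enabled. */
    uint64_t status = SEV_STATUS_ENABLE_BITS | SNP_IBPB_ON_ENTRY;

    printf("before fix: unsupported=0x%llx active=%d\n",
           (unsigned long long)snp_unsupported_features(status, &policy_before),
           ibpb_on_entry_active(status, &policy_before));
    printf("after fix:  unsupported=0x%llx active=%d\n",
           (unsigned long long)snp_unsupported_features(status, &policy_after),
           ibpb_on_entry_active(status, &policy_after));
    return 0;
}
```

The point of the model is that a conservative reserved mask fails closed: with the old policy the hypervisor cannot turn the feature on without the guest rejecting its configuration, and the only way to benefit from the hardware is to move the bit into the supported set once it is architecturally defined, which is exactly what the patch does.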
The patch is in the tip/tip.git “x86/urgent” branch. Since it sits in a TIP “urgent” branch, it is likely to be submitted during the current Linux 7.0 kernel cycle rather than waiting for the Linux 7.1 merge window. The patch is also marked for back-porting to the stable kernel series. As it is a change of only a few lines that enables an important security feature for SEV-SNP VMs, it is a safe candidate for back-porting, even if it is unfortunate that enabling this Zen 5 hardware security feature has taken until now.
