x86/vmscape: Add conditional IBPB mitigation
JIRA: https://issues.redhat.com/browse/RHEL-114277
CVE: CVE-2025-40300
MR: !1499 (merged)
VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.
Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.
More information about this new CPU vulnerability can be found in the "VMSCAPE: Exposing and Exploiting Incomplete Branch Predictor Isolation in Cloud Environments" paper [1].
[1] https://comsec-files.ethz.ch/papers/vmscape_sp26.pdf
Signed-off-by: Waiman Long <longman@redhat.com>
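As an added illustration, not part of this commit or of the kernel sources, the following user-space C model shows the control flow the message describes: the VMexit path only records that a guest ran on this CPU, and the return-to-userspace path issues at most one IBPB and then clears that record. The struct, function and field names and the counter-based stand-in for the MSR write are hypothetical; only MSR_IA32_PRED_CMD (0x49) and the PRED_CMD_IBPB command bit are real architectural constants.

```c
/* Added example: user-space model of a conditional IBPB issued after a
 * VMexit and before returning to userspace.  Not kernel code; all names
 * except the two MSR constants are chosen for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural constants: writing PRED_CMD_IBPB to this MSR triggers an
 * Indirect Branch Prediction Barrier on the executing CPU. */
#define MSR_IA32_PRED_CMD 0x00000049u
#define PRED_CMD_IBPB     (1u << 0)

/* Hypothetical per-CPU state of the mitigation. */
struct cpu_model {
	bool ibpb_exit_to_user;  /* mitigation selected on this system (boot-time) */
	bool pending_ibpb;       /* a guest ran since the last return to userspace */
	unsigned long vmexits;   /* VMexits observed (for reporting) */
	unsigned long ibpbs;     /* barriers actually issued */
};

/* Stand-in for wrmsrl(): record the write instead of touching hardware. */
static void model_wrmsr(struct cpu_model *c, uint32_t msr, uint64_t val)
{
	if (msr == MSR_IA32_PRED_CMD && (val & PRED_CMD_IBPB))
		c->ibpbs++;
}

static void model_ibpb(struct cpu_model *c)
{
	model_wrmsr(c, MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
}

/* VMexit path: no flush here, only remember that a guest ran on this CPU.
 * Exits that are handled in the kernel and re-enter the guest never pay. */
static void model_vmexit(struct cpu_model *c)
{
	c->vmexits++;
	if (c->ibpb_exit_to_user)
		c->pending_ibpb = true;
}

/* Return-to-userspace path: flush once if a guest ran, then clear the flag
 * so a later return without an intervening VMexit costs nothing. */
static void model_exit_to_user(struct cpu_model *c)
{
	if (c->ibpb_exit_to_user && c->pending_ibpb) {
		model_ibpb(c);
		c->pending_ibpb = false;
	}
}

/* Scenario driver: `rounds` times, take `exits_per_round` VMexits that are
 * handled in the kernel, then return to the userspace VMM once.
 * Returns the number of IBPBs issued. */
static unsigned long model_run(bool enabled, unsigned rounds,
			       unsigned exits_per_round)
{
	struct cpu_model c = { .ibpb_exit_to_user = enabled };

	for (unsigned r = 0; r < rounds; r++) {
		for (unsigned e = 0; e < exits_per_round; e++)
			model_vmexit(&c);
		model_exit_to_user(&c);
	}
	return c.ibpbs;
}

int main(void)
{
	printf("mitigation off, 1000 rounds x 1 exit : %lu IBPB\n",
	       model_run(false, 1000, 1));
	printf("mitigation on,  1 round x 1000 exits : %lu IBPB\n",
	       model_run(true, 1, 1000));
	printf("mitigation on,  1000 rounds x 1 exit : %lu IBPB\n",
	       model_run(true, 1000, 1));
	printf("mitigation on,  100 rounds x 0 exits : %lu IBPB\n",
	       model_run(true, 100, 0));
	return 0;
}
```

The four scenarios make the cost statement concrete: a guest that takes many VMexits all serviced in the kernel pays a single IBPB on the eventual return to userspace, while a workload that bounces between guest and userspace VMM on every exit pays one IBPB per return, and returns with no guest run in between pay nothing.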