Intel Preparing Virtual IA32_SPEC_CTRL Support For The Linux Kernel
The virtual IA32_SPEC_CTRL feature allows the VMM to fix some bits of the IA32_SPEC_CTRL MSR even when the model specific register is pass throughed to a guest. This new feature appears to primarily benefit handling of VMs when migrating between hosts with CPUs of different micro-architectures where the required security mitigations may be different.
The Intel patch series explains:
### Use cases of virtual IA32_SPEC_CTRL
Software mitigations like Retpoline and software BHB-clearing sequence depend on CPU microarchitectures. And guest cannot know exactly the underlying microarchitecture. When a guest is migrated between processors of different microarchitectures, software mitigations which work perfectly on previous microachitecture may be not effective on the new one. To fix the problem, some hardware mitigations should be used in conjunction with software mitigations. Using virtual IA32_SPEC_CTRL, VMM can enforce hardware mitigations transparently to guests and avoid those hardware mitigations being accidentally disabled when guest changes IA32_SPEC_CTRL MSR.
### Intention of this series
This series adds the capability of enforcing hardware mitigations for guests transparently and efficiently (i.e., without intercepting IA32_SPEC_CTRL MSR accesses) to kvm. The capability can be used to solve the VM migration issue in a pool consisting of processors of different microarchitectures.
More details via this patch series that is getting the virtual IA32_SPEC_CTRL support wired up into the Linux kernel and specifically the KVM code.