Security: Do I need to pass "spec_ctrl=on" to the XEN cmdline?

The CPU is a Ryzen 9 9950X.

In xl dmesg (with spec_ctrl=on):

(XEN) Speculative mitigation facilities:
(XEN)   Hardware hints: STIBP_ALWAYS IBRS_FAST IBRS_SAME_MODE BTC_NO IBPB_RET IBPB_BRTYPE SRSO_US_NO
(XEN)   Hardware features: IBPB IBRS STIBP SSBD PSFD L1D_FLUSH SBPB
(XEN)   Compiled-in support: INDIRECT_THUNK RETURN_THUNK HARDEN_ARRAY HARDEN_BRANCH HARDEN_GUEST_ACCESS HARDEN_LOCK
(XEN)   Xen settings: BTI-Thunk: JMP, SPEC_CTRL: IBRS+ STIBP+ SSBD- PSFD-, Other: IBPB-ctxt BRANCH_HARDEN
(XEN)   Support for HVM VMs: MSR_SPEC_CTRL MSR_VIRT_SPEC_CTRL RSB IBPB-entry
(XEN)   Support for PV VMs: None
(XEN)   XPTI (64-bit PV only): Dom0 disabled, DomU disabled (without PCID)
(XEN)   PV L1TF shadowing: Dom0 disabled, DomU disabled

The default on Qubes 4.2.4 was “=unpriv-mmio”.

Could you paste the dom0 output of:

grep . /sys/devices/system/cpu/vulnerabilities/*

Certainly
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable

[user@dom0 Desktop]$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/ghostwrite:Not affected
/sys/devices/system/cpu/vulnerabilities/indirect_target_selection:Not affected
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Not affected
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Mitigation: Safe RET
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/tsa:Not affected
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
[user@dom0 Desktop]$ grep XEN /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 spec_ctrl=on"

Interesting:

/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable

Isn't there a mitigation for your CPU? Or has that been reported (if not)?
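
An added example, not part of any post in this thread: a shell helper that pulls the three facts under discussion (the `spec_ctrl=` value on the Xen command line, the SPEC_CTRL bits Xen prints with a trailing `-`, and the entries dom0 Linux reports as `Vulnerable`) out of the pasted outputs. The function names are hypothetical, the sample input is copied from the posts above, and reading the trailing `+`/`-` as Xen's on/off marker for each bit is an assumption about the output format.

```shell
#!/bin/sh
# Sample input: lines copied from the outputs quoted in this thread.
XEN_SAMPLE='(XEN)   Xen settings: BTI-Thunk: JMP, SPEC_CTRL: IBRS+ STIBP+ SSBD- PSFD-, Other: IBPB-ctxt BRANCH_HARDEN'
SYSFS_SAMPLE='/sys/devices/system/cpu/vulnerabilities/retbleed:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Mitigation: Safe RET
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected'
GRUB_SAMPLE='GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 spec_ctrl=on"'

# stdin: `xl dmesg` text. Prints the SPEC_CTRL tokens that carry a trailing "-"
# (assumed here to mean Xen is not setting that bit for itself).
xen_spec_ctrl_off() {
    sed -n 's/.*Xen settings:.*SPEC_CTRL: \([^,]*\).*/\1/p' |
        tr ' ' '\n' | sed -n 's/^\([A-Z_]*\)-$/\1/p' | paste -sd' ' -
}

# stdin: output of `grep . /sys/devices/system/cpu/vulnerabilities/*`.
# Prints the name of every entry whose status begins with "Vulnerable".
linux_vulnerable() {
    awk -F: '{
        n = split($1, parts, "/")
        state = substr($0, length($1) + 2)   # everything after the first ":"
        if (state ~ /^Vulnerable/) print parts[n]
    }' | paste -sd' ' -
}

# stdin: output of `grep XEN /etc/default/grub`; $1: option name.
# Prints every value given for that option on the Xen command line.
xen_cmdline_opt() {
    sed -n 's/^GRUB_CMDLINE_XEN_DEFAULT="\(.*\)"$/\1/p' |
        tr ' ' '\n' | sed -n "s/^$1=//p" | paste -sd' ' -
}

# $1: xl dmesg text, $2: sysfs grep output, $3: grub line.
report() {
    echo "Xen cmdline spec_ctrl:    $(printf '%s\n' "$3" | xen_cmdline_opt spec_ctrl)"
    echo "Xen SPEC_CTRL bits off:   $(printf '%s\n' "$1" | xen_spec_ctrl_off)"
    echo "Linux reports Vulnerable: $(printf '%s\n' "$2" | linux_vulnerable)"
}

# Run on the samples. In dom0, the live equivalent would be:
#   report "$(xl dmesg)" "$(grep . /sys/devices/system/cpu/vulnerabilities/*)" \
#          "$(grep XEN /etc/default/grub)"
report "$XEN_SAMPLE" "$SYSFS_SAMPLE" "$GRUB_SAMPLE"
```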