CVE-2021-28689

x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
32-bit x86 PV guest kernels run in ring 1. At the time when Xen was
developed, this area of the i386 architecture was rarely used, which is why
Xen was able to use it to implement paravirtualisation, Xen’s novel
approach to virtualization. In AMD64, Xen had to use a different
implementation approach, so Xen does not use ring 1 to support 64-bit
guests. With the focus now being on 64-bit systems, and the availability of
explicit hardware support for virtualization, fixing speculation issues in
ring 1 is not a priority for processor companies. Indirect Branch
Restricted Speculation (IBRS) is an architectural x86 extension put
together to combat speculative execution sidechannel attacks, including
Spectre v2. It was retrofitted in microcode to existing CPUs. For more
details on Spectre v2, see: http://xenbits.xen.org/xsa/advisory-254.html
However, IBRS does not architecturally protect ring 0 from predictions
learnt in ring 1. For more details, see:
https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation
Similar situations may exist with other mitigations for other kinds of
speculative execution attacks. The situation is quite likely to be similar
for speculative execution attacks which have yet to be discovered,
disclosed, or mitigated.

Notes