Assumption is too quick here. Virtualizers are very different. KVM is inside the Linux kernel and Qubes (Xen) is a microkernel. A good pointer for research very much so indeed.
Quote https://download.virtualbox.org/virtualbox/5.2.18/UserManual.pdf / Chapter 8. VBoxManage
--ibpb-on-vm-[enter|exit] on|off
: Enables flushing of the indirect branch prediction buffers on every VM enter or exit respectively. This could be enabled by users overly worried about possible spectre attacks by the VM. Please note that these options may have severe impact on performance.
Have to research a lot more but this sounds very bad at first. “Enables” implies “not enabled by default” and “could be enabled by users overly worried about possible spectre attacks” indicates Oracle VirtualBox taking the same position as Intel with “Indirect Branch Predictor Barrier (IBPB) is a security feature”.
https://download.virtualbox.org/virtualbox/5.2.6/UserManual.pdf does not contain any mention of Spectre.
Related:
http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html
Quote Chapter 8. VBoxManage
--ibpb-on-vm-[enter|exit] on|off
: Enables flushing of the indirect branch prediction buffers on every VM enter or exit respectively. This could be enabled by users overly worried about possible spectre attacks by the VM. Please note that these options may have severe impact on performance.
--ibpb-on-vm-enter on
--ibpb-on-vm-exit on
--spec-ctrl on|off
: This setting enables/disables exposing speculation control interfaces to the guest, provided they are available on the host. Depending on the host CPU and workload, enabling speculation control may significantly reduce performance.
--l1d-flush-on-sched on|off
: Enables flushing of the level 1 data cache on scheduling EMT for guest execution. See Section 13.4.1, “CVE-2018-3646”.
Qubes R4 Debian VM:
sudo journalctl | grep -i spectre
Aug 27 14:04:24 localhost kernel: Spectre V2 : Mitigation: Full generic retpoline
Aug 27 14:04:24 localhost kernel: Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
Aug 27 14:04:24 localhost kernel: Spectre V2 : Enabling Restricted Speculation for firmware calls
Same for Qubes Whonix 14. Same for Qubes fedora-26. Same for Qubes dom0.
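The manual comparison above (grepping the journal in each VM and checking that the same Spectre v2 lines appear) can be scripted. This is an added example, not part of the original posts: the function names and the second sample are constructed, and matching relies on the exact kernel message wording shown in the Qubes output above, which differs between kernel versions.

```shell
#!/bin/sh
# Summarise Spectre v2 mitigation messages from kernel log text on stdin.
# Prints: retpoline=<yes|no> ibpb=<yes|no> fw_restricted=<yes|no>
spectre_v2_summary() {
    log=$(cat)
    retpoline=no; ibpb=no; fw=no
    case $log in
        *"Spectre V2 : Mitigation: Full generic retpoline"*) retpoline=yes ;;
    esac
    case $log in
        *"Enabling Indirect Branch Prediction Barrier"*) ibpb=yes ;;
    esac
    case $log in
        *"Enabling Restricted Speculation for firmware calls"*) fw=yes ;;
    esac
    printf 'retpoline=%s ibpb=%s fw_restricted=%s\n' "$retpoline" "$ibpb" "$fw"
}

# Print "<name>: <summary>" and return 0 only when both the retpoline
# and the IBPB lines were found in the log read from stdin.
check_vm() {
    summary=$(spectre_v2_summary)
    printf '%s: %s\n' "$1" "$summary"
    case $summary in
        "retpoline=yes ibpb=yes "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample 1: the three lines quoted in the post (Qubes R4 Debian VM).
SAMPLE_QUBES='Aug 27 14:04:24 localhost kernel: Spectre V2 : Mitigation: Full generic retpoline
Aug 27 14:04:24 localhost kernel: Spectre V2 : Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier
Aug 27 14:04:24 localhost kernel: Spectre V2 : Enabling Restricted Speculation for firmware calls'

# Sample 2: constructed for this example, a guest whose log lacks the IBPB line.
SAMPLE_NO_IBPB='Aug 27 14:04:24 localhost kernel: Spectre V2 : Mitigation: Full generic retpoline'

printf '%s\n' "$SAMPLE_QUBES" | check_vm qubes-debian
printf '%s\n' "$SAMPLE_NO_IBPB" | check_vm constructed-guest || echo "  -> IBPB line missing"
```

Inside a real VM the input would come from the kernel journal, for example `sudo journalctl -k | check_vm "$(hostname)"`.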