by cesarb 3087 days ago
Interesting:

> Note: IBRS is not required in order to isolate branch predictions for SMM or SGX enclaves

Perhaps this microcode update exposes a feature which was originally to protect these two modes? But that would mean that Intel did think about leaks through the branch predictor, only didn't make the logical leap that this could be an issue also for normal ring0/ring3...

1 comments

Huh, so did Intel know about this vulnerability when they designed SGX?
Maybe, maybe not. I looked around a bit and found [1] "that the Intel SGX does not clear branch history when switching from enclave mode to non-enclave mode", which suggests either that the SGX designers were unaware of the dangers of not separating branch prediction between privilege levels, or that Intel intentionally weakened SGX so as to not reveal the similar flaw in their ring0/ring3 separation.

1: https://arxiv.org/abs/1611.06952 (Nov '16)