
AFAIK, all mitigable meltdown / spectre variants have software mitigation except for variant 3a and 4. Why is this the case?

For variant 4, a straightforward software mitigation is to place lfence before all memory load operations. However, according to section 4.1 of Spectre is here to stay, this will seriously slow things down. I guess this is why it is not implemented in practice.

However, for variant 3a, according to the Mitigation section of the Intel security advisory, the microcode update ensures that rdmsr doesn't speculatively return when we aren't in ring 0 or when rdmsr is configured to cause a VM exit. We can have the following software mitigation:

if in ring 0 and VM exit bit not set:
    lfence
    rdmsr
else:
    do nothing

Does this work? If it does, why isn't it used in practice?

Alex Vong

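Since variant 4 is in practice handled by the SSBD (Speculative Store Bypass Disable) microcode control driven by the OS rather than by an lfence before every load, a defender's first question is whether that control is actually active. The following is an added example (not part of the question above) that reads the Linux sysfs vulnerability report and the CPU flag list; the paths /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and /proc/cpuinfo are real kernel interfaces, while the sample strings embedded below are constructed for offline use.

```python
"""Report Spectre variant 4 (Speculative Store Bypass) mitigation status on Linux.

Added example, not code from the original question. Assumes the Linux
interfaces /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and
/proc/cpuinfo; the SAMPLE_* strings are constructed, not captured.
"""
from pathlib import Path

SSB_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO_PATH = Path("/proc/cpuinfo")

# Constructed sample inputs in the same shape the kernel emits.
SAMPLE_SSB = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse2 ibrs ibpb stibp ssbd\n"
)


def classify_ssb(status_line: str) -> str:
    """Map the kernel's spec_store_bypass line to a coarse verdict."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def has_ssbd_flag(cpuinfo_text: str) -> bool:
    """True if the CPU/microcode advertises the SSBD control to the OS."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "ssbd" in line.split(":", 1)[1].split()
    return False


def variant4_report(status_line: str, cpuinfo_text: str) -> dict:
    """Combine both sources: microcode support (flag) and kernel policy (sysfs)."""
    verdict = classify_ssb(status_line)
    return {"ssbd_supported": has_ssbd_flag(cpuinfo_text),
            "kernel_status": verdict,
            "needs_attention": verdict in ("vulnerable", "unknown")}


if __name__ == "__main__":
    # Read the live system when the interfaces exist; fall back to the samples.
    ssb = SSB_PATH.read_text() if SSB_PATH.exists() else SAMPLE_SSB
    cpu = CPUINFO_PATH.read_text() if CPUINFO_PATH.exists() else SAMPLE_CPUINFO
    print(variant4_report(ssb, cpu))
```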