
Does mitigated RFDS still leak kernel address layout information?

Posted Mar 15, 2024 13:56 UTC (Fri) by hmh (subscriber, #3838)
Parent article: Today's hardware vulnerability: register file data sampling

Since you cannot erase the architectural registers (duh), RFDS will always "leak" the contents of the kernel's stack pointer and instruction pointer right before return-to-userspace, for example.

So, anything that comes after the augmented VERW instruction is potentially leaked to the next context that runs (can be userspace, or a VM, etc). I believe there is an exception for instructions that switch away from SGX and SMM, which were also modified to clear the register file (or so I believe from a cursory reading of the Intel documentation).

Is there any relevant security impact from this? It looks like it might let one derive the approximate location of the syscall return stack and routine... how much does this impact ASLR?

Obviously this can also be mitigated at "high cost" anywhere P-cores are available, by restricting all kernel code to run only on P-cores... at which point it might make more sense to just disable E-cores (and SMT, or it would be just security theater -- at least until we can ensure the kernel always context switches the entire core when entering or leaving kernel mode, or a VM).
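A defender-side check that follows from the comment above, added here as an example and not part of the original post or of the kernel's own tooling: read the kernel's reported RFDS mitigation state and the SMT control state and turn them into a short verdict, flagging the two caveats the comment raises (the mitigation still leaves architectural registers such as the stack and instruction pointer live after the VERW, and it offers little if an SMT sibling runs alongside the kernel). The sysfs paths and the status strings are those the Linux kernel documents for `reg_file_data_sampling` and `smt/control`; the sample inputs are constructed so the script runs offline.

```python
"""Assess the kernel's reported RFDS mitigation status together with SMT state.

Assumptions (not from the comment above): the two sysfs paths are the ones
the Linux kernel uses for its vulnerability and SMT reporting, and the status
strings below follow the kernel's admin-guide wording. The SAMPLES are
constructed inputs for offline use.
"""
from __future__ import annotations

from pathlib import Path

RFDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling")
SMT_SYSFS = Path("/sys/devices/system/cpu/smt/control")


def classify_rfds(status_line: str) -> str:
    """Map the kernel's status string to a coarse verdict.

    The kernel reports strings such as "Not affected", "Vulnerable",
    "Vulnerable: No microcode", "Mitigation: Clear Register File" or
    "Unknown: No mitigations".
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(rfds_status: str, smt_control: str) -> dict:
    """Combine the RFDS status and the SMT control value into one assessment.

    smt_control is the content of /sys/devices/system/cpu/smt/control:
    "on", "off", "forceoff", "notsupported" or "notimplemented".
    Only "on" means sibling threads are actually active.
    """
    verdict = classify_rfds(rfds_status)
    smt_active = smt_control.strip() == "on"
    notes: list[str] = []
    if verdict == "mitigated":
        # The VERW-based clearing covers the register file, not the
        # architectural registers (RSP/RIP) that are live at the point of
        # return to the next context; see the comment this example follows.
        notes.append("architectural registers remain live after VERW; "
                     "approximate kernel stack/return addresses may be observable")
        if smt_active:
            # A sibling hyperthread runs concurrently with kernel code, so the
            # clearing at kernel exit does not isolate it.
            notes.append("SMT active: sibling thread runs alongside kernel code; "
                         "mitigation has limited effect")
    elif verdict == "vulnerable":
        notes.append("no mitigation reported: check microcode and kernel version")
    return {"verdict": verdict, "smt_active": smt_active, "notes": notes}


def read_live() -> dict | None:
    """Read the real sysfs files if present (Linux only); None otherwise."""
    if not (RFDS_SYSFS.exists() and SMT_SYSFS.exists()):
        return None
    return assess(RFDS_SYSFS.read_text(), SMT_SYSFS.read_text())


# Constructed sample inputs: (rfds status line, smt control value).
SAMPLES = [
    ("Mitigation: Clear Register File", "on"),
    ("Mitigation: Clear Register File", "off"),
    ("Vulnerable: No microcode", "off"),
    ("Not affected", "notsupported"),
]


def run_samples() -> list[dict]:
    """Assess every constructed sample; used by the stand-alone run below."""
    return [assess(status, smt) for status, smt in SAMPLES]


if __name__ == "__main__":
    live = read_live()
    for (status, smt), result in zip(SAMPLES, run_samples()):
        print(f"{status!r:40} smt={smt:13} -> {result}")
    print("live system:", live if live is not None else "sysfs not available")
```

On a hybrid system the SMT flag is the one to watch: a reported "Mitigation: Clear Register File" with SMT on still leaves a sibling thread sharing the core with kernel code, which is the "security theater" case the comment describes.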
