[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ZirA1v5VL7Tdk0ej@char.us.oracle.com>
Date: Thu, 25 Apr 2024 16:45:10 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
To: Alexandre Chartre <alexandre.chartre@...cle.com>, dave.hansen@...el.com,
x86@...nel.org
Cc: Dave Hansen <dave.hansen@...el.com>, Chao Gao <chao.gao@...el.com>,
Andrew Cooper <andrew.cooper3@...rix.com>, x86@...nel.org,
kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
daniel.sneddon@...ux.intel.com, pawan.kumar.gupta@...ux.intel.com,
tglx@...utronix.de, peterz@...radead.org, gregkh@...uxfoundation.org,
seanjc@...gle.com, dave.hansen@...ux.intel.com, nik.borisov@...e.com,
kpsingh@...nel.org, longman@...hat.com, bp@...en8.de,
pbonzini@...hat.com
Subject: Re: [PATCH] KVM: x86: Set BHI_NO in guest when host is not affected
by BHI
On Tue, Apr 16, 2024 at 10:41:58AM +0200, Alexandre Chartre wrote:
>
> On 4/15/24 19:17, Dave Hansen wrote:
> > > + /*
> > > + * The following Intel CPUs are affected by BHI, but they don't have
> > > + * the eIBRS feature. In that case, the default Spectre v2 mitigations
> > > + * are enough to also mitigate BHI. We mark these CPUs with NO_BHI so
> > > + * that X86_BUG_BHI doesn't get set and no extra BHI mitigation is
> > > + * enabled.
> > > + *
> > > + * This avoids guest VMs from enabling extra BHI mitigation when this
> > > + * is not needed. For guest, X86_BUG_BHI is never set for CPUs which
> > > + * don't have the eIBRS feature. But this doesn't happen in guest VMs
> > > + * as the virtualization can hide the eIBRS feature.
> > > + */
> > > + VULNWL_INTEL(IVYBRIDGE_X, NO_BHI),
> > > + VULNWL_INTEL(HASWELL_X, NO_BHI),
> > > + VULNWL_INTEL(BROADWELL_X, NO_BHI),
> > > + VULNWL_INTEL(SKYLAKE_X, NO_BHI),
> > > + VULNWL_INTEL(SKYLAKE_X, NO_BHI),
> >
> > Isn't this at odds with the existing comment?
> >
> > /* When virtualized, eIBRS could be hidden, assume vulnerable */
> >
> > Because it seems now that we've got two relatively conflicting pieces of
> > vulnerability information when running under a hypervisor.
>
> It's not at odd, it's an additional information. The comment covers the general
> case.
>
> When running under a hypervisor then the kernel can't rely on CPU features to
> find if the server has eIBRS or not, because the virtualization can be hiding
> eIBRS. And that's the problem because the kernel might enable BHI mitigation
> while it's not needed.
>
> For example on Skylake: on the host, the kernel won't see eIBRS so it won't set
> X86_BUG_BHI. But in a guest on the same platform, the kernel will set X86_BUG_BHI
> because it doesn't know if the server doesn't effectively have eIBRS or if eIBRS
> is hidden by virtualization.
>
> With the patch, the kernel can know if the CPU it is running on (e.g. Skylake)
> needs extra BHI mitigation or not. Then it can safely not enable BHI mitigation
> no matter if it is running on host or in guest.
Where do we want to go with this one?
The problem (which I think is not understood) is that on Skylake there
is no Enhanced IBRS support. There is either IBRS or retpoline - and when IBRS
is enabled it does the job of mitigating against BHI.
And as of right now on Skylake guests we enable BHI _and_ IBRS for extra
slowdown.
We can't disable IBRS as it mitigates against other bugs too, so how do
you folks want to disable automatically BHI on Skylake with the least
amount of code?
Powered by blists - more mailing lists