| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPeqx-qNnE5_w9PA@char.us.oracle.com>
Date: Tue, 21 Oct 2025 11:46:15 -0400
From: Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
To: Jon Kohler <jon@...anix.com>
Cc: Dave Hansen <dave.hansen@...el.com>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>,
Peter Zijlstra <peterz@...radead.org>,
Josh Poimboeuf <jpoimboe@...nel.org>, Jonathan Corbet <corbet@....net>,
Ingo Molnar <mingo@...hat.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
Brian Gerst <brgerst@...il.com>, Brendan Jackman <jackmanb@...gle.com>,
"Ahmed S. Darwish" <darwi@...utronix.de>,
Alexandre Chartre <alexandre.chartre@...cle.com>,
"linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] x86/its: use Sapphire Rapids+ feature to opt out
On Tue, Oct 21, 2025 at 03:35:28PM +0000, Jon Kohler wrote:
>
>
> > On Oct 21, 2025, at 11:27 AM, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com> wrote:
> >
> > > >
> > On Tue, Oct 21, 2025 at 02:39:15PM +0000, Jon Kohler wrote:
> >>
> >>
> >>> On Oct 21, 2025, at 10:01 AM, Dave Hansen <dave.hansen@...el.com> wrote:
> >>>
> >>>>>
> >>> On 10/21/25 06:40, Jon Kohler wrote:
> >>>> So to simplify it down:
> >>>> A guest VM that updates to a ITS-enabled guest kernel sees performance
> >>>> impacts on non-vulnerable hardware, when running on non-BHI_CTRL and/or
> >>>> non-ITS_NO hypervisors, which is a very easy situation to get into, especially
> >>>> on QEMU with live migration-enabled pools.
> >>>
> >>> By non-$FEATURE, do you mean that they chose to not enumerate those
> >>> features, or that they are completely ignorant of them?
> >>
> >> Both cases are true for QEMU.
> >>
> >> For ITS_NO, it is an allowed feature, but its not part of a QEMU model by
> >> default, so the higher level control plane whatever that may be would need to
> >> specifically turn it on, its not automatic.
> >>
> >> For BHI_CTRL, depending on what QEMU the VM was originally *started* on,
> >> the guest may have access to Sapphire Rapids models, but BHI_CTRL may
> >> not have existed in the QEMU source at that time, as those were introduced
> >> into two different timeframes.
> >
> > QEMU provides now a mechanism to update itself to a newer version. See
> >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.oracle.com_linux_post_qemu-2Dlive-2Dupdate&d=DwIFaQ&c=s883GpUCOChKOHiocYtGcg&r=NGPRGGo37mQiSXgHKm5rCQ&m=UUSvpPViiTB6CJQtj3GREK4bQFz7MT9uNiAu5AL3O23d6I1yk4vheLDyR41ZcbRI&s=x19gwHU3HGXSlGkK0ppkawex3SIbs8xHj5hPtwNCFwc&e=
> >
> > That should solve your QEMU problem.
>
> Can this live update feature change CPU feature bits (e.g. add on
> -cpu ModelHere … new_flag=yes) during the update?
It is possible, but a pain in operation b/c you have to keep track of
the newer parameters you are adding and if add some device in wrong
order (wrong PCI BDF), well, things won't be nice.
>
> Can it change CPU models during the live update (e.g. change
> -cpu Model-v1 to -cpu Model-v2)?
Not exactly. But you can modify the built-in Model-v1 (in the newer
version) to have the newer CPU flags and it will carry-over.
Anyhow it is all in the latest version of QEMU.
Powered by blists - more mailing lists