Received: by 10.223.176.5 with SMTP id f5csp4228442wra; Tue, 30 Jan 2018 04:13:20 -0800 (PST) X-Google-Smtp-Source: AH8x2249LD7YWAxVYhdFfmXPrIe+Eppvf/fM664NF255SgrE4NmnyvsiYZJGqqEnoJOaQShezOpg X-Received: by 10.98.72.214 with SMTP id q83mr29696491pfi.79.1517314400729; Tue, 30 Jan 2018 04:13:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517314400; cv=none; d=google.com; s=arc-20160816; b=sLahWxczRv6m4wp/DXCAy1Gol/Dn/2c9ZbqXk3HaQ3sZwHnYiOIEXLAjFYeQSr+XT6 xzSrgSdBcx/aA3Liq6wGmqt8Sy/IZ/NlqhElzGO0B1CiNkgj6m7FF0yMYM5Swt4Qv1HT B9vd8p79uDGG5Ml0In4giF+LDES9ussVnhtp5OBJWyh7qTvXJWtqwLw4Fj444hYHzFkv I2/Q/8d3f64gbftcmk6HafeJ/vGT8lyNcn60OgW3ciof/KL/ltwoDYt/guKWX9QckQM5 hqpfXdAP42tSqUCVz6JG0RvUhNrYMaS7MCJZHRQAV04tsZ/fEJP1wtpEbUtyMifXfXjM 7/Lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date:from :references:cc:to:subject:arc-authentication-results; bh=w+KXR+np7t5n17R3+xSHlpEisJVOWHMet3RmUDWxtY8=; b=ACk9seZnpDLG2AuEI6ytvMIqt7Vysx3aRDluuwJTf7xPQlEPIvj9ZQYufS1ChzyqYO au/VRVdeZ5wAuM8xaHIZszt8b2BUTF8PZhSTmgwoDEFI/I2YJeny91nQgxPTdLb1gmKU eQizmyN9Q/T8yGm/x3ZjBQmHAHnVyyWLB6tGTq5k02NAxqkXrbIg5MnhTKvq4vVZDbUc RkX44OM6M4snrvzIT7ClGwgHp4ugdQcJlrt9pv4GpuyfRIiomSzvyC8cPl4PsU2FRZJ7 L60KG+/92jvw+lHzsk6uHfxtm/JE9uMOChrxwUlIzS3RmHNSa/NV3q+U29HeQyDE+Psg GEUg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 9-v6si2032980plb.509.2018.01.30.04.13.05; Tue, 30 Jan 2018 04:13:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751968AbeA3MLl (ORCPT + 99 others); Tue, 30 Jan 2018 07:11:41 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48962 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751822AbeA3MLj (ORCPT ); Tue, 30 Jan 2018 07:11:39 -0500 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0UCApt0042187 for ; Tue, 30 Jan 2018 07:11:38 -0500 Received: from e06smtp15.uk.ibm.com (e06smtp15.uk.ibm.com [195.75.94.111]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ftp80xer4-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 30 Jan 2018 07:11:38 -0500 Received: from localhost by e06smtp15.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 30 Jan 2018 12:11:35 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp15.uk.ibm.com (192.168.101.145) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 30 Jan 2018 12:11:26 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w0UCBQlg45088876; Tue, 30 Jan 2018 12:11:26 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 613404204D; Tue, 30 Jan 2018 12:04:34 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7A77342045; Tue, 30 Jan 2018 12:04:33 +0000 (GMT) Received: from oc7330422307.ibm.com (unknown [9.152.224.107]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 30 Jan 2018 12:04:33 +0000 (GMT) Subject: Re: [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure To: Linus Torvalds , David Woodhouse Cc: Arjan van de Ven , Eduardo Habkost , KarimAllah Ahmed , Linux Kernel Mailing List , Andi Kleen , Andrea Arcangeli , Andy Lutomirski , Ashok Raj , Asit Mallick , Borislav Petkov , Dan Williams , Dave Hansen , Greg Kroah-Hartman , "H . Peter Anvin" , Ingo Molnar , Janakarajan Natarajan , Joerg Roedel , Jun Nakajima , Laura Abbott , Masami Hiramatsu , Paolo Bonzini , Peter Zijlstra , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Thomas Gleixner , Tim Chen , Tom Lendacky , KVM list , the arch/x86 maintainers , "Dr. David Alan Gilbert" References: <1516476182-5153-6-git-send-email-karahmed@amazon.de> <20180129201404.GA1588@localhost.localdomain> <1517257022.18619.30.camel@infradead.org> <20180129204256.GV25150@localhost.localdomain> <31415b7f-9c76-c102-86cd-6bf4e23e3aee@linux.intel.com> <1517259759.18619.38.camel@infradead.org> From: Christian Borntraeger Date: Tue, 30 Jan 2018 13:11:25 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 18013012-0020-0000-0000-000003F050A4 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18013012-0021-0000-0000-00004282B14B Message-Id: <56a33b36-5568-5d6e-a858-3b22ea335bcb@de.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-30_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1801300156 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 01/30/2018 01:23 AM, Linus Torvalds wrote: [...] > > So I actually have a _different_ question to the virtualization > people. This includes the vmware people, but it also obviously > incldues the Amazon AWS kind of usage. > > When you're a hypervisor (whether vmware or Amazon), why do you even > end up caring about these things so much? You're protected from > meltdown thanks to the virtual environment already having separate > page tables. And the "big hammer" approach to spectre would seem to > be to just make sure the BTB and RSB are flushed at vmexit time - and > even then you might decide that you really want to just move it to > vmenter time, and only do it if the VM has changed since last time > (per CPU). > > Why do you even _care_ about the guest, and how it acts wrt Skylake? > What you should care about is not so much the guests (which do their > own thing) but protect guests from each other, no? > > So I'm a bit mystified by some of this discussion within the context > of virtual machines. I think that is separate from any measures that > the guest machine may then decide to partake in. > > If you are ever going to migrate to Skylake, I think you should just > always tell the guests that you're running on Skylake. That way the > guests will always assume the worst case situation wrt Specte. > > Maybe that mystification comes from me missing something. I can only speak for KVM, but I think the hypervisor issues come from the fact that for migration purposes the hypervisor "lies" to the guest in regard to what kind of CPU is running. (it has to lie, see below). This is to avoid random guest crashes by not announcing features. For example if you want to migrate forth and back between a system that has AVX512 and another one that has not you must tell the guest that AVX512 is not available - even if it runs on the capable system. To protect against new features the hypervisor only announces features that it understands. So you essentially start a VM in QEMU of a given CPU type that is constructed of a base cpu type plus extra features. Before migration, it is checked if he target system can run a guest of given type - otherwise migration is rejected. The management stack also knows things like baselining - basically creating the best possible guest CPU given a set of hosts. The problem now is: If you have lets say Broadwell and Skylakes. What kind of CPU type are you telling your guest? If you claim broadwell but run on skylake then you prevent that the guest can protect itself, because the guest does not know that it should do something special. If you say skylake the guest might start using features that broadwell does not understand. So I think what we have here is that the current (guest) cpu model for hypervisors was always designed for architectural features. Presenting a microarchitectural knowledge for workarounds does not seem to be well integrated into hypervisors. PS: For a list of potential cpus/features look at https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/cpu/cpu_map.xml