Received: by 10.223.176.5 with SMTP id f5csp4397750wra; Tue, 30 Jan 2018 06:47:40 -0800 (PST) X-Google-Smtp-Source: AH8x2246ywIlEJlSeHVcRyGQFNIo9r9XVyHXSLRTv8ACdCJ7iCR5pwf/CqP8hQJHzaTxbv3cJlT/ X-Received: by 2002:a17:902:f81:: with SMTP id 1-v6mr1641084plz.383.1517323660064; Tue, 30 Jan 2018 06:47:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517323660; cv=none; d=google.com; s=arc-20160816; b=M06V2CTS7d4wE3hSLXStuLZ8a3psXdmWVbcqgvzt7CRwLfZ5nIRbtSPbgiH9JRmUEg b6enYZ6ImIaSyCg6jFT/vaNd4J+qGAy8STMLU3lRQeE+3IIeUkJ9F6fPcq2G6UlOBsXn hy97QJaYAIaizPbzzjCUukBqGLhRuQEAyDLx967cuLVez3wbf23fRf3VvBUzPZWRfgRN y3w18Wh2ehSi4E9Sd35japkUGte0XHSpqpSi11sNQ3H04icem0ok1497K1PXcHS5FZ+T A3mdp7JbUD35vgOuRQZYsYhm3qomo6lM0UYBl67gORVcc1sjTyZ1Z7B0JgTbnyzYUvBz ZgrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:subject:mime-version :from:dkim-signature:arc-authentication-results; bh=kfT/ocaPqYy54XlxqWguaP3POgjzTTuGp5LdjCtklg8=; b=VAdO9NUcwfWMOqv7jaMEu9hZVF5OOBcRrinzJkPDcsoujh9bnSXA5viL5XH0LVrstJ VP/hK2mEaVjn0nbMuuj14lbsYHqe/Y8vEocMQSBkfTli/5OmUF8qRejIXLc8u1OBbIqO VYQfz0+EhSWKR0NScu5BBBhLLad0x7fcDWey64lreIOLGo72OFleOYxKTcfWOo9mc4gi uFUsJXYLE5LVJESQjtANneIGPz+qAdsRzSYXNKTxL5wqgYcBoMlp1pc9o10QOkSIWfQj KyTRW4ebAtTddhm7kjzOuWc1FknwzABAwck67TPflpw2EqX+BUSlHR5vwfoC7MuXxhMq F6kw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GzM6LFsI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3-v6si12036029ple.769.2018.01.30.06.47.24; Tue, 30 Jan 2018 06:47:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=GzM6LFsI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752596AbeA3Oq2 (ORCPT + 99 others); Tue, 30 Jan 2018 09:46:28 -0500 Received: from mail-wm0-f47.google.com ([74.125.82.47]:35465 "EHLO mail-wm0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751846AbeA3Oq0 (ORCPT ); Tue, 30 Jan 2018 09:46:26 -0500 Received: by mail-wm0-f47.google.com with SMTP id r78so1686959wme.0; Tue, 30 Jan 2018 06:46:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kfT/ocaPqYy54XlxqWguaP3POgjzTTuGp5LdjCtklg8=; b=GzM6LFsIEQNXtKDxybJPcExCIKtknZKroTblHQsLdCgwrDObZq33fScgnn7Hr/dvMr Q6SzjKzw8Gtf1B2q+LCdk+L/TOS8OrbzmOAZb+Ool77P/DMI5IbPMb4PpMReznwpPqqq /AU/0KdqlP9yPoiPLt89XZrkRsjTr1Jr3urswdOTVDYluIrJAsZ3KYKq6dwAMtsEo3oQ sgDZ5gor56WwV5YfBzhX0EkvMc+/B/xDtTD88cgwIlkiwF4CZHYgAZjxG4JamMdoCi+E CSVvyS2UpTwRC5Rse9230Yc8RdC3DekSuXWsEE0zMDu8fR8ktV2kGYcjsQccYQs+m7nQ NX/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=kfT/ocaPqYy54XlxqWguaP3POgjzTTuGp5LdjCtklg8=; b=kcoEGnbgcSdFSKhyP03eM5ozIvaC82TWCDruEIqevL5wHMg+FMiErqWMdL62o3T33U uOtKU+PhgPdUX9BLczKWUD35iGJWOR86sGZAaKO8H9VoN81Jcv6B5hADwSAzGXjEHtZ7 zCDwz5Zgjjtu88aM9xueE6HrqzxcxT8rM2NYSd61jd+KajltaS8R0+FAPB48zMOzpMgl 3QLhE2Hw8/KAu1vlXs4ZatoZGmJ5jS2/AXwMrJgr5vNza1uA3/WLoxHhx3JmtBO1f807 VAyJxYVgGg5IRQO705ZtQXTTvpRsT5tnGtUntN2BhEN5tnHzh3HAvXNMa2JgTUiDQEZT DHWg== X-Gm-Message-State: AKwxytdsMryc5Mbc2RA5CX16Q9/TiYqd3XHcGO9SA+7M2nizGJMfGWxJ oxurB5H/LYY55NhMjBhSKx4= X-Received: by 10.28.114.6 with SMTP id n6mr19385475wmc.87.1517323584951; Tue, 30 Jan 2018 06:46:24 -0800 (PST) Received: from [192.168.77.22] (val06-1-88-182-161-34.fbx.proxad.net. [88.182.161.34]) by smtp.gmail.com with ESMTPSA id 19sm7072900wrx.73.2018.01.30.06.46.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jan 2018 06:46:24 -0800 (PST) From: Christophe de Dinechin X-Google-Original-From: Christophe de Dinechin Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\)) Subject: Re: [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure In-Reply-To: <56a33b36-5568-5d6e-a858-3b22ea335bcb@de.ibm.com> Date: Tue, 30 Jan 2018 15:46:22 +0100 Cc: Linus Torvalds , David Woodhouse , Arjan van de Ven , Eduardo Habkost , KarimAllah Ahmed , Linux Kernel Mailing List , Andi Kleen , Andrea Arcangeli , Andy Lutomirski , Ashok Raj , Asit Mallick , Borislav Petkov , Dan Williams , Dave Hansen , Greg Kroah-Hartman , "H . Peter Anvin" , Ingo Molnar , Janakarajan Natarajan , Joerg Roedel , Jun Nakajima , Laura Abbott , Masami Hiramatsu , Paolo Bonzini , Peter Zijlstra , =?utf-8?B?UmFkaW0gS3LEjW3DocWZ?= , Thomas Gleixner , Tim Chen , Tom Lendacky , KVM list , the arch/x86 maintainers , "Dr. David Alan Gilbert" Content-Transfer-Encoding: quoted-printable Message-Id: References: <1516476182-5153-6-git-send-email-karahmed@amazon.de> <20180129201404.GA1588@localhost.localdomain> <1517257022.18619.30.camel@infradead.org> <20180129204256.GV25150@localhost.localdomain> <31415b7f-9c76-c102-86cd-6bf4e23e3aee@linux.intel.com> <1517259759.18619.38.camel@infradead.org> <56a33b36-5568-5d6e-a858-3b22ea335bcb@de.ibm.com> To: Christian Borntraeger X-Mailer: Apple Mail (2.3445.5.20) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On 30 Jan 2018, at 13:11, Christian Borntraeger = wrote: >=20 >=20 >=20 > On 01/30/2018 01:23 AM, Linus Torvalds wrote: > [...] >>=20 >> So I actually have a _different_ question to the virtualization >> people. This includes the vmware people, but it also obviously >> incldues the Amazon AWS kind of usage. >>=20 >> When you're a hypervisor (whether vmware or Amazon), why do you even >> end up caring about these things so much? You're protected from >> meltdown thanks to the virtual environment already having separate >> page tables. And the "big hammer" approach to spectre would seem to >> be to just make sure the BTB and RSB are flushed at vmexit time - and >> even then you might decide that you really want to just move it to >> vmenter time, and only do it if the VM has changed since last time >> (per CPU). >>=20 >> Why do you even _care_ about the guest, and how it acts wrt Skylake? >> What you should care about is not so much the guests (which do their >> own thing) but protect guests from each other, no? >>=20 >> So I'm a bit mystified by some of this discussion within the context >> of virtual machines. I think that is separate from any measures that >> the guest machine may then decide to partake in. >>=20 >> If you are ever going to migrate to Skylake, I think you should just >> always tell the guests that you're running on Skylake. That way the >> guests will always assume the worst case situation wrt Specte. >>=20 >> Maybe that mystification comes from me missing something. >=20 > I can only speak for KVM, but I think the hypervisor issues come from > the fact that for migration purposes the hypervisor "lies" to the = guest > in regard to what kind of CPU is running. (it has to lie, see below). >=20 > This is to avoid random guest crashes by not announcing features. For > example if you want to migrate forth and back between a system that > has AVX512 and another one that has not you must tell the guest that > AVX512 is not available - even if it runs on the capable system. >=20 > To protect against new features the hypervisor only announces features > that it understands. > So you essentially start a VM in QEMU of a given CPU type that is > constructed of a base cpu type plus extra features. Before migration,=20= > it is checked if he target system can run a guest of given type -=20 > otherwise migration is rejected.=20 >=20 > The management stack also knows things like baselining - basically > creating the best possible guest CPU given a set of hosts. >=20 > The problem now is: If you have lets say Broadwell and Skylakes. > What kind of CPU type are you telling your guest? If you claim > broadwell but run on skylake then you prevent that the guest can=20 > protect itself, because the guest does not know that it should do=20 > something special. If you say skylake the guest might start using > features that broadwell does not understand. I believe that Linus=E2=80=99 question was whether it makes sense to = defer the entirety of the protection to the host kernel, although I was a bit confused by his suggestion to always assume Skylake. In other words, is it safe enough to rely on the host kernel = countermeasure to protect guest kernels and their applications? In which case having the guest believe it runs on Broadwell would not be that problematic. Aren=E2=80=99t there enough vmexits on the guest kernel context switch to enforce protection on its behalf? Even if it=E2=80=99s a) some old kernel that without mitigation code or b) some new kernel that thinks it runs on an old CPU and disabled = mitigation Christophe >=20 > So I think what we have here is that the current (guest) cpu model > for hypervisors was always designed for architectural features. > Presenting a microarchitectural knowledge for workarounds does > not seem to be well integrated into hypervisors. >=20 >=20 > PS: For a list of potential cpus/features look at > https://libvirt.org/git/?p=3Dlibvirt.git;a=3Dblob;f=3Dsrc/cpu/cpu_map.xm= l >=20