Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp1945190ybc; Wed, 13 Nov 2019 06:46:37 -0800 (PST) X-Google-Smtp-Source: APXvYqxlQiZYpmFeN9irVMmxJmhdGB6zI4ksG3zTkZ+qk2VwGcAKjJvKFSWXDxcxV53F80UEnbFp X-Received: by 2002:a17:906:8548:: with SMTP id h8mr3082611ejy.290.1573656397228; Wed, 13 Nov 2019 06:46:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573656397; cv=none; d=google.com; s=arc-20160816; b=ubEEVXjQcG21H6o/wINFGoA10YOIwkNCBfRh/xfGW29f3jQcpmkQGMrAn5W3QG7Vqs EtWaZMjO81wvpW/PE6g39W+LXhjNul9KqH3/R6dNTQG/weGrTMm+93/jwG5W1nnK5jWk fURJLTqRtJ+pMlsh7gYkpBY0TW46cQ13K9scj27oYTRtdq36pu4mkvlb9mHilDdzmVxM a8E+BQZFLvY6NuGNz7Vp1kC0N8iVn9EhF5E7Ds2T1JDpLDppWNzlwEOMKYyIn0gEIkeE Q7WXnK8H6Sv396QRmN30QNRYUlHwnPP/1jmIGLDCBj2u2B6ueKpY+2DeSW5n8BUkJFLU dPqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject:dkim-signature; bh=bC4T8pgydI4B01e4W+simxuv/TyXNcqyN4ZGiE+0SQI=; b=DmT3LLyHGAs9tWS8EwXguXN1g61XB6qLcWERRgim1o6I4t16pt6cjYgTNwVIKer5KC LDtGVCw3IIsBXft4SA2IXzOO0M8R0UICHVFzjdpfhvU93Ar2zBYYO6EB92IyFBHnjKC4 yYcqiYlqKK+EhYqvsyXE5JafUH5qo92g3Eek08SHztCzu2H1PMo8qIuJqrn5AjRhvbDV gvaWT8iEfVpcradsxEoQgjiMCOExm+H1bJSM11PxCfSohqf0j+PhoyNiYOLdsGPqFl+x lhUAVKVnwBbyMdqS3eVXP9HootxgTyCTgyG0w4hrFqXkaXom81vnhOEMF/MjWwiTEqSv y3/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=PjisUTBr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id jz12si1214887ejb.193.2019.11.13.06.46.05; Wed, 13 Nov 2019 06:46:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=PjisUTBr; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727730AbfKMOoL (ORCPT + 99 others); Wed, 13 Nov 2019 09:44:11 -0500 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:40015 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726982AbfKMOoL (ORCPT ); Wed, 13 Nov 2019 09:44:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573656249; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:openpgp:openpgp; bh=bC4T8pgydI4B01e4W+simxuv/TyXNcqyN4ZGiE+0SQI=; b=PjisUTBr2+Sctzo9PP7oZYht1HZw5aw1N/MvUJTPFtZXRzJyys2lmtGCe/gH4E/39bnLq9 ukbanKVK3J4gmY9bf3Dq+MUJ4e6SnZjkLfErrZv3+dUtHfflSlO6Lc68IidUd86E1UZL7z w4F8dTOaV79oiGKTZ1GMLvi/y/4Z/Ek= Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-82-g9gnedinPU6ELS5pwSrRbg-1; Wed, 13 Nov 2019 09:44:08 -0500 Received: by mail-wr1-f70.google.com with SMTP id m17so1675498wrn.23 for ; Wed, 13 Nov 2019 06:44:07 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=dbS92pVYxEVofFiDK5lk0fDOG1KrLCQFjLUxVrpNKPI=; b=Qp+pJYoJHMRa0ex0+V8tb7zmk+IJ2+lujRflWuKMR9iM2R8o7Vd7Y18mV9gi8Ue9Ud C4QCzj4QP87gy/K7dcl09zdrUry8sgdUCHVziSZ6sYro6OLMe2/+NT0S47QALH89QnyX o4xzvWPV8H0nZOU1LGnaSQf6QDB6eyMu7VRpRIJqxgTSlexP6kc/HFRXnmESfN3uK6We 1152PNyXrUS+hnOdABGJrfTo5ZldWioWDlc0TEJiHrGLkraUPugB/wbhuLhrOKJIk/QC jvIllY90OdiSQKOJHT+/pQLQVU0K99HTm/qXwBh+PnzxObMawA3kA/nJ87erLHbttcky dJgA== X-Gm-Message-State: APjAAAWkKXuGt35/0toR5LlxCjosbje/W+gOfMByerfhXgmYg/x11G9o NOtye5TzRIPk7jBCZJVOGx0FRPEmcp5hLWh7eB4QhHNWGwsAX3fiIvgoIr7ybOSfkke+EhuV9R1 dOgzqUVU89a1M7FnFFYCPdZoW X-Received: by 2002:a5d:4684:: with SMTP id u4mr3038386wrq.352.1573656246884; Wed, 13 Nov 2019 06:44:06 -0800 (PST) X-Received: by 2002:a5d:4684:: with SMTP id u4mr3038366wrq.352.1573656246598; Wed, 13 Nov 2019 06:44:06 -0800 (PST) Received: from ?IPv6:2001:b07:6468:f312:64a1:540d:6391:74a9? ([2001:b07:6468:f312:64a1:540d:6391:74a9]) by smtp.gmail.com with ESMTPSA id z4sm2704216wmf.36.2019.11.13.06.44.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Nov 2019 06:44:06 -0800 (PST) Subject: Re: [FYI PATCH 0/7] Mitigation for CVE-2018-12207 To: Jinpu Wang Cc: LKML , "KVM-ML (kvm@vger.kernel.org)" References: <1573593697-25061-1-git-send-email-pbonzini@redhat.com> From: Paolo Bonzini Openpgp: preference=signencrypt Message-ID: <6cb5e680-86f1-108d-92db-62e904dccb7c@redhat.com> Date: Wed, 13 Nov 2019 15:44:08 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-MC-Unique: g9gnedinPU6ELS5pwSrRbg-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 13/11/19 14:00, Jinpu Wang wrote: > Hi Paolo, hi list, >=20 > Thanks for info, do we need qemu patch for full mitigation? > Debian mentioned: > https://linuxsecurity.com/advisories/debian/debian-dsa-4566-1-qemu-securi= ty-update-17-10-10 > " > A qemu update adding support for the PSCHANGE_MC_NO feature, which > allows to disable iTLB Multihit mitigations in nested hypervisors > will be provided via DSA 4566-1. >=20 > " > But It's not yet available publicly. I will send it today, but it's not needed for full mitigation. It just provides a knob to turn it on and off in nested hypervisors. > About the performance hit, do you know any number? probably the answer > is workload dependent. We generally measured 0-4%. There can be latency spikes for RT, which I will send a patch for soon. Paolo