From: Paolo Bonzini
Date: Thu, 11 Apr 2024 16:46:32 +0200
Subject: Re: [PATCH] KVM: x86: Set BHI_NO in guest when host is not affected by BHI
To: Alexandre Chartre
Cc: Andrew Cooper, x86@kernel.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, daniel.sneddon@linux.intel.com, pawan.kumar.gupta@linux.intel.com, tglx@linutronix.de, konrad.wilk@oracle.com, peterz@infradead.org, gregkh@linuxfoundation.org, seanjc@google.com, dave.hansen@linux.intel.com, nik.borisov@suse.com, kpsingh@kernel.org, longman@redhat.com, bp@alien8.de

On Thu, Apr 11, 2024 at 4:34 PM Alexandre Chartre wrote:
> Still, we could enumerate CPUs which don't have eIBRS independently of NO_BHI
> (if we have a list of such CPUs) and set X86_BUG_BHI for cpus with eIBRS.
>
> So in arch/x86/kernel/cpu/common.c, replace:
>
>     /* When virtualized, eIBRS could be hidden, assume vulnerable */
>     if (!(ia32_cap & ARCH_CAP_BHI_NO) &&
>         !cpu_matches(cpu_vuln_whitelist, NO_BHI) &&
>         (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) ||
>          boot_cpu_has(X86_FEATURE_HYPERVISOR)))
>             setup_force_cpu_bug(X86_BUG_BHI);
>
> with something like:
>
>     if (!(ia32_cap & ARCH_CAP_BHI_NO) &&
>         !cpu_matches(cpu_vuln_whitelist, NO_BHI) &&
>         (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) ||
>          !cpu_matches(cpu_vuln_whitelist, NO_EIBRS)))
>             setup_force_cpu_bug(X86_BUG_BHI);

No, that you cannot do because the hypervisor can and will fake the
family/model/stepping.

However, looking again at the original patch you submitted, I think
the review was confusing host and guest sides. If the host is "not
affected", i.e. the host *genuinely* does not have eIBRS, it can set
BHI_NO and that will bypass the "always mitigate in a guest" bit.

I think that's robust and boot_cpu_has_bug(X86_BUG_BHI) is the right
way to do it.

If a VM migration pool has both !eIBRS and eIBRS machines, it will
combine the two; on one hand it will not set the eIBRS bit (bit 1), on
the other hand it will not set BHI_NO either, and it will set the
hypervisor bit. The result is that the guest *will* use mitigations.

To double check, from the point of view of a nested hypervisor, you
could set BHI_NO in a nested guest:

* if the nested hypervisor has BHI_NO passed from the outer level
* or if its CPUID passes cpu_matches(cpu_vuln_whitelist, NO_BHI)
* but it won't matter whether the nested hypervisor lacks eIBRS,
  because that bit is not reliable in a VM

The logic you'd use in KVM therefore is:

    (ia32_cap & ARCH_CAP_BHI_NO) ||
    cpu_matches(cpu_vuln_whitelist, NO_BHI) ||
    (!boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) &&
     !boot_cpu_has(X86_FEATURE_HYPERVISOR))

but that is exactly !boot_cpu_has_bug(X86_BUG_BHI) and is therefore
what Alexandre's patch does.

So I'll wait for further comments but I think the patch is correct.

Paolo
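
The equivalence and the migration-pool case argued in the message above can be checked mechanically. The following is an added example, not code from the thread or from the kernel: `struct cpu_view` and `pool_guest_view` are hypothetical names, and the model assumes a pool exposes BHI_NO and eIBRS only when every host offers them and that the guest's family/model/stepping does not match the NO_BHI list.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the four inputs named in the thread; not kernel code. */
struct cpu_view {
    bool bhi_no;      /* ia32_cap & ARCH_CAP_BHI_NO */
    bool fms_no_bhi;  /* cpu_matches(cpu_vuln_whitelist, NO_BHI) */
    bool eibrs;       /* boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) */
    bool hypervisor;  /* boot_cpu_has(X86_FEATURE_HYPERVISOR) */
};

/* X86_BUG_BHI condition quoted from arch/x86/kernel/cpu/common.c. */
static bool has_bug_bhi(struct cpu_view c)
{
    return !c.bhi_no && !c.fms_no_bhi && (c.eibrs || c.hypervisor);
}

/* Expression given in the reply for when KVM may set BHI_NO for a guest. */
static bool kvm_may_set_bhi_no(struct cpu_view c)
{
    return c.bhi_no || c.fms_no_bhi || (!c.eibrs && !c.hypervisor);
}

/* Number of the 16 input combinations where the two forms disagree. */
static int count_mismatches(void)
{
    int bad = 0;
    for (int m = 0; m < 16; m++) {
        struct cpu_view c = { !!(m & 1), !!(m & 2), !!(m & 4), !!(m & 8) };
        bad += kvm_may_set_bhi_no(c) != !has_bug_bhi(c);
    }
    return bad;
}

/* Assumed guest view: BHI_NO and eIBRS are exposed only if every host in the
 * pool offers them, FMS is treated as non-matching, hypervisor bit is set. */
static struct cpu_view pool_guest_view(struct cpu_view a, struct cpu_view b)
{
    struct cpu_view g = { kvm_may_set_bhi_no(a) && kvm_may_set_bhi_no(b),
                          false, a.eibrs && b.eibrs, true };
    return g;
}

int main(void)
{
    struct cpu_view no_eibrs = { false, false, false, false };
    struct cpu_view eibrs = { false, false, true, false };
    printf("mismatches=%d mixed-pool guest mitigates=%d\n", count_mismatches(),
           has_bug_bhi(pool_guest_view(no_eibrs, eibrs)));
    return 0;
}
```

Feeding the result of `pool_guest_view` back into `kvm_may_set_bhi_no` models the nested-hypervisor bullets: BHI_NO propagates inward only when it was passed from the outer level.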