[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] (partial) Spectre v2 mitigation without on Skylake IBRS

>>> On 26.02.18 at 11:18, <jgross@xxxxxxxx> wrote:
> On 26/02/18 10:44, Jan Beulich wrote:
>> if running PV Linux on older Xen (4.5 and earlier) is relevant, it may be
>> necessary to use a mechanism other than IBRS to mitigate Spectre v2
>> on Skylake. That is because the new MSR value can't be migrated
>> prior to migration v2. Of course one option would be to retrofit some
>> mechanism into newer Xen versions that makes them accept whatever
>> extension to e.g. struct hvm_hw_cpu one might want to invent for
>> the older Xen versions. But that doesn't seem very desirable.
> 
> Can you please elaborate a little bit more what the real problem is?
> 
> I _think_ you are referring to the problem that a pv kernel would want
> to use IBRS for mitigation of Spectre V2 and after a migration that
> setting would be lost.

"Lost" is the wrong term imo: A hypervisor that's been patched for
Spectre v2 (and that's a prereq anyway, because we want the
kernel to use IBPB, which utilizes an MSR that doesn't need
migrating) should at least do _something_ with the MSR (when it's
non-zero). The most natural thing (imo) is to make those older
hypervisors support XEN_DOMCTL_{get,set}_vcpu_msrs. That in
turn calls for the tool stack to gain the check that Andrew had
added to libxc in db24f7f012 ("libxc: use an explicit check for PV
MSRs in xc_domain_save() "), causing migration to fail when the
MSR is non-zero on any of the guest's vCPU-s.

> If this is the case I believe the easiest solution would be to let the
> kernel set the MSR again after leaving suspended state. suspend/resume
> require hooks in pv kernels after all.

Hmm, this could be leveraged irrespective of what I've written
above - the kernel could then also clear the MSR during suspend,
thus allowing the check in libxc to pass.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.