
Re: XSA-351 causing Solaris-11 systems to panic during boot.



On 12/21/20 3:21 AM, Jan Beulich wrote:
> On 18.12.2020 21:43, boris.ostrovsky@xxxxxxxxxx wrote:
>> Can we do something like KVM's ignore_msrs (but probably return 0 on reads 
>> to avoid leaks from the system)? It would allow dealing with cases when a 
>> guest is suddenly unable to boot after a hypervisor update (especially from 
>> pre-4.14). It won't help in all cases since some MSRs may be expected to be 
>> non-zero but I think it will cover a large number of them. (And it will 
>> certainly do what Jan is asking above but will not be specific to this 
>> particular breakage.)
> This would re-introduce the problem with detection (by guests) of certain
> features lacking suitable CPUID bits. Guests would no longer observe the
> expected #GP(0), and hence be at risk of misbehaving. Hence at the very
> least such an option would need to be per-domain rather than (like for
> KVM) global,


Yes, of course.


>  and use of it should then imo be explicitly unsupported.


Unsupported or not recommended? There are options that are not recommended from 
a security perspective but they are still supported. For example, `spec-ctrl=no` 
(although it's a global setting).


>  And
> along the lines of what KVM has, this may want to be a tristate so the
> ignoring can be both silent and verbose.


OK.


ignore_msrs="never" (default)

ignore_msrs="silent"

ignore_msrs="verbose"



-boris
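
The semantics discussed in this message, modelled as an added example that is not part of the original thread and is not Xen code. All type, function and MSR names are hypothetical, and the MSR indices and values are constructed. It shows the default `never` behaviour (the guest sees #GP(0)), ignored reads returning 0, and the feature-detection concern Jan raises for guests that probe MSRs lacking a CPUID bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the proposal; none of these names are Xen's. */
enum ignore_msrs { IGNORE_NEVER, IGNORE_SILENT, IGNORE_VERBOSE };
enum msr_result { MSR_OK, MSR_GP0 };           /* MSR_GP0: inject #GP(0) */
struct domain { int id; enum ignore_msrs policy; unsigned int logged; };

#define MSR_EMULATED 0x00000010u  /* constructed: handled by the model */
#define MSR_UNKNOWN  0x00001234u  /* constructed: not handled */

/* RDMSR intercept: the per-domain policy decides what an unhandled read does. */
enum msr_result guest_rdmsr(struct domain *d, uint32_t msr, uint64_t *val)
{
    *val = 0;                     /* ignored reads yield 0, never host state */
    if (msr == MSR_EMULATED) {
        *val = 42;                /* constructed emulated value */
        return MSR_OK;
    }
    if (d->policy == IGNORE_NEVER)
        return MSR_GP0;           /* default: guest sees the expected fault */
    if (d->policy == IGNORE_VERBOSE) {
        d->logged++;
        fprintf(stderr, "d%d: ignored RDMSR %#x\n", d->id, (unsigned int)msr);
    }
    return MSR_OK;
}

/* Guest-side probe for a feature with no CPUID bit: present iff no #GP(0). */
bool guest_detects_feature(struct domain *d, uint32_t msr)
{
    uint64_t v;
    return guest_rdmsr(d, msr, &v) == MSR_OK;
}

int main(void)
{
    struct domain strict = { 1, IGNORE_NEVER, 0 }, lax = { 2, IGNORE_VERBOSE, 0 };
    bool a = guest_detects_feature(&strict, MSR_UNKNOWN);
    bool b = guest_detects_feature(&lax, MSR_UNKNOWN);
    printf("never: feature=%d  verbose: feature=%d (logged %u)\n", a, b, lax.logged);
    return 0;
}
```

With `never` the probe reports the feature as absent; with either ignoring mode the same probe reports a feature that is not there, which is why the setting is scoped to a single domain in the model.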




 

