
Re: [PATCH v3 4/4] x86/cpu-policy: Derive RSBA/RRSBA for guest policies


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 13 Jun 2023 11:59:06 +0200
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 13 Jun 2023 09:59:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 12.06.2023 18:13, Andrew Cooper wrote:
> The RSBA bit, "RSB Alternative", means that the RSB may use alternative
> predictors when empty.  From a practical point of view, this means "Retpoline
> not safe".
> 
> Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a
> statement that IBRS is implemented in hardware (as opposed to the form
> retrofitted to existing CPUs in microcode).
> 
> The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS
> property that predictions are tagged with the mode in which they were learnt.
> Therefore, it means "when eIBRS is active, the RSB may fall back to
> alternative predictors but restricted to the current prediction mode".  As
> such, it's a stronger statement than RSBA, but still means "Retpoline not safe".
> 
> CPUs are not expected to enumerate both RSBA and RRSBA.
> 
> Add feature dependencies for EIBRS and RRSBA.  While technically they're not
> linked, absolutely nothing good can come of letting the guest see RRSBA
> without EIBRS.  Nor a guest seeing EIBRS without IBRSB.  Furthermore, we use
> this dependency to simplify the max derivation logic.
> 
> The max policies get RSBA and RRSBA unconditionally set (with the EIBRS
> dependency maybe hiding RRSBA).  We can run any VM, even if it has been told
> "somewhere you might run, Retpoline isn't safe".
> 
> The default policies are more complicated.  A guest shouldn't see both bits,
> but it needs to see one if the current host suffers from any form of RSBA, and
> which bit it needs to see depends on whether eIBRS is visible or not.
> Therefore, the calculation must be performed after sanitise_featureset().
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Wei Liu <wl@xxxxxxx>
> 
> v3:
>  * Minor commit message adjustment.
>  * Drop changes to recalculate_cpuid_policy().  Deferred to a later series.

With this dropped, with the title not saying "max/default", and with
the description also not mentioning "live" policies at all, I don't
think this patch is self-consistent (meaning in particular: leaving
aside the fact that there's no way right now to request e.g. both
RSBA and RRSBA for a guest; aiui it is possible for Dom0).

As you may imagine I'm also curious why you decided to drop this.

Jan
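
The max/default derivation described in the quoted commit message, modelled as an added example (not code from the patch or from Xen). The bit values, the function names and the `hidden` mask are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit positions are assumptions for this model, not Xen's feature numbering. */
#define F_IBRSB (1u << 0)
#define F_EIBRS (1u << 1)
#define F_RSBA  (1u << 2)
#define F_RRSBA (1u << 3)

/* Dependencies from the commit message: EIBRS needs IBRSB, RRSBA needs EIBRS. */
static uint32_t apply_deps(uint32_t fs)
{
    if (!(fs & F_IBRSB))
        fs &= ~F_EIBRS;
    if (!(fs & F_EIBRS))
        fs &= ~F_RRSBA;
    return fs;
}

/* Max: both bits set unconditionally; the EIBRS dependency may hide RRSBA. */
uint32_t derive_max(uint32_t host)
{
    return apply_deps(host | F_RSBA | F_RRSBA);
}

/* Default: exactly one bit if the host has any form of RSBA, chosen by
 * whether EIBRS survives into the guest view.  'hidden' (hypothetical) is
 * the set of features withheld from the guest. */
uint32_t derive_default(uint32_t host, uint32_t hidden)
{
    /* Dependency cleanup first, standing in for sanitise_featureset(). */
    uint32_t fs = apply_deps(host & ~hidden) & ~(F_RSBA | F_RRSBA);

    if (host & (F_RSBA | F_RRSBA))
        fs |= (fs & F_EIBRS) ? F_RRSBA : F_RSBA;
    return fs;
}

int main(void)
{
    uint32_t host = F_IBRSB | F_EIBRS | F_RRSBA;   /* constructed sample host */

    printf("max            %#x\n", derive_max(host));
    printf("default        %#x\n", derive_default(host, 0));
    printf("default -EIBRS %#x\n", derive_default(host, F_EIBRS));
    return 0;
}
```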



 

