From: Alexandre Chartre <alexandre.chartre@oracle.com>
To: Nikolay Borisov <nik.borisov@suse.com>,
x86@kernel.org, kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, daniel.sneddon@linux.intel.com,
pawan.kumar.gupta@linux.intel.com, tglx@linutronix.de,
konrad.wilk@oracle.com, peterz@infradead.org,
gregkh@linuxfoundation.org, seanjc@google.com,
andrew.cooper3@citrix.com, dave.hansen@linux.intel.com,
kpsingh@kernel.org, longman@redhat.com, bp@alien8.de,
pbonzini@redhat.com, alexandre.chartre@oracle.com
Subject: Re: [PATCH] KVM: x86: Set BHI_NO in guest when host is not affected by BHI
Date: Thu, 11 Apr 2024 09:49:55 +0200 [thread overview]
Message-ID: <d248fdfb-e89d-409f-97f6-5ded84a5b495@oracle.com> (raw)
In-Reply-To: <18b29bd6-5eb5-4344-b80f-f6a55c18b8ba@suse.com>
On 4/11/24 09:34, Nikolay Borisov wrote:
>
>
> On 11.04.24 г. 10:24 ч., Alexandre Chartre wrote:
>> When a system is not affected by the BHI bug then KVM should
>> configure guests with BHI_NO to ensure they won't enable any
>> BHI mitigation.
>>
>> Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
>> ---
>> arch/x86/kvm/x86.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index 984ea2089efc..f43d3c15a6b7 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -1678,6 +1678,9 @@ static u64 kvm_get_arch_capabilities(void)
>> if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
>> data |= ARCH_CAP_GDS_NO;
>> + if (!boot_cpu_has_bug(X86_BUG_BHI))
>> + data |= ARCH_CAP_BHI_NO;
>> +
>
> But this is already handled since ARCH_CAP_BHI_NO is added to
> KVM_SUPPORTED_ARCH_CAP so when the host caps are read that bit is
> going to be set there, if it's set for the physical cpu of course.
Correct, if the host has ARCH_CAP_BHI_NO then it will be propagated to the
guest. But the host might not have ARCH_CAP_BHI_NO set and not be affected
by BHI.
That's the case for example of Skylake servers: they don't have ARCH_CAP_BHI_NO,
but they are not affected by BHI because they don't have eIBRS. However, a guest
will think it is affected because it doesn't know if eIBRS is present on the
system (because virtualization can hide it).
I tested on Skylake:
Without the patch, both host and guest are running 6.9.0-rc3, then BHI mitigations are:
- Host: BHI: Not affected
- Guest: BHI: SW loop, KVM: SW loop
=> so guest enables BHI SW loop mitigation although host doesn't need mitigation.
With the patch on the host, guest still running 6.9.0-rc3, then BHI mitigations are:
- Host: BHI: Not affected
- Guest: BHI: Not affected
=> now guest doesn't enable BHI mitigation, like the host.
Thanks,
alex.
next prev parent reply other threads:[~2024-04-11 7:50 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-11 7:24 [PATCH] KVM: x86: Set BHI_NO in guest when host is not affected by BHI Alexandre Chartre
2024-04-11 7:34 ` Nikolay Borisov
2024-04-11 7:49 ` Alexandre Chartre [this message]
2024-04-11 7:51 ` Greg KH
2024-04-11 8:00 ` Alexandre Chartre
2024-04-11 7:51 ` Nikolay Borisov
2024-04-11 8:43 ` Andrew Cooper
2024-04-11 9:33 ` Alexandre Chartre
2024-04-11 9:38 ` Andrew Cooper
2024-04-11 11:14 ` Chao Gao
2024-04-11 13:20 ` Alexandre Chartre
2024-04-15 15:14 ` Alexandre Chartre
2024-04-15 17:17 ` Dave Hansen
2024-04-16 8:41 ` Alexandre Chartre
2024-04-25 20:45 ` Konrad Rzeszutek Wilk
2024-04-11 13:22 ` Paolo Bonzini
2024-04-11 13:32 ` Alexandre Chartre
2024-04-11 14:13 ` Andrew Cooper
2024-04-11 14:33 ` Alexandre Chartre
2024-04-11 14:46 ` Paolo Bonzini
2024-04-11 15:12 ` Alexandre Chartre
2024-04-11 15:20 ` Paolo Bonzini
2024-04-11 15:56 ` Chao Gao
2024-04-11 20:50 ` Konrad Rzeszutek Wilk
2024-04-12 3:24 ` Chao Gao
2024-04-12 16:33 ` Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d248fdfb-e89d-409f-97f6-5ded84a5b495@oracle.com \
--to=alexandre.chartre@oracle.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=daniel.sneddon@linux.intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=konrad.wilk@oracle.com \
--cc=kpsingh@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=nik.borisov@suse.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).