Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

- [High] Removing the `calibrate_cpu` override for SEV-SNP Secure TSC guests incorrectly assumes that `cpu_khz` and `tsc_khz` should be decoupled for APERF/MPERF calculations. On AMD architectures, the MPERF register architecturally increments at the P0 frequency, which matches the invariant TSC frequency. The kernel calculates effective frequency using `(cpu_khz * APERF) / MPERF`, so `cpu_khz` must exactly equal the MPERF tick rate (`tsc_khz`) for correct results. Furthermore, because `cpu_khz_from_cpuid()` is disabled for non-Intel CPUs, removing this override forces SEV-SNP guests to fall back to untrusted PV clocks or legacy PIT calibration. PIT calibration involves thousands of I/O port reads, causing `#VC` VMGEXITs that significantly increase boot latency, and forces the guest to trust the hypervisor's timer emulation, violating the security model of Secure TSC.

--
commit d8a832435bc58075d8e63ea3016b822abba9433c
Author: Sean Christopherson <[email protected]>

x86/sev: Don't override CPU frequency calibration for SNP's Secure TSC

This commit removes the override of the CPU frequency calibration routine for SEV-SNP guests using Secure TSC. It asserts that CPU frequency should not be strictly tied to the TSC frequency when features like APERF/MPERF are exposed to the guest.

> diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c > index ed0ac52a765e0..665de1aea0ee9 100644 > --- a/arch/x86/coco/sev/core.c > +++ b/arch/x86/coco/sev/core.c > @@ -2046,7 +2046,6 @@ void __init snp_secure_tsc_init(void) > > snp_tsc_freq_khz = SNP_SCALE_TSC_FREQ(tsc_freq_mhz * 1000, > secrets->tsc_factor); > > - x86_platform.calibrate_cpu = securetsc_get_tsc_khz;

[Severity: High]
Does removing this override lead to incorrect APERF/MPERF effective frequency calculations and boot latency regressions?

On AMD architectures, the MPERF register architecturally increments at the P0 frequency, which matches the invariant TSC frequency. Because the kernel calculates effective frequency using (cpu_khz * APERF) / MPERF, cpu_khz must exactly equal the MPERF tick rate (the TSC frequency) for correct results.

Furthermore, because cpu_khz_from_cpuid() is disabled for non-Intel CPUs, does removing this override force SEV-SNP guests to fall back to untrusted PV clocks or legacy PIT calibration?

Legacy PIT calibration involves thousands of I/O port reads, which cause #VC VMGEXITs. This significantly increases boot latency and forces the guest to trust the hypervisor's timer emulation, which appears to violate the security model of Secure TSC.

> x86_platform.calibrate_tsc = securetsc_get_tsc_khz; > > early_memunmap(mem, PAGE_SIZE);

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=4
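Review bot: In snp_secure_tsc_init(), once the calibrate_cpu assignment is dropped, the remaining "x86_platform.calibrate_tsc = securetsc_get_tsc_khz;" line carries no comment explaining why only the TSC hook is overridden. A short comment above it should state that x86_platform.calibrate_cpu is deliberately left at whatever it was set to before this function runs, and name the source expected to supply the CPU frequency for a Secure TSC guest. That makes the asymmetry between the two hooks reviewable and lets a reader check whether that source is one the guest is meant to trust.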
