On 05/12/2018 08:41, Jan Beulich wrote: >>>> On 04.12.18 at 22:35, <brian.wo...@amd.com> wrote: >> The other thing I don't get is why advertise virtualized SSBD when the >> guest setting it does nothing? If ssbd_opt=true is set, as the code is >> now, why even advertise it to the guest? I'd suggest either allowing >> the guest to turn it off or not advertise it at all (when ssbd_opt = >> true). > I think it's better to advertise the feature nevertheless: Otherwise > the guest might either try some other way of mitigating the > (believed) vulnerability, or it may report in its logs that it's vulnerable > (without mitigation) when it really isn't.
opt_ssbd=true is there for the truly paranoid, and noone uses it in practice. It is a substantial performance hit for a corner case which doesn't really manifest in compiled code (Furthermore, it is a corner case which is far harder to hit on AMD hardware, as memory operands with the same base pointer are guaranteed not to speculatively pass). JIT'ed environments are the ones at risk, and that is why there is a prctl() for fine grained control. The ~100% common case is opt_ssbd=0 from the host administrators point of view, spec_store_bypass_disable=prctl (seriously - when did cmdline options turn into essays?) from the guest kernel's point of view, and certain processes specifically opting into SSBD via prctl(). However, we need MSR_VIRT_SPEC_CTRL to function correctly even when it doesn't have an effect in hardware. One contrived scenario is when a customer has opt_ssbd=0 on one server, and opt_ssbd=1 on the other, and wants VMs to migrate between the two. A more realistic scenario is when a customer has purchased some Rome hardware, and wants to upgrade their systems. They will want to migrate their VMs onto newer hardware, which will involve keeping the guest-visible MSR_VIRT_SPEC_CTRL working as before. Hopefully I'll have default-vs-max CPUID policies working by that point, at which the default policy on Rome should have MSR_SPEC_CTRL, and the max policy have both MSR_SPEC_CTRL and MSR_VIRT_SPEC_CTRL, so we can safely migrate in VMs which are using it, but not offer it by default. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
