On 28/08/2020 09:41, Jan Beulich wrote: > On 27.08.2020 21:37, Andrew Cooper wrote: >> The overhead of (the lack of) MDS_NO alone has been measured at 30% on some >> workloads. While we're not in a position yet to offer MSR_ARCH_CAPS >> generally >> to guests, dom0 doesn't migrate, so we can pass a subset of hardware values >> straight through. >> >> This will cause PVH dom0's not to use KPTI by default, and all dom0's not to >> use VERW flushing by default, > To avoid VERW, shouldn't you also expose SKIP_L1DFL?
SKIP_L1DFL is a software-only bit, specifically for nested virt. It is for Xen to tell an L1 hypervisor "you don't need to flush on vmentry because I'm taking care of it". Longterm, it wants to be nestedhvm_enabled() && opt_l1d_flush, but getting this working cleanly involves moving nested-virt to being a domain creation flat so it isn't 0 during early domain construction. ~Andrew
