On 21.12.2020 17:21, boris.ostrov...@oracle.com wrote: > > On 12/21/20 3:21 AM, Jan Beulich wrote: >> On 18.12.2020 21:43, boris.ostrov...@oracle.com wrote: >>> Can we do something like KVM's ignore_msrs (but probably return 0 on reads >>> to avoid leaks from the system)? It would allow to deal with cases when a >>> guest is suddenly unable to boot after hypervisor update (especially from >>> pre-4.14). It won't help in all cases since some MSRs may be expected to be >>> non-zero but I think it will cover large number of them. (and it will >>> certainly do what Jan is asking above but will not be specific to this >>> particular breakage) >> This would re-introduce the problem with detection (by guests) of certain >> features lacking suitable CPUID bits. Guests would no longer observe the >> expected #GP(0), and hence be at risk of misbehaving. Hence at the very >> least such an option would need to be per-domain rather than (like for >> KVM) global, > > > Yes, of course. > > >> and use of it should then imo be explicitly unsupported. > > > Unsupported or not recommended? There are options that are not recommended > from security perspective but they are still supported. For example, > `spec-ctrl=no` (although it's a global setting)
"Security unsupported", i.e. use of it causing what might look like a security issue would not get an XSA. Jan
