[MODERATED] Re: [PATCH v7 06/10] TAAv7 6

From: Paolo Bonzini <pbonzini@redhat.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH v7 06/10] TAAv7 6
Date: Thu, 24 Oct 2019 22:53:16 +0200	[thread overview]
Message-ID: <8a5f0e97-e258-b58b-2fb5-63f37d2d3abc@redhat.com> (raw)
In-Reply-To: <5dae165e.1c69fb81.4beee.e271SMTPIN_ADDED_BROKEN@mx.google.com>

[-- Attachment #1: Type: text/plain, Size: 2922 bytes --]

On 21/10/19 22:28, speck for Pawan Gupta wrote:
> From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> Subject: [PATCH v7 06/10] KVM: x86/speculation/taa: Export MDS_NO=0 to guests
>  when TSX is enabled
> 
> Export IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX Async
> Abort(TAA) affected hosts that have TSX enabled and updated microcode.
> This is required so that the guests don't complain,
> 
> 	"Vulnerable: Clear CPU buffers attempted, no microcode"
> 
> when the host has the updated microcode to clear CPU buffers.

On one hand, the issue is bigger than that: if TSX is hidden from the
guest's CPUID, then the guest may show that it's not vulnerable, but it
actually is if the guest just tries executing TSX instructions.

On the other hand, removing bits from CPUID or MSRs can cause issues
even if TSX is not enabled in VMs.  Since most VMs won't have MDS_NO
set, I think we should drop this patch for now.  After the embargo lifts
we can add code to pass TSX_CTRL to the VM just like we do for
SPEC_CTRL, including disabling TSX on vmentry/vmexit depending on guest
CPUID.

Paolo

> 
> Microcode update also adds support for MSR_IA32_TSX_CTRL which is
> enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR.
> Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is
> not exported to the guests.
> 
> In this case export MDS_NO=0 to the guests. When guests have
> CPUID.MD_CLEAR=1 guests deploy MDS mitigation which also mitigates TAA.
> 
> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
> ---
>  arch/x86/kvm/x86.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 661e2bf38526..797113fa665d 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -1299,6 +1299,25 @@ static u64 kvm_get_arch_capabilities(void)
>  	if (!boot_cpu_has_bug(X86_BUG_MDS))
>  		data |= ARCH_CAP_MDS_NO;
>  
> +	/*
> +	 * On TAA affected systems, export MDS_NO=0 when:
> +	 *	- TSX is enabled on host, i.e. X86_FEATURE_RTM=1.
> +	 *	- Updated microcode is present. This is detected by
> +	 *	  the presence of ARCH_CAP_TSX_CTRL_MSR. This ensures
> +	 *	  VERW clears CPU buffers.
> +	 *
> +	 * When MDS_NO=0 is exported, guests deploy clear CPU buffer
> +	 * mitigation and don't complain:
> +	 *
> +	 *	"Vulnerable: Clear CPU buffers attempted, no microcode"
> +	 *
> +	 * If TSX is disabled on the system, guests are also mitigated against
> +	 * TAA and clear CPU buffer mitigation is not required for guests.
> +	 */
> +	if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
> +	    (data & ARCH_CAP_TSX_CTRL_MSR))
> +		data &= ~ARCH_CAP_MDS_NO;
> +
>  	return data;
>  }
>  
> 