From: Jan Beulich <jbeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v2 3/3] x86/cpu-policy: Derive RSBA/RRSBA for guest policies
Date: Fri, 2 Jun 2023 12:20:19 +0200 [thread overview]
Message-ID: <1ce6bd53-089e-e8ab-3b54-2720a3fd2c12@suse.com> (raw)
In-Reply-To: <20230601144845.1554589-4-andrew.cooper3@citrix.com>
On 01.06.2023 16:48, Andrew Cooper wrote:
> The RSBA bit, "RSB Alternative", means that the RSB may use alternative
> predictors when empty. From a practical point of view, this mean "Retpoline
> not safe".
>
> Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) is a
> statement that IBRS is implemented in hardware (as opposed to the form
> retrofitted to existing CPUs in microcode).
>
> The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS
> property that predictions are tagged with the mode in which they were learnt.
> Therefore, it means "when eIBRS is active, the RSB may fall back to
> alternative predictors but restricted to the current prediction mode". As
> such, it's stronger statement than RSBA, but still means "Retpoline not safe".
>
> CPUs are not expected to enumerate both RSBA and RRSBA.
>
> Add feature dependencies for EIBRS and RRSBA. While technically they're not
> linked, absolutely nothing good can of letting the guest see RRSBA without
Nit: missing "come"?
> EIBRS. Nor can anything good come of a guest seeing EIBRS without IBRSB.
> Furthermore, we use this dependency to simplify the max derivation logic.
>[...]
> @@ -532,6 +541,21 @@ static void __init calculate_pv_def_policy(void)
> guest_common_default_feature_adjustments(fs);
>
> sanitise_featureset(fs);
> +
> + /*
> + * If the host suffers from RSBA of any form, and the guest can see
> + * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
> + * depending on the visibility of eIBRS.
> + */
> + if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
> + (cpu_has_rsba || cpu_has_rrsba) )
> + {
> + bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
> +
> + __set_bit(eibrs ? X86_FEATURE_RRSBA
> + : X86_FEATURE_RSBA, fs);
> + }
> +
> x86_cpu_featureset_to_policy(fs, p);
> recalculate_xstate(p);
> }
> @@ -664,6 +688,21 @@ static void __init calculate_hvm_def_policy(void)
> __set_bit(X86_FEATURE_VIRT_SSBD, fs);
>
> sanitise_featureset(fs);
> +
> + /*
> + * If the host suffers from RSBA of any form, and the guest can see
> + * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
> + * depending on the visibility of eIBRS.
> + */
> + if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
> + (cpu_has_rsba || cpu_has_rrsba) )
> + {
> + bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
> +
> + __set_bit(eibrs ? X86_FEATURE_RRSBA
> + : X86_FEATURE_RSBA, fs);
> + }
> +
> x86_cpu_featureset_to_policy(fs, p);
> recalculate_xstate(p);
> }
> @@ -786,6 +825,20 @@ void recalculate_cpuid_policy(struct domain *d)
>
> sanitise_featureset(fs);
>
> + /*
> + * If the host suffers from RSBA of any form, and the guest can see
> + * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
> + * depending on the visibility of eIBRS.
> + */
> + if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
> + (cpu_has_rsba || cpu_has_rrsba) )
> + {
> + bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
> +
> + __set_bit(eibrs ? X86_FEATURE_RRSBA
> + : X86_FEATURE_RSBA, fs);
> + }
Now that we have the same code and comment even a 3rd time, surely this
wants to be put in a helper?
What about a tool stack request leading to us setting the 2nd of the two
bits here, while the other was already set? IOW wouldn't we better clear
the other bit explicitly? (Due to the EIBRS dependency or RRSBA I think
this can really only happen when the tool stack requests RSBA+EIBRS, as
the deep deps clearing doesn't know the concept of "negative"
dependencies.)
Similarly what about a tool stack (and ultimately admin) request setting
both RSBA and RRSBA? Wouldn't we better clear the respectively wrong bit
then? People may do this in their guest configs "just to be on the safe
side" (once expressing this in guest configs is possible, of course),
and due to the max policies having both bits set this also won't occur
"automatically".
Jan
next prev parent reply other threads:[~2023-06-02 10:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-01 14:48 [PATCH v2 0/3] x86: RSBA and RRSBA handling Andrew Cooper
2023-06-01 14:48 ` [PATCH v2 1/3] x86/spec-ctrl: Rename retpoline_safe() to retpoline_calculations() Andrew Cooper
2023-06-02 9:37 ` Jan Beulich
2023-06-01 14:48 ` [PATCH v2 2/3] x86/spec-ctrl: Fix up the RSBA/RRSBA bits as appropriate Andrew Cooper
2023-06-02 9:56 ` Jan Beulich
2023-06-02 13:57 ` Andrew Cooper
2023-06-05 7:48 ` Jan Beulich
2023-06-05 7:50 ` Jan Beulich
2023-06-05 9:44 ` Andrew Cooper
2023-06-01 14:48 ` [PATCH v2 3/3] x86/cpu-policy: Derive RSBA/RRSBA for guest policies Andrew Cooper
2023-06-02 10:20 ` Jan Beulich [this message]
2023-06-02 15:29 ` Andrew Cooper
2023-06-02 15:38 ` Andrew Cooper
2023-06-05 8:04 ` Jan Beulich
2023-06-05 8:08 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ce6bd53-089e-e8ab-3b54-2720a3fd2c12@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.