On Thu, Oct 10, 2019 at 05:13:17PM +0100, Mark Rutland wrote:

> So if all the boot-time CPUs have E0PD, we can spawn a VM that starts
> using E0PD, but we might (silently) later migrate it to a CPU without
> E0PD, breaking the security guarantee.

> I think we want this to be STRICT, so that we at least warn in such a
> case.

> More generally than this patch, I suspect we probably want to abort the
> hotplug if we online a CPU that doesn't provide the same guarantees as
> the sys_val for the field.

Right, if we make it STRICT we at least avoid that issue with KVM.

> > +#ifdef CONFIG_ARM64_E0PD
> > + {
> > + .desc = "E0PD",
> > + .capability = ARM64_HAS_E0PD,
> > + .type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE,

> I suspect it would be better to treat this as a system-wide capability,
> as with KPTI, which will make it much easier to reason about.

> That would rule out having E0PD on a subset of CPUs, with or without
> KPTI. With KPTI it's not really necessary, and without KPTI we don't
> have a consistent guarantee, so that sounds reasonable to me.

It does - the main motivation for doing it as a local feature was to
avoid the regression with systems with late CPUs that lack the
capability which Will was concerned about, but I'm not sure how
realistic such systems actually are.
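Review bot: the `.type = ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE` in the ARM64_HAS_E0PD entry lets a late-onlined CPU that lacks E0PD join the system without any warning, which is exactly the silent-migration problem raised above for a guest already running with E0PD. Either make the capability STRICT so the mismatch is at least reported when the CPU comes online, or, as suggested for parity with KPTI, declare it as a system-wide capability so a system where only a subset of CPUs has E0PD never claims the feature at all; the WEAK local type is the one choice that neither warns nor rejects.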