From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linutronix.de (146.0.238.70:993) by crypto-ml.lab.linutronix.de with IMAP4-SSL for ; 15 Jul 2018 13:59:28 -0000 Received: from mx3-rdu2.redhat.com ([66.187.233.73] helo=mx1.redhat.com) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fehXx-0004F9-UW for speck@linutronix.de; Sun, 15 Jul 2018 15:58:46 +0200 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 07B02401EF05 for ; Sun, 15 Jul 2018 13:58:39 +0000 (UTC) Received: from [10.36.116.39] (ovpn-116-39.ams2.redhat.com [10.36.116.39]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5DFE42026D66 for ; Sun, 15 Jul 2018 13:58:38 +0000 (UTC) Subject: [MODERATED] Re: [patch V10 00/10] Control knobs and Documentation 0 References: <20180712141902.576562442@linutronix.de> <6e2b04bb-4786-ae48-1fe8-e1bbdbcd8b92@redhat.com> <20180713172817.GA22875@char.US.ORACLE.com> From: Paolo Bonzini Message-ID: Date: Sun, 15 Jul 2018 15:58:36 +0200 MIME-Version: 1.0 In-Reply-To: <20180713172817.GA22875@char.US.ORACLE.com> Content-Type: multipart/mixed; boundary="aCX8XzO3bW33mM9bcabJx5b1iEDxxjGN0"; protected-headers="v1" To: speck@linutronix.de List-ID: This is an OpenPGP/MIME encrypted message (RFC 4880 and 3156) --aCX8XzO3bW33mM9bcabJx5b1iEDxxjGN0 Content-Type: text/plain; charset=windows-1252 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 13/07/2018 19:28, speck for Konrad Rzeszutek Wilk wrote: > Perhaps: >=20 > diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/ms= r-index.h > index 0e75170..f03ec33 100644 > --- a/arch/x86/include/asm/msr-index.h > +++ b/arch/x86/include/asm/msr-index.h > @@ -70,6 +70,7 @@ > #define MSR_IA32_ARCH_CAPABILITIES 0x0000010a > #define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */= > #define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */ > +#define ARCH_CAP_SKIP_L1DFL_VMENTRY (1 << 3) /* Skip L1DF on VMENTRY= */ If this bit is set, KVM is effectively not vulnerable. I just sent a more complete follow-up, replacing what I had cooked up last Friday. Thanks, Paolo > #define ARCH_CAP_SSB_NO (1 << 4) /* > * Not susceptible to Speculative Store Bypass > * attack, so no Speculative Store Bypass > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c > index c5c0118..5209252 100644 > --- a/arch/x86/kvm/vmx.c > +++ b/arch/x86/kvm/vmx.c > @@ -216,6 +216,15 @@ static int vmx_setup_l1d_flush(enum vmx_l1d_flush_= state l1tf) > l1tf_vmx_mitigation =3D VMENTER_L1D_FLUSH_EPT_DISABLED; > return 0; > } > + if (static_cpu_has(X86_FEATURE_HYPERVISOR) && > + static_cpu_has(X86_FEATURE_FLUSH_L1D) && > + boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) { > + u64 msr; > + > + rdmsrl(MSR_IA32_ARCH_CAPABILITIES, msr); > + if (msr & ARCH_CAP_SKIP_L1DFL_VMENTRY) > + l1tf_vmx_mitigation =3D VMENTER_L1D_FLUSH_NESTED_VM; > + } > =20 > /* If set to auto use the default l1tf mitigation method */ > if (l1tf =3D=3D VMENTER_L1D_FLUSH_AUTO) { >=20 --aCX8XzO3bW33mM9bcabJx5b1iEDxxjGN0--