[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.17 3/4] amd/ssbd: remove hypervisor SSBD selection

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 14 Oct 2022 11:00:10 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CjplBNW+RgXUi+BL/4Ogjbzs6ieH+wtWMYCTOnWjWzg=; b=fp55HboPLeXVK8XmzVh2cCzDKRaMuIns+snUsiBxCoeVaBHtmf0eyg8D/gr1jXfdw+WGDUJsWzngpuu27eJ/KVwnyZ8EFW5vbxQ6+NJTa2haAwjDnJjoPMW0Q6mATeivP0Z+Th+1V/8fHEbjva3HWGT74gk656kIhv86ggozApFL3vfe9AX4i4uT8LjjbKwIZThr8tyNHAJzkAk20x/v56OjXkt+Zo/TzrX9PUlqDXQcI2lznaPKJhPFlenn6qPsbZOeu5C9pBE1r4YELV5Bzgy8L0+RR8bQRSX2nGy7ivT8I7zgOcti0zllOEOpGAr3WfrpcFy0YMmEwrKO2AVJeg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NaN2wjQQOZVEHJZ71X/vI07Fg9G+51Pq76RWskmumBKrMvtqdbv5rwgr7IMg+CAVPXhS8lMM2ALv8sG7XCYjyGap1AmVlTryrLVTPlp9KR6MQfRY+WaTeXDv8QzFT2mWolXevJ3rK8a3hW+tkqrnhu1v3nBqkboc1bOPSPyG/WjlmMEhr3KvZ/BvxrDnJd2BcW4v04Kw3bSqJja25tHXdDZDp09DKsF+pt1GXVVb1OZfScs3Yc2NLmT2Zy6cQVaw0iEvRsBey2aHeItSzWxYRZnsdC19Al5+1BYCpjwOdntSD8oz0Hhx9hrycFp1mtWYmZiWB7yAPO4XszjfMoSb8w==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Henry.Wang@xxxxxxx, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 14 Oct 2022 09:00:23 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 14.10.2022 10:17, Roger Pau Monné wrote:
> On Thu, Oct 13, 2022 at 04:20:45PM +0200, Jan Beulich wrote:
>> On 13.10.2022 15:50, Roger Pau Monné wrote:
>>> On Wed, Oct 12, 2022 at 10:30:45AM +0200, Jan Beulich wrote:
>>>> On 11.10.2022 18:02, Roger Pau Monne wrote:
>>>>> @@ -2365,12 +2365,6 @@ On hardware supporting STIBP (Single Thread 
>>>>> Indirect Branch Predictors), the
>>>>>  By default, Xen will use STIBP when IBRS is in use (IBRS implies STIBP), 
>>>>> and
>>>>>  when hardware hints recommend using it as a blanket setting.
>>>>>  
>>>>> -On hardware supporting SSBD (Speculative Store Bypass Disable), the 
>>>>> `ssbd=`
>>>>> -option can be used to force or prevent Xen using the feature itself.
>>>>
>>>> Why would we want to take away this level of control? Shouldn't we turn 
>>>> this
>>>> on while in Xen if so requested? Which would then either mean enabling it 
>>>> on
>>>> VMEXIT if a guest has it off, or running with it turned on using the OR of
>>>> guest and host settings.
>>>
>>> Right, but then we need to context switch the value on vm{entry,exit}
>>> which is problematic.  I could move the context switch code code out
>>> of the GIF=0 region, and assume that NMIs executing with the guest
>>> selection of SSBD are OK.
>>>
>>> Alternatively setting ssbd= on the command line could be taken as a
>>> value to enforce for the whole system and prevent guest attempts to
>>> change it, not exposing VIRT_SSBD, AMD_SSBD or SSBD (haven't
>>> looked at whether not exposing the SSBD CPUID related to
>>> SPEC_CTRL.SSBD will have impact on other features).
>>
>> That would be my preference (albeit I'm uncertain about the "not exposing"
>> part, as we don't want to misguide guests into thinking they're unsafe or
>> can't guarantee safety when requested by user mode code), but ...
> 
> For ssbd=1 we could expose the SSBD controls, as the guest trying to
> turn it off would have no effect and it would still be protected.
> 
> OTOH if the user sets ssbd=0 on the command line then exposing the
> SSBD controls to the guest would be misleading, as the guest setting
> SSBD will have no effect and thus it won't be protected when it thinks
> it is.

Irrespective of your subsequent reply: Unlike "cpuid=no-ssbd",
"spec-ctrl=no-ssbd" ought to affect only Xen itself:

"On hardware supporting SSBD (Speculative Store Bypass Disable), the `ssbd=`
 option can be used to force or prevent Xen using the feature itself."

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.