Xen project Mailing List

[PATCH 1/2] VMX/cpu-policy: check availability of RDTSCP and INVPCID

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 26 Apr 2023 14:57:53 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OpLaqKMeaT1bmjVi3m3iJaeh3uX4cpagAbFfokRvcts=; b=iL2tP/sn25sqST0bIBBOABKVMgYN1dQbk9N5alJcn19vlqxkQkS27efBuy3+5oKh22Xea1jTMn/+Zjf9ve9ZKyqXqG8/YKS/S1DhKMC5UqWjG7XbUfHMi/oHrIbcsOuo3WJxyZGMm5jUw6l8fLi+8/zf72lmx1NUSv33W1n/FGmtinkVSMRA+kEEHFrgmH0yTUMN5hcgNLqC/lBhx5eDNIWSEaXjPouNDLy6HCra6P4FqU0qAq1gK/hCUAPbBzObBWnjS2t/FvTJYH/M0RMlm5gq+jNgx0l975eCNEu1HVYb+JI57nZDsShoKNEyjNf69FdDNN463tWWZIIErI2WZg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VDyKX6YF40SxYygAlXF6rlt07fDgYTi7F7MMuVSHsqZyYehQ/AWT9pTmB8fWzoRe7beC/glhVkRazmuBjh4euEqQWsjJcXjIVwcSSJbWxafJ0ddXunPCa63JC1qN97MvF8L0vKrjCGH7vsFATFsKNyL/zFoD+V3GAdpfbZZyxp1fGrhySbRwxn8fNmZXPOxj0YBhHEFW1Hhbws0A0Pbp13CKij2+/tGVXDYmuJG/mJxF5Vod2zz8a1dp43BAsgEbOCc3wI5+Cz97yI0MgkV1lUq+os6rW2TtCa0vBQaz54oH4dqC0LCj6DtGs9bPVT1ZAq2yt8gi1ybDRZx2tBMBwg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>

Delivery-date: Wed, 26 Apr 2023 12:58:01 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Both have separate enable bits, which are optional. While on real hardware we can perhaps expect these VMX controls to be available if (and only if) the base CPU feature is available, when running virtualized ourselves this may not be the case. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- Afaics we don't ourselves expose the 1-setting of the two enables. (We also don't constrain guests to set only bits we report as available to set; there's a respective TODO comment in set_vvmcs_virtual_safe().) --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -594,6 +594,12 @@ static void __init calculate_hvm_max_pol */ if ( cpu_has_vmx ) { + if ( !cpu_has_vmx_rdtscp ) + __clear_bit(X86_FEATURE_RDTSCP, fs); + + if ( !cpu_has_vmx_invpcid ) + __clear_bit(X86_FEATURE_INVPCID, fs); + if ( !cpu_has_vmx_mpx ) __clear_bit(X86_FEATURE_MPX, fs); --- a/xen/arch/x86/include/asm/hvm/vmx/vmcs.h +++ b/xen/arch/x86/include/asm/hvm/vmx/vmcs.h @@ -299,6 +299,8 @@ extern u64 vmx_ept_vpid_cap; (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_EPT) #define cpu_has_vmx_dt_exiting \ (vmx_secondary_exec_control & SECONDARY_EXEC_DESCRIPTOR_TABLE_EXITING) +#define cpu_has_vmx_rdtscp \ + (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_RDTSCP) #define cpu_has_vmx_vpid \ (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_VPID) #define cpu_has_monitor_trap_flag \ @@ -314,6 +316,8 @@ extern u64 vmx_ept_vpid_cap; SECONDARY_EXEC_UNRESTRICTED_GUEST) #define cpu_has_vmx_ple \ (vmx_secondary_exec_control & SECONDARY_EXEC_PAUSE_LOOP_EXITING) +#define cpu_has_vmx_invpcid \ + (vmx_secondary_exec_control & SECONDARY_EXEC_ENABLE_INVPCID) #define cpu_has_vmx_apic_reg_virt \ (vmx_secondary_exec_control & SECONDARY_EXEC_APIC_REGISTER_VIRT) #define cpu_has_vmx_virtual_intr_delivery \

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.