Re: Help with Understanding vcpu xstate restore error during vm migration

[Jan Beulich <jbeulich@xxxxxxxx>]

On 15.07.2024 10:22, Fonyuy-Asheri Caleb wrote:
> ----- Original Message -----
>> From: "Jan Beulich" <jbeulich@xxxxxxxx>
>> To: "Fonyuy-Asheri Caleb" <fonyuy-asheri.caleb@xxxxxxxx>
>> Cc: "xen-devel" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" 
>> <andrew.cooper3@xxxxxxxxxx>
>> Sent: Monday, July 15, 2024 10:16:07 AM
>> Subject: Re: Help with Understanding vcpu xstate restore error during vm 
>> migration
> 
>> On 15.07.2024 09:38, Fonyuy-Asheri Caleb wrote:
>>>> Perhaps the more important question, are you booting the skylake with
>>>> cpuid=no-avx on the command line by any chance?
>>>
>>> No. I didn't boot any of the machines with any cpuid modification 
>>> whatsoever.
>>
>> Yet is there perhaps "Mitigating GDS by disabling AVX" in the boot log of
>> the hypervisor (which sadly so far you didn't supply anywhere afaics)?
> 
> I didn't notice that. Unfortunately I no longer have access to the logs to 
> check since I was 
> working on resources I reserved for a limited period.
> 
> However, do you mind telling me what this would mean for my environment?

Hard to tell, depending on what exactly you use that environment for. If
I'm not mistaken (Andrew will surely correct me if I'm wrong), the best
you can do is have such systems run with up-to-date microcode. Which of
course requires you have control over the physical system (to update
firmware) or at least the hypervisor (to hand it a microcode blob to load
while booting). If you had control over only the command line, you could
also choose to ignore the vulnerability and request AVX not to be turned
off ("spec-ctrl=no-gds-mit"). Yet of course you wouldn't want to do this
if you were running any not fully trusted guests.

Jan