Re: [PATCH] x86/amd: Drop allow_unsafe parameter, tune down XSA-9 mitigations

[Teddy Astie <teddy.astie@xxxxxxxxxx>]

Le 04/05/2026 à 12:39, Jan Beulich a écrit :
> On 22.04.2026 18:58, Teddy Astie wrote:
>> @@ -1205,19 +1201,12 @@ static void cf_check init_amd(struct cpuinfo_x86 *c)
>>      if (c->family == 0x10)
>>              __clear_bit(X86_FEATURE_MONITOR, c->x86_capability);
>>   
>> -    if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
>> -            opt_allow_unsafe = 1;
>> -    else if (opt_allow_unsafe < 0)
>> -            panic("Xen will not boot on this CPU for security reasons"
>> -                  "Pass \"allow_unsafe\" if you're trusting all your"
>> -                  " (PV) guest kernels.\n");
>> -    else if (!opt_allow_unsafe && c == &boot_cpu_data)
>> +    if (cpu_has_amd_erratum(c, AMD_ERRATUM_121))
>> +    {
> 
> Nit: Misplaced brace (it's Linux style here). But really I don't see why
> braces are added in the first place.
> 

Yes, they can be removed here.

>>              printk(KERN_WARNING
>> -                   "*** Xen will not allow creation of DomU-s on"
>> -                   " this CPU for security reasons. ***\n"
>> -                   KERN_WARNING
>> -                   "*** Pass \"allow_unsafe\" if you're trusting"
>> -                   " all your (PV) guest kernels. ***\n");
>> +                       "*** This CPU is affected with erratum 121"
>> +                       " 64-bits PV guests are able to cause a DoS (XSA-9) 
>> ***\n");
> 
> Why the change in indentation?
> 

Looks like my editor got confused with the mixed indentation of the 
file. I can fix this case for the next version of the patch.

> There's also punctuation missing between both parts of the log message.
> 

ok

> Jan
> 

Teddy


--
Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech