From: "Luck, Tony" <tony.luck@intel.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH] L1TF KVM ARCH_CAPABILITIES #2
Date: Mon, 16 Jul 2018 13:41:26 -0700 [thread overview]
Message-ID: <20180716204125.GA2000@agluck-desk> (raw)
In-Reply-To: <alpine.DEB.2.21.1807162225060.1693@nanos.tec.linutronix.de>
On Mon, Jul 16, 2018 at 10:31:31PM +0200, speck for Thomas Gleixner wrote:
> The magic PDF says:
>
> A nested VMM that finds IA32_FLUSH_CMD is enumerated should check whether
> IA32_ARCH_CAPABILITIES bit 3 9 (SKIP_L1DFL_VMENTRY) is set, which indicates
> that it is not required to flush L1D on VMENTER.
>
> First-level VMMs which perform an L1D flush before VMENTER may set
> SKIP_L1DFL_VMENTRY in the IA32_ARCH_CAPABILITIES value exposed to guests.
> These VMMs should set SKIP_L1DFL_VMENTRY in any case where a nested VMM may
> be present.
This is intended as an optimization to stop uselessly re-flushing L1D on
entry to a stack of nested VMMs.
E.g. if you are running a VMM "A", which is running a nested VMM "B", which
is running a guest "C". When C does something to cause a VMEXIT we will pop
all the way out to "A". It can take whatever action it needs, and then do
a flush L1D before the VMENTER back into "B".
Now "B" won't need to flush L1D again before doing the VMENTER to get
back into "C".
So it is just a s/w convention to let nested VMMs on systems vulnerable
to L1TF know that they *are* nested VMMs and they can skip just this one
part of mitigation.
-Tony
next prev parent reply other threads:[~2018-07-16 20:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-15 13:57 [MODERATED] [PATCH] L1TF KVM ARCH_CAPABILITIES #0 Paolo Bonzini
2018-07-15 13:57 ` [MODERATED] [PATCH] L1TF KVM ARCH_CAPABILITIES #1 Paolo Bonzini
2018-07-16 14:36 ` [MODERATED] " Konrad Rzeszutek Wilk
2018-07-16 20:02 ` Thomas Gleixner
2018-07-17 11:20 ` [MODERATED] " Paolo Bonzini
2018-07-17 11:28 ` Thomas Gleixner
2018-07-17 17:11 ` [MODERATED] " Paolo Bonzini
2018-07-17 19:23 ` Thomas Gleixner
2018-07-15 13:57 ` [MODERATED] [PATCH] L1TF KVM ARCH_CAPABILITIES #2 Paolo Bonzini
2018-07-16 20:04 ` Thomas Gleixner
2018-07-16 20:31 ` Thomas Gleixner
2018-07-16 20:41 ` Luck, Tony [this message]
2018-07-16 21:13 ` Thomas Gleixner
2018-07-15 13:57 ` [MODERATED] [PATCH] L1TF KVM ARCH_CAPABILITIES #3 Paolo Bonzini
2018-07-15 13:57 ` [MODERATED] [PATCH] L1TF KVM ARCH_CAPABILITIES #4 Paolo Bonzini
2018-07-16 14:58 ` [MODERATED] " Konrad Rzeszutek Wilk
2018-07-16 20:06 ` Thomas Gleixner
2018-07-17 11:14 ` [MODERATED] " Paolo Bonzini
2018-07-16 20:44 ` [MODERATED] Re: [PATCH] L1TF KVM ARCH_CAPABILITIES #0 Konrad Rzeszutek Wilk
2018-07-17 11:22 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180716204125.GA2000@agluck-desk \
--to=tony.luck@intel.com \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.