From: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
To: Teddy Astie <teddy.astie@vates.tech>, <xen-devel@lists.xenproject.org>
Cc: "Oleksii Kurochko" <oleksii.kurochko@gmail.com>,
"Community Manager" <community.manager@xenproject.org>,
"Jan Beulich" <jbeulich@suse.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [PATCH 1/4] x86: Reject CPU policies with vendors other than the host's
Date: Fri, 23 Jan 2026 12:30:33 +0100 [thread overview]
Message-ID: <DFVXNMUYBPUS.JMNJIXEVQ264@amd.com> (raw)
In-Reply-To: <5a96fb6d-ce8b-409e-9050-3499ac90eb65@vates.tech>
On Thu Jan 22, 2026 at 6:13 PM CET, Teddy Astie wrote:
> Le 22/01/2026 à 17:51, Alejandro Vallejo a écrit :
>> While in principle it's possible to have a vendor virtualising another,
>> this is fairly tricky in practice and comes with the world's supply of
>> security issues.
>>
>> Reject any CPU policy with vendors not matching the host's.
>> > Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
>> ---
>> CHANGELOG.md | 4 ++++
>> xen/lib/x86/policy.c | 3 ++-
>> 2 files changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/CHANGELOG.md b/CHANGELOG.md
>> index 18f3d10f20..eae2f961c7 100644
>> --- a/CHANGELOG.md
>> +++ b/CHANGELOG.md
>> @@ -22,6 +22,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
>> - Xenoprofile support. Oprofile themselves removed support for Xen in 2014
>> prior to the version 1.0 release, and there has been no development since
>> before then in Xen.
>> + - Cross-vendor support. Refuse to start domains whose CPU vendor differs> + from the host so that security mitigations stay consistent.
> Cross-vendor
???
>> + setups have been unreliable and not practical since 2017 with the advent of
>> + speculation security.
>>
>
> I don't really like the wording, it sounds like guest will suddenly stop
> to work for some reason. AFAIK, in the Xen Project only suspend/resume
> logic is going to be affected, and we probably want to reflect on that
> instead.
You also won't be able to start a cross vendor VM, which you can do by
manually picking the CPUID leaves in xl.cfg. Though you're right that for the
overwhelming majority of affected users this would manifest as not being able to
restore a saved VM (or not being able to live-migrate, which is effectively the
same thing for this purpose). It's unlikely anyone abuses xl the way I
described.
I'll reword it differently to note the overwhelmingly most affected workflow.
>
>> - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
>> anything useful outside of x86.
>> diff --git a/xen/lib/x86/policy.c b/xen/lib/x86/policy.c
>> index f033d22785..4c0c5386ea 100644
>> --- a/xen/lib/x86/policy.c
>> +++ b/xen/lib/x86/policy.c
>> @@ -15,7 +15,8 @@ int x86_cpu_policies_are_compatible(const struct cpu_policy *host,
>> #define FAIL_MSR(m) \
>> do { e.msr = (m); goto out; } while ( 0 )
>>
>> - if ( guest->basic.max_leaf > host->basic.max_leaf )
>> + if ( (guest->basic.max_leaf > host->basic.max_leaf) ||
>> + (guest->x86_vendor != host->x86_vendor) )
>> FAIL_CPUID(0, NA);
>>
>> if ( guest->feat.max_subleaf > host->feat.max_subleaf )
>
>
>
> --
> Teddy Astie | Vates XCP-ng Developer
>
> XCP-ng & Xen Orchestra - Vates solutions
>
> web: https://vates.tech
next prev parent reply other threads:[~2026-01-23 11:31 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 16:49 [PATCH 0/4] x86: Drop cross-vendor support Alejandro Vallejo
2026-01-22 16:49 ` [PATCH 1/4] x86: Reject CPU policies with vendors other than the host's Alejandro Vallejo
2026-01-22 17:13 ` Teddy Astie
2026-01-23 11:30 ` Alejandro Vallejo [this message]
2026-01-23 16:29 ` Andrew Cooper
2026-01-22 16:49 ` [PATCH 2/4] x86/hvm: Disable non-FEP cross-vendor handling in #UD handler Alejandro Vallejo
2026-01-22 17:28 ` Teddy Astie
2026-01-23 12:28 ` Alejandro Vallejo
2026-01-23 18:40 ` Andrew Cooper
2026-01-26 11:58 ` Alejandro Vallejo
2026-01-28 12:38 ` Alejandro Vallejo
2026-01-22 16:49 ` [PATCH 3/4] x86/hvm: Remove cross-vendor checks from MSR handlers Alejandro Vallejo
2026-01-22 17:34 ` Teddy Astie
2026-01-23 18:35 ` Andrew Cooper
2026-01-26 8:40 ` Jan Beulich
2026-01-26 11:32 ` Alejandro Vallejo
2026-01-22 16:49 ` [PATCH 4/4] x86/svm: Drop emulation of Intel's SYSENTER behaviour Alejandro Vallejo
2026-01-22 17:52 ` Teddy Astie
2026-01-23 12:31 ` Alejandro Vallejo
2026-01-23 18:08 ` Andrew Cooper
2026-01-22 17:10 ` [PATCH 0/4] x86: Drop cross-vendor support Andrew Cooper
2026-01-22 17:42 ` Alejandro Vallejo
2026-01-22 18:16 ` Teddy Astie
2026-01-23 12:10 ` Alejandro Vallejo
2026-01-23 14:05 ` Jan Beulich
2026-01-23 15:45 ` Alejandro Vallejo
2026-01-23 18:25 ` Andrew Cooper
2026-01-22 18:19 ` Andrew Cooper
2026-01-23 11:39 ` Alejandro Vallejo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DFVXNMUYBPUS.JMNJIXEVQ264@amd.com \
--to=alejandro.garciavallejo@amd.com \
--cc=andrew.cooper3@citrix.com \
--cc=community.manager@xenproject.org \
--cc=jbeulich@suse.com \
--cc=oleksii.kurochko@gmail.com \
--cc=roger.pau@citrix.com \
--cc=teddy.astie@vates.tech \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.