From: sashiko-bot@kernel.org
To: "Sean Christopherson" <seanjc@google.com>
Cc: linux-hyperv@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v4 04/47] x86/sev: Don't override CPU frequency calibration for SNP's Secure TSC
Date: Fri, 29 May 2026 15:44:45 +0000 [thread overview]
Message-ID: <20260529154446.255551F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260529144435.704127-5-seanjc@google.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Removing the `calibrate_cpu` override for SEV-SNP Secure TSC guests incorrectly assumes that `cpu_khz` and `tsc_khz` should be decoupled for APERF/MPERF calculations. On AMD architectures, the MPERF register architecturally increments at the P0 frequency, which matches the invariant TSC frequency. The kernel calculates effective frequency using `(cpu_khz * APERF) / MPERF`, so `cpu_khz` must exactly equal the MPERF tick rate (`tsc_khz`) for correct results. Furthermore, because `cpu_khz_from_cpuid()` is disabled for non-Intel CPUs, removing this override forces SEV-SNP guests to fall back to untrusted PV clocks or legacy PIT calibration. PIT calibration involves thousands of I/O port reads, causing `#VC` VMGEXITs that significantly increase boot latency, and forces the guest to trust the hypervisor's timer emulation, violating the security model of Secure TSC.
--
commit d8a832435bc58075d8e63ea3016b822abba9433c
Author: Sean Christopherson <seanjc@google.com>
x86/sev: Don't override CPU frequency calibration for SNP's Secure TSC
This commit removes the override of the CPU frequency calibration routine
for SEV-SNP guests using Secure TSC. It asserts that CPU frequency should
not be strictly tied to the TSC frequency when features like APERF/MPERF
are exposed to the guest.
> diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c
> index ed0ac52a765e0..665de1aea0ee9 100644
> --- a/arch/x86/coco/sev/core.c
> +++ b/arch/x86/coco/sev/core.c
> @@ -2046,7 +2046,6 @@ void __init snp_secure_tsc_init(void)
>
> snp_tsc_freq_khz = SNP_SCALE_TSC_FREQ(tsc_freq_mhz * 1000, secrets->tsc_factor);
>
> - x86_platform.calibrate_cpu = securetsc_get_tsc_khz;
[Severity: High]
Does removing this override lead to incorrect APERF/MPERF effective frequency
calculations and boot latency regressions?
On AMD architectures, the MPERF register architecturally increments at the P0
frequency, which matches the invariant TSC frequency. Because the kernel
calculates effective frequency using (cpu_khz * APERF) / MPERF, cpu_khz
must exactly equal the MPERF tick rate (the TSC frequency) for correct results.
Furthermore, because cpu_khz_from_cpuid() is disabled for non-Intel CPUs,
does removing this override force SEV-SNP guests to fall back to untrusted PV
clocks or legacy PIT calibration?
Legacy PIT calibration involves thousands of I/O port reads, which cause #VC
VMGEXITs. This significantly increases boot latency and forces the guest to
trust the hypervisor's timer emulation, which appears to violate the security
model of Secure TSC.
> x86_platform.calibrate_tsc = securetsc_get_tsc_khz;
>
> early_memunmap(mem, PAGE_SIZE);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260529144435.704127-1-seanjc@google.com?part=4
next prev parent reply other threads:[~2026-05-29 15:44 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-29 14:43 [PATCH v4 00/47] x86: Try to wrangle PV clocks vs. TSC Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 01/47] x86/tsc: Never re-calibrate TSC frequency if its exact timing is known Sean Christopherson
2026-05-30 3:07 ` Borislav Petkov
2026-05-29 14:43 ` [PATCH v4 02/47] x86/tsc: Add a standalone helpers for getting TSC info from CPUID.0x15 Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 03/47] x86/sev: Mark TSC as reliable when configuring Secure TSC Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 04/47] x86/sev: Don't override CPU frequency calibration for SNP's " Sean Christopherson
2026-05-29 15:44 ` sashiko-bot [this message]
2026-05-29 14:43 ` [PATCH v4 05/47] x86/sev: Move check for SNP Secure TSC support to tsc_early_init() Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 06/47] x86/sev: Shove SNP's secure/trusted TSC frequency directly into "calibration" Sean Christopherson
2026-05-29 16:14 ` sashiko-bot
2026-05-29 16:23 ` Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 07/47] x86/tdx: Force TSC frequency with CPUID-based info provided by the TDX-Module Sean Christopherson
2026-05-29 16:21 ` sashiko-bot
2026-05-29 16:59 ` Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 08/47] x86/tsc: Add dedicated hypervisor hooks for getting known TSC/CPU frequencies Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 09/47] x86/acrn: Mark TSC frequency as known when using ACRN for calibration Sean Christopherson
2026-05-29 16:40 ` sashiko-bot
2026-05-29 17:01 ` Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 10/47] x86/tsc: Consolidate forcing of X86_FEATURE_TSC_KNOWN_FREQ for PV code Sean Christopherson
2026-05-29 19:01 ` sashiko-bot
2026-05-29 14:43 ` [PATCH v4 11/47] x86/tsc: Kill off x86_platform_ops.calibrate_{cpu,tsc}() hooks Sean Christopherson
2026-05-29 14:43 ` [PATCH v4 12/47] x86/tsc: Rename pit_hpet_ptimer_calibrate_cpu() => native_calibrate_cpu_late() Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 13/47] x86/tsc: Fold native_calibrate_cpu() into recalibrate_cpu_khz() Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 14/47] x86/kvmclock: Rename kvm_get_tsc_khz() to kvmclock_get_tsc_khz() Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 15/47] KVM: x86: Officially define CPUID 0x40000010 as PV Timing Info (TSC and Bus) Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 16/47] x86/kvm: Obtain TSC frequency from PV CPUID if present Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 17/47] x86/kvm: Mark TSC as reliable when it's constant and nonstop Sean Christopherson
2026-05-29 18:12 ` sashiko-bot
2026-05-29 18:57 ` Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 18/47] x86/kvm: Get local APIC bus frequency from PV CPUID Timing Info Sean Christopherson
2026-05-29 18:12 ` sashiko-bot
2026-05-29 18:24 ` Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 19/47] x86/tsc: Add standalone helper for getting CPU frequency from CPUID Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 20/47] x86/kvm: Get CPU base frequency from CPUID when it's available Sean Christopherson
2026-05-30 6:24 ` sashiko-bot
2026-05-29 14:44 ` [PATCH v4 21/47] x86/xen: Obtain TSC frequency from CPUID if present Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 22/47] clocksource: hyper-v: Register sched_clock save/restore iff it's necessary Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 23/47] clocksource: hyper-v: Drop wrappers to sched_clock save/restore helpers Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 24/47] clocksource: hyper-v: Don't save/restore TSC offset when using HV sched_clock Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 25/47] x86/kvmclock: Setup kvmclock for secondary CPUs iff CONFIG_SMP=y Sean Christopherson
2026-05-29 14:44 ` [PATCH v4 26/47] x86/kvm: Don't disable kvmclock on BSP in syscore_suspend() Sean Christopherson
2026-05-30 7:08 ` sashiko-bot
2026-05-29 15:06 ` [PATCH v4 27/47] x86/paravirt: Remove unnecessary PARAVIRT=n stub for paravirt_set_sched_clock() Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 28/47] x86/paravirt: Move handling of unstable PV clocks into paravirt_set_sched_clock() Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 29/47] x86/kvmclock: Move sched_clock save/restore helpers up in kvmclock.c Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 30/47] x86/xen/time: NOP-ify x86_platform's sched_clock save/restore hooks Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 31/47] x86/vmware: NOP-ify save/restore hooks when using VMware's sched_clock Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 32/47] x86/tsc: WARN if TSC sched_clock save/restore used with PV sched_clock Sean Christopherson
2026-05-29 15:07 ` [PATCH v4 33/47] x86/paravirt: Pass sched_clock save/restore helpers during registration Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 34/47] x86/kvmclock: Move kvm_sched_clock_init() down in kvmclock.c Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 35/47] x86/xen/time: Mark xen_setup_vsyscall_time_info() as __init Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 36/47] x86/pvclock: Mark setup helpers and related various as __init/__ro_after_init Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 37/47] x86/pvclock: WARN if pvclock's valid_flags are overwritten Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 38/47] x86/kvmclock: Refactor handling of PVCLOCK_TSC_STABLE_BIT during kvmclock_init() Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 39/47] timekeeping: Resume clocksources before reading persistent clock Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 40/47] x86/kvmclock: Hook clocksource.suspend/resume when kvmclock isn't sched_clock Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 41/47] x86/kvmclock: WARN if wall clock is read while kvmclock is suspended Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 42/47] x86/paravirt: Mark __paravirt_set_sched_clock() as __init Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 43/47] x86/paravirt: Plumb a return code into __paravirt_set_sched_clock() Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 44/47] x86/paravirt: Don't use a PV sched_clock in CoCo guests with trusted TSC Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 45/47] x86/kvmclock: Use TSC for sched_clock if it's constant and non-stop Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 46/47] x86/kvmclock: Plumb in AP-online and BSP-resume to kvmlock, for documentation Sean Christopherson
2026-05-29 15:08 ` [PATCH v4 47/47] x86/paravirt: Move using_native_sched_clock() stub into timer.h Sean Christopherson
2026-05-29 15:10 ` [PATCH v4 00/47] x86: Try to wrangle PV clocks vs. TSC Sean Christopherson
2026-05-29 15:17 ` Jürgen Groß
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260529154446.255551F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-hyperv@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=seanjc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox