From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Christophe de Dinechin <christophe.de.dinechin@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
David Woodhouse <dwmw2@infradead.org>,
Arjan van de Ven <arjan@linux.intel.com>,
Eduardo Habkost <ehabkost@redhat.com>,
KarimAllah Ahmed <karahmed@amazon.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andi Kleen <ak@linux.intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Andy Lutomirski <luto@kernel.org>,
Ashok Raj <ashok.raj@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Borislav Petkov <bp@suse.de>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
Joerg Roedel <joro@8bytes.org>,
Subject: Re: [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure
Date: Tue, 30 Jan 2018 15:52:09 +0100 [thread overview]
Message-ID: <6a2713b1-74e7-53db-527d-d77cc4394f61@de.ibm.com> (raw)
In-Reply-To: <F3EF5343-C86F-4242-B254-20EF26BAB96C@dinechin.org>
On 01/30/2018 03:46 PM, Christophe de Dinechin wrote:
>
>
>> On 30 Jan 2018, at 13:11, Christian Borntraeger <borntraeger@de.ibm.com> wrote:
>>
>>
>>
>> On 01/30/2018 01:23 AM, Linus Torvalds wrote:
>> [...]
>>>
>>> So I actually have a _different_ question to the virtualization
>>> people. This includes the vmware people, but it also obviously
>>> incldues the Amazon AWS kind of usage.
>>>
>>> When you're a hypervisor (whether vmware or Amazon), why do you even
>>> end up caring about these things so much? You're protected from
>>> meltdown thanks to the virtual environment already having separate
>>> page tables. And the "big hammer" approach to spectre would seem to
>>> be to just make sure the BTB and RSB are flushed at vmexit time - and
>>> even then you might decide that you really want to just move it to
>>> vmenter time, and only do it if the VM has changed since last time
>>> (per CPU).
>>>
>>> Why do you even _care_ about the guest, and how it acts wrt Skylake?
>>> What you should care about is not so much the guests (which do their
>>> own thing) but protect guests from each other, no?
>>>
>>> So I'm a bit mystified by some of this discussion within the context
>>> of virtual machines. I think that is separate from any measures that
>>> the guest machine may then decide to partake in.
>>>
>>> If you are ever going to migrate to Skylake, I think you should just
>>> always tell the guests that you're running on Skylake. That way the
>>> guests will always assume the worst case situation wrt Specte.
>>>
>>> Maybe that mystification comes from me missing something.
>>
>> I can only speak for KVM, but I think the hypervisor issues come from
>> the fact that for migration purposes the hypervisor "lies" to the guest
>> in regard to what kind of CPU is running. (it has to lie, see below).
>>
>> This is to avoid random guest crashes by not announcing features. For
>> example if you want to migrate forth and back between a system that
>> has AVX512 and another one that has not you must tell the guest that
>> AVX512 is not available - even if it runs on the capable system.
>>
>> To protect against new features the hypervisor only announces features
>> that it understands.
>> So you essentially start a VM in QEMU of a given CPU type that is
>> constructed of a base cpu type plus extra features. Before migration,
>> it is checked if he target system can run a guest of given type -
>> otherwise migration is rejected.
>>
>> The management stack also knows things like baselining - basically
>> creating the best possible guest CPU given a set of hosts.
>>
>> The problem now is: If you have lets say Broadwell and Skylakes.
>> What kind of CPU type are you telling your guest? If you claim
>> broadwell but run on skylake then you prevent that the guest can
>> protect itself, because the guest does not know that it should do
>> something special. If you say skylake the guest might start using
>> features that broadwell does not understand.
>
> I believe that Linus’ question was whether it makes sense to defer
> the entirety of the protection to the host kernel, although I was a bit
> confused by his suggestion to always assume Skylake.
>
> In other words, is it safe enough to rely on the host kernel countermeasure
> to protect guest kernels and their applications? In which case having
> the guest believe it runs on Broadwell would not be that problematic.
>
> Aren’t there enough vmexits on the guest kernel context switch
> to enforce protection on its behalf? Even if it’s
>
> a) some old kernel that without mitigation code
>
> or
>
> b) some new kernel that thinks it runs on an old CPU and disabled mitigation
>
I think it is not safe to just protect the host. CPU bound workload in the guest
will switch a lot between guest user and guest kernel without triggering an
exit.
next prev parent reply other threads:[~2018-01-30 14:52 UTC|newest]
Thread overview: 135+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-20 19:22 [RFC 00/10] Speculation Control feature support KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 01/10] x86/speculation: Add basic support for IBPB KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 02/10] x86/kvm: Add IBPB support KarimAllah Ahmed
2018-01-20 20:18 ` Woodhouse, David
2018-01-22 18:56 ` Jim Mattson
2018-01-22 19:31 ` Jim Mattson
2018-01-20 19:22 ` [RFC 03/10] x86/speculation: Use Indirect Branch Prediction Barrier in context switch KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 04/10] x86/mm: Only flush indirect branches when switching into non dumpable process KarimAllah Ahmed
2018-01-20 21:06 ` Woodhouse, David
2018-01-22 18:29 ` Tim Chen
2018-01-21 11:22 ` Peter Zijlstra
2018-01-21 12:04 ` David Woodhouse
2018-01-21 14:07 ` H.J. Lu
2018-01-22 10:19 ` Peter Zijlstra
2018-01-22 10:23 ` David Woodhouse
2018-01-21 16:21 ` Ingo Molnar
2018-01-21 16:25 ` Arjan van de Ven
2018-01-21 22:20 ` Woodhouse, David
2018-01-29 6:35 ` Jon Masters
2018-01-29 14:07 ` Peter Zijlstra
2018-01-20 19:22 ` [RFC 05/10] x86/speculation: Add basic IBRS support infrastructure KarimAllah Ahmed
2018-01-21 14:31 ` Thomas Gleixner
2018-01-21 14:56 ` Borislav Petkov
2018-01-22 9:51 ` Peter Zijlstra
2018-01-22 12:06 ` Borislav Petkov
2018-01-22 13:30 ` Greg Kroah-Hartman
2018-01-22 13:36 ` Woodhouse, David
2018-01-21 15:25 ` David Woodhouse
2018-01-23 20:58 ` David Woodhouse
2018-01-24 8:47 ` Peter Zijlstra
2018-01-24 9:02 ` David Woodhouse
2018-01-24 9:10 ` Greg Kroah-Hartman
2018-01-24 15:09 ` Arjan van de Ven
2018-01-24 15:18 ` David Woodhouse
2018-01-24 9:34 ` Peter Zijlstra
2018-01-24 10:49 ` Henrique de Moraes Holschuh
2018-01-24 12:30 ` David Woodhouse
2018-01-24 12:14 ` David Woodhouse
2018-01-24 12:29 ` Peter Zijlstra
2018-01-24 12:58 ` David Woodhouse
2018-01-29 20:14 ` [RFC,05/10] " Eduardo Habkost
2018-01-29 20:17 ` David Woodhouse
2018-01-29 20:42 ` Eduardo Habkost
2018-01-29 20:44 ` Arjan van de Ven
2018-01-29 21:02 ` David Woodhouse
2018-01-29 21:37 ` Jim Mattson
2018-01-29 21:50 ` Eduardo Habkost
2018-01-29 22:12 ` Jim Mattson
2018-01-30 1:22 ` Eduardo Habkost
2018-01-29 22:25 ` Andi Kleen
2018-01-30 1:37 ` Eduardo Habkost
2018-01-29 21:37 ` Andi Kleen
2018-01-29 21:44 ` Eduardo Habkost
2018-01-29 22:10 ` Konrad Rzeszutek Wilk
2018-01-30 1:12 ` Eduardo Habkost
2018-01-30 0:23 ` Linus Torvalds
2018-01-30 1:03 ` Jim Mattson
2018-01-30 3:13 ` Andi Kleen
2018-01-31 15:03 ` Paolo Bonzini
2018-01-31 15:07 ` Dr. David Alan Gilbert
2018-01-30 1:32 ` Arjan van de Ven
2018-01-30 3:32 ` Linus Torvalds
2018-01-30 12:04 ` Eduardo Habkost
2018-01-30 13:54 ` Arjan van de Ven
2018-01-30 8:22 ` David Woodhouse
2018-01-30 11:35 ` David Woodhouse
2018-01-30 11:56 ` Dr. David Alan Gilbert
2018-01-30 12:11 ` Christian Borntraeger
2018-01-30 14:46 ` Christophe de Dinechin
2018-01-30 14:52 ` Christian Borntraeger [this message]
2018-01-30 14:56 ` Christophe de Dinechin
2018-01-30 15:33 ` Christian Borntraeger
2018-01-30 20:46 ` Alan Cox
2018-01-31 10:05 ` Christophe de Dinechin
2018-01-31 10:15 ` Thomas Gleixner
2018-01-31 11:04 ` Dr. David Alan Gilbert
2018-01-31 11:52 ` Borislav Petkov
2018-01-31 12:30 ` Dr. David Alan Gilbert
2018-01-31 13:18 ` Borislav Petkov
2018-01-31 14:04 ` Dr. David Alan Gilbert
2018-01-31 14:44 ` Eduardo Habkost
2018-01-31 16:28 ` Borislav Petkov
2018-01-31 11:07 ` Christophe de Dinechin
2018-01-31 15:00 ` Eduardo Habkost
2018-01-31 15:11 ` Arjan van de Ven
2018-01-31 10:03 ` [RFC 05/10] " Christophe de Dinechin
2018-01-20 19:22 ` [RFC 06/10] x86/speculation: Add inlines to control Indirect Branch Speculation KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 07/10] x86: Simplify spectre_v2 command line parsing KarimAllah Ahmed
2018-01-20 19:22 ` [RFC 08/10] x86/idle: Control Indirect Branch Speculation in idle KarimAllah Ahmed
2018-01-20 19:23 ` [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation KarimAllah Ahmed
2018-01-21 19:14 ` Andy Lutomirski
2018-01-23 16:12 ` Tom Lendacky
2018-01-23 16:20 ` Woodhouse, David
2018-01-23 22:37 ` Tom Lendacky
2018-01-23 22:49 ` Andi Kleen
2018-01-23 23:14 ` Woodhouse, David
2018-01-23 23:22 ` Andi Kleen
2018-01-24 0:47 ` Tim Chen
2018-01-24 1:00 ` Andy Lutomirski
2018-01-24 1:22 ` David Woodhouse
2018-01-24 1:59 ` Van De Ven, Arjan
2018-01-24 3:25 ` Andy Lutomirski
[not found] ` <CA+55aFxUEPHc7JRQG3zmxEsfmfJOiJa1QqFBKCBNb5Tt5vfiSg@mail.gmail.com>
2018-01-21 20:28 ` David Woodhouse
2018-01-21 21:35 ` Linus Torvalds
2018-01-21 22:00 ` David Woodhouse
2018-01-21 22:27 ` Linus Torvalds
2018-01-22 16:27 ` David Woodhouse
2018-01-23 7:29 ` Ingo Molnar
2018-01-23 7:53 ` Ingo Molnar
2018-01-23 9:27 ` Ingo Molnar
2018-01-23 9:37 ` David Woodhouse
2018-01-23 15:01 ` Dave Hansen
2018-01-23 9:30 ` David Woodhouse
2018-01-23 10:15 ` Ingo Molnar
2018-01-23 10:27 ` David Woodhouse
2018-01-23 10:44 ` Ingo Molnar
2018-01-23 10:23 ` Ingo Molnar
2018-02-04 18:43 ` Thomas Gleixner
2018-02-04 20:22 ` David Woodhouse
2018-02-06 9:14 ` David Woodhouse
2018-01-23 20:16 ` Pavel Machek
2018-01-20 19:23 ` [RFC 10/10] x86/enter: Use IBRS on syscall and interrupts KarimAllah Ahmed
2018-01-21 13:50 ` Konrad Rzeszutek Wilk
2018-01-21 14:40 ` KarimAllah Ahmed
2018-01-21 17:22 ` Dave Hansen
2018-01-21 14:02 ` [RFC 00/10] Speculation Control feature support Konrad Rzeszutek Wilk
2018-01-22 21:27 ` David Woodhouse
-- strict thread matches above, loose matches on Subject: below --
2018-01-29 22:29 [RFC,05/10] x86/speculation: Add basic IBRS support infrastructure David Dunn
2018-01-29 22:41 ` Andi Kleen
2018-01-29 22:49 ` Jim Mattson
2018-01-30 1:10 ` Eduardo Habkost
2018-01-30 1:20 ` David Dunn
2018-01-30 1:30 ` Eduardo Habkost
2018-01-29 23:51 ` Fred Jacobs
2018-01-30 1:08 ` Eduardo Habkost
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6a2713b1-74e7-53db-527d-d77cc4394f61@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=Janakarajan.Natarajan@amd.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=ashok.raj@intel.com \
--cc=asit.k.mallick@intel.com \
--cc=bp@suse.de \
--cc=christophe.de.dinechin@gmail.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@intel.com \
--cc=dwmw2@infradead.org \
--cc=ehabkost@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=joro@8bytes.org \
--cc=karahmed@amazon.de \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).