From: Jon Kohler <jon@nutanix.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Jonathan Corbet <corbet@lwn.net>, Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Brian Gerst <brgerst@gmail.com>,
Brendan Jackman <jackmanb@google.com>,
"Ahmed S. Darwish" <darwi@linutronix.de>,
Alexandre Chartre <alexandre.chartre@oracle.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Jon Kohler <jon@nutanix.com>
Subject: [PATCH] x86/its: use Sapphire Rapids+ feature to opt out
Date: Thu, 16 Oct 2025 18:12:49 -0700 [thread overview]
Message-ID: <20251017011253.2937710-1-jon@nutanix.com> (raw)
A VMM may not expose ITS_NO or BHI_CTL, so guests cannot rely on those
bits to determine whether they might be migrated to ITS-affected
hardware. Rather than depending on a control that may be absent, detect
ITS-unaffected hosts via a CPU feature that is exclusive to Sapphire
Rapids and newer processors.
Use X86_FEATURE_BUS_LOCK_DETECT as the canary: it is present on
Sapphire Rapids+ parts and provides a reliable indicator that the guest
won't be moved to ITS-affected hardware. This avoids false negatives
caused by VMMs that omit ITS_NO or BHI_CTL. For example, QEMU added
bhi-ctrl only in v9.2.0 [1], well after adding the Sapphire Rapids
model in v8.0.0 [2].
[1] 10eaf9c0fb7 ("target/i386: Add more features enumerated by CPUID.7.2.EDX")
[2] 7eb061b06e9 ("i386: Add new CPU model SapphireRapids")
Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Fixes: 159013a7ca1 ("x86/its: Enumerate Indirect Target Selection (ITS) bug")
Signed-off-by: Jon Kohler <jon@nutanix.com>
---
.../admin-guide/hw-vuln/indirect-target-selection.rst | 5 +++--
arch/x86/kernel/cpu/common.c | 6 ++++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
index d9ca64108d23..3cfe4b9f9bd0 100644
--- a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
+++ b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
@@ -98,8 +98,9 @@ Mitigation in guests
^^^^^^^^^^^^^^^^^^^^
All guests deploy ITS mitigation by default, irrespective of eIBRS enumeration
and Family/Model of the guest. This is because eIBRS feature could be hidden
-from a guest. One exception to this is when a guest enumerates BHI_DIS_S, which
-indicates that the guest is running on an unaffected host.
+from a guest. One exception to this is when a guest enumerates BHI_DIS_S or
+BUS_LOCK_DETECT, either of which indicates that the guest is running on an
+unaffected host and would not be migratable to an affected host.
To prevent guests from unnecessarily deploying the mitigation on unaffected
platforms, Intel has defined ITS_NO bit(62) in MSR IA32_ARCH_CAPABILITIES. When
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c7d3512914ca..3de4b51d8681 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1361,9 +1361,11 @@ static bool __init vulnerable_to_its(u64 x86_arch_cap_msr)
/*
* If a VMM did not expose ITS_NO, assume that a guest could
* be running on a vulnerable hardware or may migrate to such
- * hardware.
+ * hardware, except in the situation where the guest is presented
+ * with a feature that only exists in non-vulnerable hardware.
*/
- if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
+ if (boot_cpu_has(X86_FEATURE_HYPERVISOR) ||
+ boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
return true;
if (cpu_matches(cpu_vuln_blacklist, ITS))
--
2.43.0
next reply other threads:[~2025-10-17 0:34 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-17 1:12 Jon Kohler [this message]
2025-10-20 15:48 ` [PATCH] x86/its: use Sapphire Rapids+ feature to opt out Sean Christopherson
2025-10-20 16:05 ` Jon Kohler
2025-10-20 16:21 ` Dave Hansen
2025-10-20 16:26 ` Jon Kohler
2025-10-20 19:26 ` Pawan Gupta
2025-10-20 19:38 ` Jon Kohler
2025-10-20 19:53 ` Pawan Gupta
2025-10-20 20:29 ` Jon Kohler
2025-10-20 19:44 ` Pawan Gupta
2025-10-20 19:54 ` Jon Kohler
2025-10-20 20:40 ` Pawan Gupta
2025-10-20 21:02 ` Jon Kohler
2025-10-20 22:09 ` Dave Hansen
2025-10-20 22:41 ` Pawan Gupta
2025-10-21 13:40 ` Jon Kohler
2025-10-21 14:01 ` Dave Hansen
2025-10-21 14:39 ` Jon Kohler
2025-10-21 15:21 ` Dave Hansen
2025-10-21 15:40 ` Jon Kohler
2025-10-21 15:27 ` Konrad Rzeszutek Wilk
2025-10-21 15:35 ` Jon Kohler
2025-10-21 15:46 ` Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251017011253.2937710-1-jon@nutanix.com \
--to=jon@nutanix.com \
--cc=alexandre.chartre@oracle.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=corbet@lwn.net \
--cc=darwi@linutronix.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jackmanb@google.com \
--cc=jpoimboe@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox