Re: [PATCH] x86/its: use Sapphire Rapids+ feature to opt out

[Sean Christopherson <seanjc@google.com>]

On Thu, Oct 16, 2025, Jon Kohler wrote:
> A VMM may not expose ITS_NO or BHI_CTL, so guests cannot rely on those
> bits to determine whether they might be migrated to ITS-affected
> hardware. Rather than depending on a control that may be absent, detect
> ITS-unaffected hosts via a CPU feature that is exclusive to Sapphire
> Rapids and newer processors.
> 
> Use X86_FEATURE_BUS_LOCK_DETECT as the canary: it is present on
> Sapphire Rapids+ parts and provides a reliable indicator that the guest
> won't be moved to ITS-affected hardware. This avoids false negatives
> caused by VMMs that omit ITS_NO or BHI_CTL. For example, QEMU added
> bhi-ctrl only in v9.2.0 [1], well after adding the Sapphire Rapids
> model in v8.0.0 [2].
> 
> [1] 10eaf9c0fb7 ("target/i386: Add more features enumerated by CPUID.7.2.EDX")
> [2] 7eb061b06e9 ("i386: Add new CPU model SapphireRapids")
> 
> Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
> Fixes: 159013a7ca1 ("x86/its: Enumerate Indirect Target Selection (ITS) bug")
> Signed-off-by: Jon Kohler <jon@nutanix.com>
> ---
>  .../admin-guide/hw-vuln/indirect-target-selection.rst       | 5 +++--
>  arch/x86/kernel/cpu/common.c                                | 6 ++++--
>  2 files changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> index d9ca64108d23..3cfe4b9f9bd0 100644
> --- a/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> +++ b/Documentation/admin-guide/hw-vuln/indirect-target-selection.rst
> @@ -98,8 +98,9 @@ Mitigation in guests
>  ^^^^^^^^^^^^^^^^^^^^
>  All guests deploy ITS mitigation by default, irrespective of eIBRS enumeration
>  and Family/Model of the guest. This is because eIBRS feature could be hidden
> -from a guest. One exception to this is when a guest enumerates BHI_DIS_S, which
> -indicates that the guest is running on an unaffected host.
> +from a guest. One exception to this is when a guest enumerates BHI_DIS_S or
> +BUS_LOCK_DETECT, either of which indicates that the guest is running on an
> +unaffected host and would not be migratable to an affected host.
>  
>  To prevent guests from unnecessarily deploying the mitigation on unaffected
>  platforms, Intel has defined ITS_NO bit(62) in MSR IA32_ARCH_CAPABILITIES. When
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index c7d3512914ca..3de4b51d8681 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -1361,9 +1361,11 @@ static bool __init vulnerable_to_its(u64 x86_arch_cap_msr)
>  	/*
>  	 * If a VMM did not expose ITS_NO, assume that a guest could
>  	 * be running on a vulnerable hardware or may migrate to such
> -	 * hardware.
> +	 * hardware, except in the situation where the guest is presented
> +	 * with a feature that only exists in non-vulnerable hardware.
>  	 */
> -	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
> +	if (boot_cpu_has(X86_FEATURE_HYPERVISOR) ||
> +	    boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))

Uh, don't you want something like this?

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c7d3512914ca..8c4bc9b5d8ed 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1364,7 +1364,7 @@ static bool __init vulnerable_to_its(u64 x86_arch_cap_msr)
         * hardware.
         */
        if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
-               return true;
+               return !boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT);
 
        if (cpu_matches(cpu_vuln_blacklist, ITS))
                return true;

Functionality aside, this is quite heinous.  I don't see why the answer isn't
"Fix the VMM to specify ITS_NO".