From: Dave Hansen
Date: Thu, 20 Jul 2023 15:24:33 -0700
Subject: Re: [PATCH RFC v9 08/51] x86/speculation: Do not enable Automatic IBRS if SEV SNP is enabled
To: Kim Phillips, Michael Roth, kvm@vger.kernel.org
Cc: linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, tglx@linutronix.de, mingo@redhat.com, jroedel@suse.de, thomas.lendacky@amd.com, hpa@zytor.com, ardb@kernel.org, pbonzini@redhat.com, seanjc@google.com, vkuznets@redhat.com, jmattson@google.com, luto@kernel.org, dave.hansen@linux.intel.com, slp@redhat.com, pgonda@google.com, peterz@infradead.org, srinivas.pandruvada@linux.intel.com, rientjes@google.com, dovmurik@linux.ibm.com, tobin@ibm.com, bp@alien8.de, vbabka@suse.cz, kirill@shutemov.name, ak@linux.intel.com, tony.luck@intel.com, marcorr@google.com, sathyanarayanan.kuppuswamy@linux.intel.com, alpergun@google.com, dgilbert@redhat.com, jarkko@kernel.org, ashish.kalra@amd.com, nikunj.dadhania@amd.com, liam.merwick@oracle.com, zhi.a.wang@intel.com

On 7/20/23 12:11, Kim Phillips wrote:
> Hopefully the commit text in this version will help answer all your
> questions?:

To be honest, it didn't really. I kinda feel like I was having the APM
contents tossed casually in my direction rather than being provided a
fully considered explanation.

Here's what I came up with instead:

	Host-side Automatic IBRS has different behavior based on whether
	SEV-SNP is enabled.

	Without SEV-SNP, Automatic IBRS protects only the kernel. But when
	SEV-SNP is enabled, the Automatic IBRS protection umbrella widens
	to all host-side code, including userspace. This protection comes
	at a cost: reduced userspace indirect branch performance.

	To avoid this performance loss, nix using Automatic IBRS on
	SEV-SNP hosts. Fall back to retpolines instead.

=====

Is that about right?

I don't think any chit-chat about the guest side is even relevant.

This also absolutely needs a comment. Perhaps just pull the code up to
the top level of the function and do this:

	/*
	 * Automatic IBRS imposes unacceptable overhead on host
	 * userspace for SEV-SNP systems. Zap it instead.
	 */
	if (cpu_feature_enabled(X86_FEATURE_SEV_SNP))
		setup_clear_cpu_cap(X86_FEATURE_AUTOIBRS);

BTW, I assume you've grumbled to folks about this. It's an awful shame
the hardware (or ucode) was built this way. It's just throwing Automatic
IBRS out the window because it's not architected in a nice way.

Is there any plan to improve this?
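
The distinction discussed in the mail above (Automatic IBRS versus the retpoline fallback on an SEV-SNP host) can be observed on a running host from the kernel's spectre_v2 status line. The following is an added example, not part of the original mail or of the patch series; the kvm_amd `sev_snp` parameter path is an assumption about where a given kernel reports SNP state, and the status strings used to exercise it are constructed samples.

```shell
#!/bin/sh
# Report which Spectre v2 mitigation a host ended up with, and flag the
# combination the mail above wants to avoid (Automatic IBRS on an SNP host).

SPECTRE_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2
# Assumption: kvm_amd reports SEV-SNP state as a Y/N module parameter here.
SNP_PARAM=/sys/module/kvm_amd/parameters/sev_snp

# classify_spectre_v2 STATUS SNP
#   STATUS: contents of the spectre_v2 sysfs file
#   SNP:    "Y" if SEV-SNP is enabled on the host, anything else otherwise
classify_spectre_v2() {
    case $1 in
        *"Automatic IBRS"*|*"Enhanced IBRS"*) mode=ibrs ;;
        *etpoline*)      mode=retpoline ;;
        "Not affected"*) mode=not-affected ;;
        Vulnerable*)     mode=vulnerable ;;
        *)               mode=unknown ;;
    esac
    if [ "$2" = Y ] && [ "$mode" = ibrs ]; then
        echo "autoibrs-on-snp"      # the case the proposed check removes
    elif [ "$2" = Y ] && [ "$mode" = retpoline ]; then
        echo "retpoline-on-snp"     # the fallback named in the mail
    else
        echo "$mode"
    fi
}

# Read the live values when they exist; stay quiet-safe when they do not.
check_host() {
    if [ ! -r "$SPECTRE_V2" ]; then
        echo "no spectre_v2 sysfs entry on this system"
        return 0
    fi
    snp=N
    if [ -r "$SNP_PARAM" ]; then
        snp=$(cat "$SNP_PARAM")
    fi
    classify_spectre_v2 "$(cat "$SPECTRE_V2")" "$snp"
}

check_host
```

A status line that names both IBRS and retpolines is classified as IBRS, since Automatic IBRS is still in effect in that mode.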