From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: Jim Mattson <jmattson@google.com>
Cc: Dave Hansen <dave.hansen@intel.com>,
x86@kernel.org, Jon Kohler <jon@nutanix.com>,
Nikolay Borisov <nik.borisov@suse.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Josh Poimboeuf <jpoimboe@kernel.org>,
David Kaplan <david.kaplan@amd.com>,
Sean Christopherson <seanjc@google.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
KP Singh <kpsingh@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
David Laight <david.laight.linux@gmail.com>,
Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
David Ahern <dsahern@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
Asit Mallick <asit.k.mallick@intel.com>,
Tao Zhang <tao1.zhang@intel.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-doc@vger.kernel.org, chao.gao@intel.com
Subject: Re: [PATCH v9 02/10] x86/bhi: Make clear_bhb_loop() effective on newer CPUs
Date: Thu, 9 Apr 2026 16:48:12 -0700 [thread overview]
Message-ID: <20260409234754.e5mhhg3z36uwv36r@desk> (raw)
In-Reply-To: <CALMp9eQx3H+n3V3dQh+ZafQZ6uNBjSYk8tZsvG6ffcY43YTrnQ@mail.gmail.com>
On Thu, Apr 09, 2026 at 02:06:36PM -0700, Jim Mattson wrote:
> On Thu, Apr 9, 2026 at 1:36 PM Dave Hansen <dave.hansen@intel.com> wrote:
> >
> > On 4/7/26 17:47, Jim Mattson wrote:
> > > On Tue, Apr 7, 2026 at 4:41 PM Dave Hansen <dave.hansen@intel.com> wrote:
> > >> On 4/7/26 16:27, Jim Mattson wrote:
> > >>> What is your proposed BHI_DIS_S override mechanism, then?
> > >> Let me make sure I get this right. The desire is to:
> > >>
> > >> 1. Have hypervisors lie to guests about the CPU they are running on (for
> > >> the benefit of large/diverse migration pools)
> > >> 2. Have guests be allowed to boot with BHI_DIS_S for performance
> > >> 3. Have apps in those guests that care about security to opt back in to
> > >> BHI_DIS_S for themselves?
> > > I just want guests on heterogeneous migration pools to properly
> > > protect themselves from native BHI when running on host kernels at
> > > least as far back as Linux v6.6.
> > >
> > > To that end, I would be satisfied with using the longer BHB clearing
> > > sequence when HYPERVISOR is true and BHI_CTRL is false.
> >
> > If the guests can't get mitigation information from model/family because
> > the hypervisor is lying (or may lie), then it's on the hypervisor to
> > figure it out.
> >
> > I'm not sure we want to just assume that all hypervisors are going to
> > lie all the time about this.
>
> Without any information, that is exactly what we must assume. There is
> precedent for this.
>
> In vulnerable_to_its():
>
> /*
> * If a VMM did not expose ITS_NO, assume that a guest could
> * be running on a vulnerable hardware or may migrate to such
> * hardware.
> */
> if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
> return true;
>
>
> In cpu_set_bug_bits():
>
> /*
> * Intel parts with eIBRS are vulnerable to BHI attacks. Parts with
> * BHI_NO still need to use the BHI mitigation to prevent Intra-mode
> * attacks. When virtualized, eIBRS could be hidden, assume vulnerable.
> */
> if (!cpu_matches(cpu_vuln_whitelist, NO_BHI) &&
> (boot_cpu_has(X86_FEATURE_IBRS_ENHANCED) ||
> boot_cpu_has(X86_FEATURE_HYPERVISOR)))
> setup_force_cpu_bug(X86_BUG_BHI);
>
> ...and...
>
> if (c->x86_vendor == X86_VENDOR_AMD) {
> if (!cpu_has(c, X86_FEATURE_TSA_SQ_NO) ||
> !cpu_has(c, X86_FEATURE_TSA_L1_NO)) {
> if (cpu_matches(cpu_vuln_blacklist, TSA) ||
> /* Enable bug on Zen guests to allow for
> live migration. */
> (cpu_has(c, X86_FEATURE_HYPERVISOR) &&
> cpu_has(c, X86_FEATURE_ZEN)))
> setup_force_cpu_bug(X86_BUG_TSA);
> }
> }
>
>
> In check_null_seg_clears_base():
>
> /*
> * CPUID bit above wasn't set. If this kernel is still running
> * as a HV guest, then the HV has decided not to advertize
> * that CPUID bit for whatever reason. For example, one
> * member of the migration pool might be vulnerable. Which
> * means, the bug is present: set the BUG flag and return.
> */
> if (cpu_has(c, X86_FEATURE_HYPERVISOR)) {
> set_cpu_bug(c, X86_BUG_NULL_SEG);
> return;
> }
>
> The hypervisor could provide more information so that the guest can
> determine when it's safe to use the short sequence, but that's just
> icing on the cake. The default, out-of-the-box configuration must be
> safe.
In the above cases there was no practical way a VMM could have mitigated
the guest. So the only option for the guest was to take a conservative
approach. Secondly, in the BHI case, real world scenarios of migration
between pre and post ADL CPUs were unknown.
Nevertheless, Intel guidance covers this case by having KVM deploy
BHI_DIS_S for the guest using virtual-SPEC_CTRL. I understand that support
is missing currently, I am working on it. Hopefully, I will be able to
share the draft after this series settles down. We can workout the details
there.
In retrospect, it would have been ideal if this discussion had happened at
the time when virtual-SPEC_CTRL series was introduced.
next prev parent reply other threads:[~2026-04-09 23:48 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-03 0:30 [PATCH v9 00/10] VMSCAPE optimization for BHI variant Pawan Gupta
2026-04-03 0:30 ` [PATCH v9 01/10] x86/bhi: x86/vmscape: Move LFENCE out of clear_bhb_loop() Pawan Gupta
2026-04-03 15:16 ` Borislav Petkov
2026-04-03 16:45 ` Pawan Gupta
2026-04-03 17:11 ` Borislav Petkov
2026-04-03 0:31 ` [PATCH v9 02/10] x86/bhi: Make clear_bhb_loop() effective on newer CPUs Pawan Gupta
2026-04-03 18:10 ` Jim Mattson
2026-04-03 18:52 ` Pawan Gupta
2026-04-03 20:19 ` Jim Mattson
2026-04-03 21:34 ` Pawan Gupta
2026-04-03 21:59 ` Jim Mattson
2026-04-03 23:16 ` Pawan Gupta
2026-04-03 23:22 ` Jim Mattson
2026-04-03 23:33 ` Pawan Gupta
2026-04-03 23:39 ` Jim Mattson
2026-04-04 0:21 ` Pawan Gupta
2026-04-04 2:21 ` Jim Mattson
2026-04-04 3:49 ` Pawan Gupta
2026-04-06 14:23 ` Jim Mattson
2026-04-07 16:39 ` Pawan Gupta
2026-04-07 16:46 ` Jim Mattson
2026-04-07 17:11 ` Pawan Gupta
2026-04-07 18:40 ` Jim Mattson
2026-04-07 19:11 ` Pawan Gupta
2026-04-07 20:53 ` Jim Mattson
2026-04-07 22:27 ` Pawan Gupta
2026-04-07 23:27 ` Jim Mattson
2026-04-07 23:41 ` Dave Hansen
2026-04-08 0:47 ` Jim Mattson
2026-04-09 20:36 ` Dave Hansen
2026-04-09 21:06 ` Jim Mattson
2026-04-09 23:48 ` Pawan Gupta [this message]
2026-04-07 17:12 ` Jon Kohler
2026-04-07 17:52 ` Pawan Gupta
2026-04-03 0:31 ` [PATCH v9 03/10] x86/bhi: Rename clear_bhb_loop() to clear_bhb_loop_nofence() Pawan Gupta
2026-04-03 0:31 ` [PATCH v9 04/10] x86/vmscape: Rename x86_ibpb_exit_to_user to x86_predictor_flush_exit_to_user Pawan Gupta
2026-04-03 0:31 ` [PATCH v9 05/10] x86/vmscape: Move mitigation selection to a switch() Pawan Gupta
2026-04-03 0:32 ` [PATCH v9 06/10] x86/vmscape: Use write_ibpb() instead of indirect_branch_prediction_barrier() Pawan Gupta
2026-04-03 0:32 ` [PATCH v9 07/10] x86/vmscape: Use static_call() for predictor flush Pawan Gupta
2026-04-03 14:52 ` Sean Christopherson
2026-04-03 16:44 ` Pawan Gupta
2026-04-03 17:26 ` Pawan Gupta
2026-04-03 0:32 ` [PATCH v9 08/10] x86/vmscape: Deploy BHB clearing mitigation Pawan Gupta
2026-04-03 0:32 ` [PATCH v9 09/10] x86/vmscape: Resolve conflict between attack-vectors and vmscape=force Pawan Gupta
2026-04-03 0:33 ` [PATCH v9 10/10] x86/vmscape: Add cmdline vmscape=on to override attack vector controls Pawan Gupta
2026-04-04 15:20 ` [PATCH v9 00/10] VMSCAPE optimization for BHI variant David Laight
2026-04-05 7:23 ` Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409234754.e5mhhg3z36uwv36r@desk \
--to=pawan.kumar.gupta@linux.intel.com \
--cc=andrii@kernel.org \
--cc=asit.k.mallick@intel.com \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=bpf@vger.kernel.org \
--cc=chao.gao@intel.com \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=david.kaplan@amd.com \
--cc=david.laight.linux@gmail.com \
--cc=dsahern@kernel.org \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=jon@nutanix.com \
--cc=jpoimboe@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=martin.lau@linux.dev \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=nik.borisov@suse.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=sdf@fomichev.me \
--cc=seanjc@google.com \
--cc=song@kernel.org \
--cc=tao1.zhang@intel.com \
--cc=tglx@kernel.org \
--cc=x86@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox