Re: [PATCH] docs: qemu-cpu-models: Document '-noTSX' variants and 'mds-no'

["Daniel P. Berrangé" <berrange@redhat.com>]

On Thu, Jan 16, 2020 at 06:36:38PM +0100, Kashyap Chamarthy wrote:
> - Add the -noTSX variants for CascadeLake and SkyLake.
> 
> - Add a note aboute the 'mds-no' MSR.  Two confusing things about this:
> 
>   (1) The 'mds-no' will _not_ show up in the guest's /proc/cpuinfo.
>       Rather it is used to fill in the guest's sysfs:
> 
>         sys/devices/system/cpu/vulnerabilities/mds:Not affected
> 
>       Paolo confirmed on IRC as such.
> 
>   (2) There are _three_ variants[+] of CascadeLake CPUs, with different
>       stepping levels: 5, 6, and 7.  To quite wikichip.org[*]:
> 
>         "note that while steppings 6 & 7 are fully mitigated, earlier
>         stepping 5 is not protected against MSBDS, MLPDS, nor MDSUM"
> 
>       The above is also indicated in the Intel's manual itself[+], as
>       indicated by "No" under the three columns of MFBDS, MSBDS, and
>       MLPDS.
> 
>       [+] https://software.intel.com/security-software-guidance/insights/processors-affected-microarchitectural-data-sampling
>       [*] https://en.wikichip.org/wiki/intel/microarchitectures/cascade_lake#Key_changes_from_Skylake
> 
> Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
> ---
> TODO:
>  - I think I also need to add a note about 'tsx-ctrl' bit.  Here too,
>    same question as above -- does it show up in /proc/cpuinfo/?
> ---
>  docs/qemu-cpu-models.texi | 37 ++++++++++++++++++++++++++++++++++++-
>  1 file changed, 36 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
> index f88a1def0d042cc25213259172a648f0a9c514dc..e6c4058e764a81988d6bc97457c668cb0ad2ea37 100644
> --- a/docs/qemu-cpu-models.texi
> +++ b/docs/qemu-cpu-models.texi
> @@ -72,14 +72,30 @@ between machines, if live migration compatibility is required, use the newest
>  CPU model that is compatible across all desired hosts.
>  
>  @table @option
> +
> +@item @code{Cascadelake-Server-noTSX}

Also needs

   @item @code{Cascadelake-Server}

> +
> +Intell Xeon Processor (Cascade Lake, 2019-2020), with "stepping" levels

s/Intell/Intel/

s/-2020//  as we only need the initial year of introduction IMHO.

> +6 or 7 only.  (The Cascade Lake Xeon processor with @b{stepping 5 is
> +vulnerable to MDS variants}; refer below.)
> +
> +@code{/proc/cpuinfo}.
> +
> +The @code{mds-no} bit does not show up under @code{/proc/cpuinfo}.
> +Rather it shows up under the @code{sysfs}, as
> +@code{/sys/devices/system/cpu/vulnerabilities/mds:Not affected}

We already talk about this later on we I thin kwe can trim the
/proc/cpinfo bit

>  @item @code{Skylake-Server}
>  @item @code{Skylake-Server-IBRS}
> +@item @code{Skylake-Server-noTSX-IBRS}
>  
>  Intel Xeon Processor (Skylake, 2016)
>  
>  
>  @item @code{Skylake-Client}
>  @item @code{Skylake-Client-IBRS}
> +@item @code{Skylake-Client-noTSX-IBRS}
>  
>  Intel Core Processor (Skylake, 2015)
>  
> @@ -214,9 +230,28 @@ Must be explicitly turned on for all Intel CPU models.
>  
>  Requires the host CPU microcode to support this feature before it
>  can be used for guest CPUs.
> +
> +@item @code{mds-no}
> +
> +This is an MSR (Model-Specific Register) used by QEMU to indicate that
> +the host is @i{not} vulnerable to any of the MDS variants ([MFBDS]
> +CVE-2018-12130, [MLPDS] CVE-2018-12127, [MSBDS] CVE-2018-12126).
> +
> +Note that there are @i{three} versions of Intel's Cascade Lake
> +processor, as distinguished by their "stepping" levels 5, 6, and 7.  The
> +CPU with stepping "5" is @b{vulnerable to MDS variants}; and the CPUs
> +with steppings "6" and "7" are @b{not vulnerable} to the above mentioned
> +MDS variants.  The processor "stepping" is reported in
> +@code{/proc/cpuinfo}.
> +
> +Confusingly, the @code{mds-no} bit does not show up under
> +@code{/proc/cpuinfo} inside the guest.  Rather the kernel uses it to
> +fill in the @code{sysfs}, as
> +@code{/sys/devices/system/cpu/vulnerabilities/mds: Not affected},
> +assuming the processor is running with stepping 6 or 7.

I think we can simplify this a little - we don't need to talk
about CPU steppings - the user simply needs to know whether the
sysfs file reports vulnerable or not.

So perhaps this text:

  Recommended to inform the guest OS that the host is @i{not]
  vulnerable to any of the MDS variants ([MFBDS]
  CVE-2018-12130, [MLPDS] CVE-2018-12127, [MSBDS] CVE-2018-12126).

  This is a MSR feature rather than a CPUID feature, so will not
  appear in the Linux @code{/proc/cpuinfo} in the host or guest.

  It should only be enabled for VMs if the host reports
  @code{Not affected} in the
  @code{/sys/devices/system/cpu/vulnerabilities/mds} file.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|