[PATCH] cpu_map: Add more -noTSX x86 CPU models

Christian Ehrhardt posted 1 patch 4 years, 1 month ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20200306084143.2759-1-christian.ehrhardt@canonical.com
[PATCH] cpu_map: Add more -noTSX x86 CPU models
Posted by Christian Ehrhardt 4 years, 1 month ago
One of the mitigation methods for TAA[1] is to disable TSX
support on the host system.  Linux added a mechanism to disable
TSX globally through the kernel command line, and many Linux
distributions now default to tsx=off.  This makes existing CPU
models that have HLE and RTM enabled not usable anymore.

Add new versions of all CPU models that have the HLE and RTM
features enabled, that can be used when TSX is disabled in the
host system.

On systems disabling the features, without those types defined
in cpu-maps, users end up without modern CPU types in the list
of usable CPUs in the likes of virsh domcapabilities
or tools higher in the stack like virt-manager.

This adds:
-Cascadelake-Server-noTSX
-Icelake-Client-noTSX
-Icelake-Server-noTSX
-Skylake-Server-noTSX-IBRS
-Skylake-Client-noTSX-IBRS

Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
                  and commit v4.2.0-rc2-4-g02fa60d101 (names)

References:

    [1] TAA, TSX Asynchronous Abort:
        https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
        https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/cpu_map/Makefile.inc.am                   |  5 ++
 src/cpu_map/index.xml                         |  5 ++
 src/cpu_map/x86_Cascadelake-Server-noTSX.xml  | 78 ++++++++++++++++
 src/cpu_map/x86_Icelake-Client-noTSX.xml      | 81 +++++++++++++++++
 src/cpu_map/x86_Icelake-Server-noTSX.xml      | 90 +++++++++++++++++++
 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 73 +++++++++++++++
 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 75 ++++++++++++++++
 7 files changed, 407 insertions(+)
 create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
 create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml

diff --git a/src/cpu_map/Makefile.inc.am b/src/cpu_map/Makefile.inc.am
index e935178304..be64c9a0d4 100644
--- a/src/cpu_map/Makefile.inc.am
+++ b/src/cpu_map/Makefile.inc.am
@@ -20,6 +20,7 @@ cpumap_DATA = \
 	cpu_map/x86_Broadwell-noTSX.xml \
 	cpu_map/x86_Broadwell-noTSX-IBRS.xml \
 	cpu_map/x86_Cascadelake-Server.xml \
+	cpu_map/x86_Cascadelake-Server-noTSX.xml \
 	cpu_map/x86_Conroe.xml \
 	cpu_map/x86_core2duo.xml \
 	cpu_map/x86_coreduo.xml \
@@ -33,7 +34,9 @@ cpumap_DATA = \
 	cpu_map/x86_Haswell-noTSX.xml \
 	cpu_map/x86_Haswell-noTSX-IBRS.xml \
 	cpu_map/x86_Icelake-Client.xml \
+	cpu_map/x86_Icelake-Client-noTSX.xml \
 	cpu_map/x86_Icelake-Server.xml \
+	cpu_map/x86_Icelake-Server-noTSX.xml \
 	cpu_map/x86_IvyBridge.xml \
 	cpu_map/x86_IvyBridge-IBRS.xml \
 	cpu_map/x86_kvm32.xml \
@@ -58,8 +61,10 @@ cpumap_DATA = \
 	cpu_map/x86_SandyBridge-IBRS.xml \
 	cpu_map/x86_Skylake-Client.xml \
 	cpu_map/x86_Skylake-Client-IBRS.xml \
+	cpu_map/x86_Skylake-Client-noTSX-IBRS.xml \
 	cpu_map/x86_Skylake-Server.xml \
 	cpu_map/x86_Skylake-Server-IBRS.xml \
+	cpu_map/x86_Skylake-Server-noTSX-IBRS.xml \
 	cpu_map/x86_Westmere.xml \
 	cpu_map/x86_Westmere-IBRS.xml \
 	$(NULL)
diff --git a/src/cpu_map/index.xml b/src/cpu_map/index.xml
index ffb2f6fe1b..50b030de29 100644
--- a/src/cpu_map/index.xml
+++ b/src/cpu_map/index.xml
@@ -44,11 +44,16 @@
     <include filename="x86_Broadwell-IBRS.xml"/>
     <include filename="x86_Skylake-Client.xml"/>
     <include filename="x86_Skylake-Client-IBRS.xml"/>
+    <include filename="x86_Skylake-Client-noTSX-IBRS.xml"/>
     <include filename="x86_Skylake-Server.xml"/>
     <include filename="x86_Skylake-Server-IBRS.xml"/>
+    <include filename="x86_Skylake-Server-noTSX-IBRS.xml"/>
     <include filename="x86_Cascadelake-Server.xml"/>
+    <include filename="x86_Cascadelake-Server-noTSX.xml"/>
     <include filename="x86_Icelake-Client.xml"/>
+    <include filename="x86_Icelake-Client-noTSX.xml"/>
     <include filename="x86_Icelake-Server.xml"/>
+    <include filename="x86_Icelake-Server-noTSX.xml"/>
 
     <!-- AMD CPUs -->
     <include filename="x86_athlon.xml"/>
diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
new file mode 100644
index 0000000000..4a979739e2
--- /dev/null
+++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
@@ -0,0 +1,78 @@
+<cpus>
+  <model name='Cascadelake-Server'>
+    <signature family='6' model='85'/> <!-- 050654 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vl'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clflushopt'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
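Review bot: the model in this new file is named 'Cascadelake-Server', the name the existing x86_Cascadelake-Server.xml already defines, so the cpu_map ends up carrying two definitions of one model; the line should be `<model name='Cascadelake-Server-noTSX'>`, matching the filename and the list in the commit message. The rest of the definition does what the commit message asks for: hle and rtm are absent from the feature list.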
diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml
new file mode 100644
index 0000000000..4feb9cef2d
--- /dev/null
+++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml
@@ -0,0 +1,81 @@
+<cpus>
+  <model name='Icelake-Client'>
+    <signature family='6' model='126'/> <!-- 0706e0 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512-vpopcntdq'/>
+    <feature name='avx512bitalg'/>
+    <feature name='avx512vbmi'/>
+    <feature name='avx512vbmi2'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='gfni'/>
+    <feature name='intel-pt'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pge'/>
+    <feature name='pku'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='umip'/>
+    <feature name='vaes'/>
+    <feature name='vme'/>
+    <feature name='vpclmulqdq'/>
+    <feature name='wbnoinvd'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
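Review bot: `<model name='Icelake-Client'>` duplicates the name of the existing Icelake-Client model instead of introducing a new one; it should read `<model name='Icelake-Client-noTSX'>` as the filename and commit message say. hle and rtm are correctly left out of the feature list.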
diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml
new file mode 100644
index 0000000000..76ae713a4d
--- /dev/null
+++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml
@@ -0,0 +1,90 @@
+<cpus>
+  <model name='Icelake-Server'>
+    <signature family='6' model='134'/> <!-- 080660 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512-vpopcntdq'/>
+    <feature name='avx512bitalg'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vbmi'/>
+    <feature name='avx512vbmi2'/>
+    <feature name='avx512vl'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clflushopt'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='gfni'/>
+    <feature name='intel-pt'/>
+    <feature name='invpcid'/>
+    <feature name='la57'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pku'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='umip'/>
+    <feature name='vaes'/>
+    <feature name='vme'/>
+    <feature name='vpclmulqdq'/>
+    <feature name='wbnoinvd'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
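Review bot: `<model name='Icelake-Server'>` collides with the existing Icelake-Server model; the new file should declare `<model name='Icelake-Server-noTSX'>`. A duplicated model name is exactly the kind of defect a make check run catches before posting, so that is worth doing for v2. The feature list itself omits hle and rtm as intended.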
diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
new file mode 100644
index 0000000000..5fa4a733c6
--- /dev/null
+++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
@@ -0,0 +1,73 @@
+<cpus>
+  <model name='Skylake-Client-IBRS'>
+    <signature family='6' model='94'/> <!-- 0506e0 -->
+    <signature family='6' model='78'/> <!-- 0406e0 -->
+    <!-- These are Kaby Lake and Coffee Lake successors to Skylake,
+         but we don't have specific models for them. -->
+    <signature family='6' model='142'/> <!-- 0806e0 -->
+    <signature family='6' model='158'/> <!-- 0906e0 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
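Review bot: `<model name='Skylake-Client-IBRS'>` reuses the name of the existing Skylake-Client-IBRS model, so this definition should be `<model name='Skylake-Client-noTSX-IBRS'>`. The copied signature block (including the Kaby Lake and Coffee Lake comment) and the absence of hle and rtm look right for the noTSX variant; only the name is off.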
diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
new file mode 100644
index 0000000000..cb65474767
--- /dev/null
+++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
@@ -0,0 +1,75 @@
+<cpus>
+  <model name='Skylake-Server-IBRS'>
+    <signature family='6' model='85'/> <!-- 050654 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vl'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
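Review bot: `<model name='Skylake-Server-IBRS'>` should be `<model name='Skylake-Server-noTSX-IBRS'>`; as written it is a second definition of the existing Skylake-Server-IBRS model. Note that this model and the new Cascadelake-Server-noTSX file both carry signature family 6 model 85, so the name and the feature list, not the signature, are what tell them apart, which makes getting the name right all the more important.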
-- 
2.25.1


Re: [PATCH] cpu_map: Add more -noTSX x86 CPU models
Posted by Jiri Denemark 4 years, 1 month ago
On Fri, Mar 06, 2020 at 09:41:43 +0100, Christian Ehrhardt wrote:
> One of the mitigation methods for TAA[1] is to disable TSX
> support on the host system.  Linux added a mechanism to disable
> TSX globally through the kernel command line, and many Linux
> distributions now default to tsx=off.  This makes existing CPU
> models that have HLE and RTM enabled not usable anymore.
> 
> Add new versions of all CPU models that have the HLE and RTM
> features enabled, that can be used when TSX is disabled in the
> host system.
> 
> On systems disabling the features without those types defined
> in cpu-maps users end up without modern CPU types in the list
> of usable CPUs to use in the likes of virsh domcapabilities
> or tools higher in the stack like virt-manager.
> 
> This adds:
> -Cascadelake-Server-noTSX
> -Icelake-Client-noTSX
> -Icelake-Server-noTSX
> -Skylake-Server-noTSX-IBRS
> -Skylake-Client-noTSX-IBRS

Originally, I was thinking we should just ignore these new CPU models.
After all, there was a consensus the -IBRS models should have never
existed and new suffixes were not introduced for other vulnerabilities
either.

However, noTSX is different. Usually mitigating a CPU vulnerability
involves adding a new CPU feature which needs to be passed to a guest
and it is perfectly fine to keep using an existing model and just
enabling the new feature on top of it (either manually or automatically
in some way). But noTSX is about removing existing features. While an
existing model can still be used when hle and rtm features are
explicitly disabled, the model itself is not directly usable on a host
which masks TSX on the host level. Domains with host-model CPUs will
work just fine, but other use cases will be broken as several CPU models
will suddenly be marked as unusable in domain capabilities.

So I changed my mind and I think we should add all these noTSX variants.
But for better compatibility with existing libvirt releases, we should
make sure these new models will not be used automatically by libvirt,
i.e., as a host-model CPU, because we can express the same CPU in a
compatible way by disabling hle and rtm. But of course, the new CPU
models would be advertised as supported and usable in domain
capabilities and users could explicitly request them. I guess we could
do this by adding a flag to the CPU model XML and check for it in the
CPU model detection code.

In addition to this, we should add new cputest data for a CPU with
disabled TSX. I already have the test locally based on the CPU data you
gave me on IRC and I'll send the patch shortly. I imagine the test
should go first (showing a wrong CPU model being used as host CPU),
followed by the addition of the new noTSX models (both host and guest
CPUs should change in the test) and finally applying a patch to ignore
the new models for host-model (the guest CPU should change back to the
original model without -noTSX).

Jirka

Re: [PATCH] cpu_map: Add more -noTSX x86 CPU models
Posted by Jiri Denemark 4 years, 1 month ago
On Fri, Mar 06, 2020 at 09:41:43 +0100, Christian Ehrhardt wrote:
> One of the mitigation methods for TAA[1] is to disable TSX
> support on the host system.  Linux added a mechanism to disable
> TSX globally through the kernel command line, and many Linux
> distributions now default to tsx=off.  This makes existing CPU
> models that have HLE and RTM enabled not usable anymore.
> 
> Add new versions of all CPU models that have the HLE and RTM
> features enabled, that can be used when TSX is disabled in the
> host system.
> 
> On systems disabling the features without those types defined
> in cpu-maps users end up without modern CPU types in the list
> of usable CPUs to use in the likes of virsh domcapabilities
> or tools higher in the stack like virt-manager.
> 
> This adds:
> -Cascadelake-Server-noTSX
> -Icelake-Client-noTSX
> -Icelake-Server-noTSX
> -Skylake-Server-noTSX-IBRS
> -Skylake-Client-noTSX-IBRS
> 
> Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
>                   and commit v4.2.0-rc2-4-g02fa60d101 (names)
> 
> References:
> 
>     [1] TAA, TSX asynchronous Abort:
>         https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
>         https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  src/cpu_map/Makefile.inc.am                   |  5 ++
>  src/cpu_map/index.xml                         |  5 ++
>  src/cpu_map/x86_Cascadelake-Server-noTSX.xml  | 78 ++++++++++++++++
>  src/cpu_map/x86_Icelake-Client-noTSX.xml      | 81 +++++++++++++++++
>  src/cpu_map/x86_Icelake-Server-noTSX.xml      | 90 +++++++++++++++++++
>  src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 73 +++++++++++++++
>  src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 75 ++++++++++++++++
>  7 files changed, 407 insertions(+)
>  create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
>  create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
...
> diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
> new file mode 100644
> index 0000000000..4a979739e2
> --- /dev/null
> +++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
> @@ -0,0 +1,78 @@
> +<cpus>
> +  <model name='Cascadelake-Server'>

'Cascadelake-Server-noTSX'

...
> diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml
> new file mode 100644
> index 0000000000..4feb9cef2d
> --- /dev/null
> +++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml
> @@ -0,0 +1,81 @@
> +<cpus>
> +  <model name='Icelake-Client'>

'Icelake-Client-noTSX'

...
> diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml
> new file mode 100644
> index 0000000000..76ae713a4d
> --- /dev/null
> +++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml
> @@ -0,0 +1,90 @@
> +<cpus>
> +  <model name='Icelake-Server'>

'Icelake-Server-noTSX'

...
> diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
> new file mode 100644
> index 0000000000..5fa4a733c6
> --- /dev/null
> +++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
> @@ -0,0 +1,73 @@
> +<cpus>
> +  <model name='Skylake-Client-IBRS'>

'Skylake-Client-noTSX-IBRS'

...
> diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
> new file mode 100644
> index 0000000000..cb65474767
> --- /dev/null
> +++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
> @@ -0,0 +1,75 @@
> +<cpus>
> +  <model name='Skylake-Server-IBRS'>

'Skylake-Server-noTSX-IBRS'

...

Running make check would reveal all these issues because every single
test which involves parsing the cpu_map was failing due to multiple
definitions of the same CPU model.

And since this patch is adding several CPU models which are already
supported by QEMU since 4.2.0, you need to update several existing test
files for domaincapstest too. You can use

    VIR_TEST_REGENERATE_OUTPUT=1 tests/domaincapstest

to regenerate the files. Just make sure you review the changes before
adding them to this commit.

Regenerating the test files will also be needed for cputest because I
just pushed the "cputest: Add data for Intel(R) Core(TM) i7-8550U CPU
without TSX". Doing so will nicely show that the computed host CPU model
(in x86_64-cpuid-Core-i7-8550U-host.xml file) is
Skylake-Client-noTSX-IBRS rather than Broadwell-noTSX-IBRS.

However, the CPU used for host-model (and reported in domain
capabilities) as shown in x86_64-cpuid-Core-i7-8550U-guest.xml and
x86_64-cpuid-Core-i7-8550U-json.xml will change from Skylake-Client-IBRS
to Skylake-Client-noTSX-IBRS. As I said in my previous reply to this
patch, I think these two CPU definitions should keep using the old
Skylake-Client-IBRS model to make sure any domain with host-model CPU
will always use the CPU models without noTSX for better compatibility
between current and future versions of libvirt. This change should be in
a separate patch, but in a single series with the current patch.

Jirka

Re: [PATCH] cpu_map: Add more -noTSX x86 CPU models
Posted by Christian Ehrhardt 4 years, 1 month ago
> ...
>
> Running make check would reveal all these issues because every single
> test which involves parsing the cpu_map was failing due to multiple
> definitions of the same CPU model.
>
I'd not have expected that the tests will exercise the new XMLs in any way.
Good to know and thanks for your feedback.


> And since this patch is adding several CPU models which are already
> supported by QEMU since 4.2.0, you need to update several existing test
> files for domaincapstest too. You can use
>
>     VIR_TEST_REGENERATE_OUTPUT=1 tests/domaincapstest
>
> to regenerate the files. Just make sure you review the changes before
> adding them to this commit.
>

Without regenerating these I see as expected
FAIL: domaincapstest
FAIL: cputest

Adding these 5 types to the qemu 4.2 and qemu 5.0
tests/domaincapsdata worked.
I've squashed that into the same patch - let me know if you'd prefer the
domaincapsdata change as an individual patch instead.

> Regenerating the test files will also be needed for cputest because I
> just pushed the "cputest: Add data for Intel(R) Core(TM) i7-8550U CPU
> without TSX". Doing so will nicely show that the computed host CPU model
> (in x86_64-cpuid-Core-i7-8550U-host.xml file) is
> Skylake-Client-noTSX-IBRS rather than Broadwell-noTSX-IBRS.
>

Indeed:
1007 In
'/home/paelzer/work/libvirt/libvirt-ubuntu-git/build/../tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml':
...
1009 Expect [Broadwell-noTSX-IBRS</model>
...
1043 Actual [Skylake-Client-noTSX-IBRS</model>


> However, the CPU used for host-model (and reported in domain
> capabilities) as shown in x86_64-cpuid-Core-i7-8550U-guest.xml and
> x86_64-cpuid-Core-i7-8550U-json.xml will change from Skylake-Client-IBRS
> to Skylake-Client-noTSX-IBRS. As I said in my previous reply to this
> patch, I think these two CPU definitions should keep using the old
> Skylake-Client-IBRS model to make sure any domain with host-model CPU
> will always use the CPU models without noTSX for better compatibility
> between current and future versions of libvirt.


I see three changes:
x86_64-cpuid-Core-i7-8550U-host.xml: Broadwell-noTSX-IBRS ->
Skylake-Client-noTSX-IBRS
x86_64-cpuid-Core-i7-8550U-guest.xml: Skylake-Client-IBRS ->
Skylake-Client-noTSX-IBRS
This shows up twice in:
238) cpuTestGuestCPUID(x86_64): Core-i7-8550U
240) cpuTestGuestCPUID(x86_64): Core-i7-8550U
x86_64-cpuid-Core-i7-8550U-json.xml: Skylake-Client-IBRS ->
Skylake-Client-noTSX-IBRS

So far so good and as expected.
But I have to beg your pardon and need to ask where such an override to
continue to use
"Skylake-Client-IBRS + policy='disable' name='hle' policy='disable'
name='rtm'" instead of just "Skylake-Client-noTSX-IBRS" would have to go?

Holding back v2 submission until this is solved ...

> This change should be in
> a separate patch, but in single series with the current patch.
>
> Jirka
>
>

-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
Re: [PATCH] cpu_map: Add more -noTSX x86 CPU models
Posted by Christian Ehrhardt 4 years, 1 month ago
On Tue, Mar 10, 2020 at 10:18 AM Christian Ehrhardt <christian.ehrhardt@canonical.com> wrote:

>
> ...
>>
>> Running make check would reveal all these issues because every single
>> test which involves parsing the cpu_map was failing due to multiple
>> definitions of the same CPU model.
>>
> I'd not have expected that the tests will exercise the new XMLs in any way.
> Good to know and thanks for your feedback.
>
>
>> And since this patch is adding several CPU models which are already
>> supported by QEMU since 4.2.0, you need to update several existing test
>> files for domaincapstest too. You can use
>>
>>     VIR_TEST_REGENERATE_OUTPUT=1 tests/domaincapstest
>>
>> to regenerate the files. Just make sure you review the changes before
>> adding them to this commit.
>>
>
> Without regenerating these I see as expected
> FAIL: domaincapstest
> FAIL: cputest
>
> Adding these 5 types to the qemu 4.2 and qemu 5.0
> tests/domaincapsdata worked.
> I've squashed that into the same patch - let me know if you'd prefer the
> domaincapsdata change as an individual patch instead.
>
>> Regenerating the test files will also be needed for cputest because I
>> just pushed the "cputest: Add data for Intel(R) Core(TM) i7-8550U CPU
>> without TSX". Doing so will nicely show that the computed host CPU model
>> (in x86_64-cpuid-Core-i7-8550U-host.xml file) is
>> Skylake-Client-noTSX-IBRS rather than Broadwell-noTSX-IBRS.
>>
>
> Indeed:
> 1007 In
> '/home/paelzer/work/libvirt/libvirt-ubuntu-git/build/../tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml':
> ...
> 1009 Expect [Broadwell-noTSX-IBRS</model>
> ...
> 1043 Actual [Skylake-Client-noTSX-IBRS</model>
>
>
>> However, the CPU used for host-model (and reported in domain
>> capabilities) as shown in x86_64-cpuid-Core-i7-8550U-guest.xml and
>> x86_64-cpuid-Core-i7-8550U-json.xml will change from Skylake-Client-IBRS
>> to Skylake-Client-noTSX-IBRS. As I said in my previous reply to this
>> patch, I think these two CPU definitions should keep using the old
>> Skylake-Client-IBRS model to make sure any domain with host-model CPU
>> will always use the CPU models without noTSX for better compatibility
>> between current and future version of libvirt.
>
>
> I see three changes:
> x86_64-cpuid-Core-i7-8550U-host.xml: Broadwell-noTSX-IBRS ->
> Skylake-Client-noTSX-IBRS
> x86_64-cpuid-Core-i7-8550U-guest.xml: Skylake-Client-IBRS ->
> Skylake-Client-noTSX-IBRS
> This shows up twice in:
> 238) cpuTestGuestCPUID(x86_64): Core-i7-8550U
> 240) cpuTestGuestCPUID(x86_64): Core-i7-8550U
> x86_64-cpuid-Core-i7-8550U-json.xml: Skylake-Client-IBRS ->
> Skylake-Client-noTSX-IBRS
>
> So far so good and as expected.
> But I have to beg your pardon and need to ask where such an override to
> continue to use
> "Skylake-Client-IBRS + policy='disable' name='hle' policy='disable'
> name='rtm'" instead of just "Skylake-Client-noTSX-IBRS" would have to go?
>

Do I get it right that this request would break the current definition of
cpuDecode:
...
 * when decoding the data. In general, this function will select the model
 * closest to the CPU specified by @data.
 *
 * For VIR_ARCH_I686 and VIR_ARCH_X86_64 architectures this means the computed
 * CPU definition will have the shortest possible list of additional features.

The actual decode is arch specific via x86DecodeCPUData, here it evaluates
the length of the feature list and thereby prefers the -noTSX type.
Skylake-Client-noTSX-IBRS:
(gdb) p cpuCandidate->nfeatures
$30 = 25
And since it needs to disable hle/rtm the type Skylake-Client-IBRS will have
(gdb) p cpuCandidate->nfeatures
$33 = 27

I don't see an obvious non-hacky way yet to get these detected as
non-noTSX types.

And in general I think we'd not want to map just -noTSX-IBRS to the -IBRS
types.
With the versioned CPUs it is more like "Skylake-Client-* => Skylake-Client",
which is like selecting the moving base version.

I really beg your pardon, but I don't see this as part of this patch set
just trying to add these new -noTSX types, but some later work to add
versioned CPU support.
Please tell if I'm missing something here and guide me to where such an
override of the preferred type should be done.
Until then I'll prep a v2 that also adapts the cputests to match ...

Holding back v2 submission until this is solved ...
>
>> This change should be in
>> a separate patch, but in single series with the current patch.
>>
>> Jirka
>>
>>
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
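As an added illustration of the decode rule discussed in the reply above (this is example code written for this page, not code from libvirt or from anyone in the thread), here is a small Python model of how a host feature set is matched against cpu_map entries. The `<model>` snippets and the `HOST_FEATURES` set are constructed and abbreviated, and the helper names (`load_models`, `usable`, `decode`, `without`, `tsx_disabled`) are this example's own. It models only the "shortest possible list of additional features" rule quoted from cpuDecode and leaves out libvirt's vendor and signature matching, so it reproduces the Broadwell-noTSX-IBRS to Skylake-Client-noTSX-IBRS switch seen in the cputest output, but not every real-world choice.

```python
"""Toy model of libvirt's x86 host-CPU decoding (added example, not libvirt code).

Everything here is constructed: the cpu_map entries are abbreviated copies of
the kind of <model> blocks the patch adds, and HOST_FEATURES imitates a
Skylake-class client CPU booted with tsx=off.  Only the "shortest list of
additional features" rule quoted from cpuDecode in the thread is modelled;
libvirt's vendor and signature matching is left out.
"""
import xml.etree.ElementTree as ET

# Constructed, abbreviated cpu_map entries (real files carry ~70 features).
CPU_MAP_XML = """\
<cpus>
  <model name='Skylake-Client-IBRS'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
    <feature name='hle'/>
    <feature name='rtm'/>
    <feature name='spec-ctrl'/>
    <feature name='sse4.2'/>
  </model>
  <model name='Skylake-Client-noTSX-IBRS'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
    <feature name='spec-ctrl'/>
    <feature name='sse4.2'/>
  </model>
  <model name='Broadwell-noTSX-IBRS'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
    <feature name='spec-ctrl'/>
  </model>
</cpus>
"""

# Constructed host flags: everything the Skylake-Client models need except
# 'hle' and 'rtm', which a tsx=off kernel hides, plus two extra features.
HOST_FEATURES = {"avx2", "spec-ctrl", "sse4.2", "ssbd", "md-clear"}


def load_models(xml_text):
    """Map model name -> set of feature names from a cpu_map-style document."""
    root = ET.fromstring(xml_text)
    return {
        model.get("name"): {f.get("name") for f in model.findall("feature")}
        for model in root.findall("model")
    }


def without(models, *names):
    """Copy of the catalogue minus some models (e.g. the state before this patch)."""
    return {name: feats for name, feats in models.items() if name not in names}


def tsx_disabled(host):
    """True when the host does not advertise HLE and RTM, as with tsx=off."""
    return not {"hle", "rtm"} <= host


def usable(model_features, host):
    """domcapabilities-style usability: every model feature must exist on the host."""
    return model_features <= host


def decode(models, host):
    """Pick the model whose computed definition needs the fewest extra entries.

    For each candidate, 'required' lists host features the model lacks and
    'disabled' lists model features the host lacks; their sum plays the role
    of cpuCandidate->nfeatures from the gdb session.  Ties keep the earlier
    model, so catalogue order matters only between equal counts.
    """
    best = None
    for name, feats in models.items():
        required = sorted(host - feats)
        disabled = sorted(feats - host)
        nfeatures = len(required) + len(disabled)
        if best is None or nfeatures < best["nfeatures"]:
            best = {"model": name, "required": required,
                    "disabled": disabled, "nfeatures": nfeatures}
    return best


if __name__ == "__main__":
    models = load_models(CPU_MAP_XML)
    print("TSX disabled on host:", tsx_disabled(HOST_FEATURES))
    for name, feats in models.items():
        print(f"{name:28} usable={usable(feats, HOST_FEATURES)}")
    print("with the patch   :", decode(models, HOST_FEATURES))
    print("before the patch :",
          decode(without(models, "Skylake-Client-noTSX-IBRS"), HOST_FEATURES))
```

With the noTSX model present, decoding lands on Skylake-Client-noTSX-IBRS with two required and no disabled features; without it, Skylake-Client-IBRS would need hle and rtm disabled (four entries) and loses to Broadwell-noTSX-IBRS (three entries), which is the Expect/Actual flip the cputest output shows.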
[PATCH v2 0/1] fix systems having hle/rtm disabled by the kernel
Posted by Christian Ehrhardt 4 years, 1 month ago
Thanks for the discussion on v1. I was rerunning the tests to make
the tests pass.
I have not made it prefer -IBRS types before -noTSX-IBRS types
as outlined in my former reply to this thread. But I wanted to submit
the v2 to have this topic make some progress without waiting for the
potentially long "should we prefer -IBRS discussion".

Updates in v2:
- fix model names in new cpu_map files
- update domaincapsdata to match the new models
- update cputestdata to match the new models

Christian Ehrhardt (1):
  cpu_map: Add more -noTSX x86 CPU models

 src/cpu_map/Makefile.inc.am                     |  5 ++
 src/cpu_map/index.xml                           |  5 ++
 src/cpu_map/x86_Cascadelake-Server-noTSX.xml    | 78 ++++++++++++++++
 src/cpu_map/x86_Icelake-Client-noTSX.xml        | 81 +++++++++++++++++
 src/cpu_map/x86_Icelake-Server-noTSX.xml        | 90 +++++++++++++++++++
 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml   | 73 +++++++++++++++
 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml   | 75 ++++++++++++++++
 tests/x86_64-cpuid-Core-i7-8550U-guest.xml      |  4 +-
 tests/x86_64-cpuid-Core-i7-8550U-host.xml       | 11 +--
 tests/x86_64-cpuid-Core-i7-8550U-json.xml       |  4 +-
 tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml      |  5 ++
 tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml      |  5 ++
 16 files changed, 440 insertions(+), 16 deletions(-)
 create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
 create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml

-- 
2.25.1


[PATCH v2 1/1] cpu_map: Add more -noTSX x86 CPU models
Posted by Christian Ehrhardt 4 years, 1 month ago
One of the mitigation methods for TAA[1] is to disable TSX
support on the host system.  Linux added a mechanism to disable
TSX globally through the kernel command line, and many Linux
distributions now default to tsx=off.  This makes existing CPU
models that have HLE and RTM enabled not usable anymore.

Add new versions of all CPU models that have the HLE and RTM
features enabled, that can be used when TSX is disabled in the
host system.

On systems disabling the features without those types defined
in cpu-maps users end up without modern CPU types in the list
of usable CPUs to use in the likes of virsh domcapabilities
or tools higher in the stack like virt-manager.

This adds:
-Cascadelake-Server-noTSX
-Icelake-Client-noTSX
-Icelake-Server-noTSX
-Skylake-Server-noTSX-IBRS
-Skylake-Client-noTSX-IBRS

Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
                  and commit v4.2.0-rc2-4-g02fa60d101 (names)

References:

    [1] TAA, TSX Asynchronous Abort:
        https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
        https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/cpu_map/Makefile.inc.am                   |  5 ++
 src/cpu_map/index.xml                         |  5 ++
 src/cpu_map/x86_Cascadelake-Server-noTSX.xml  | 78 ++++++++++++++++
 src/cpu_map/x86_Icelake-Client-noTSX.xml      | 81 +++++++++++++++++
 src/cpu_map/x86_Icelake-Server-noTSX.xml      | 90 +++++++++++++++++++
 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 73 +++++++++++++++
 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 75 ++++++++++++++++
 .../x86_64-cpuid-Core-i7-8550U-guest.xml      |  4 +-
 .../x86_64-cpuid-Core-i7-8550U-host.xml       | 11 +--
 .../x86_64-cpuid-Core-i7-8550U-json.xml       |  4 +-
 .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml  |  5 ++
 .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_4.2.0.x86_64.xml    |  5 ++
 .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml  |  5 ++
 .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml  |  5 ++
 tests/domaincapsdata/qemu_5.0.0.x86_64.xml    |  5 ++
 16 files changed, 440 insertions(+), 16 deletions(-)
 create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml
 create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml
 create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
 create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml

diff --git a/src/cpu_map/Makefile.inc.am b/src/cpu_map/Makefile.inc.am
index e935178304..be64c9a0d4 100644
--- a/src/cpu_map/Makefile.inc.am
+++ b/src/cpu_map/Makefile.inc.am
@@ -20,6 +20,7 @@ cpumap_DATA = \
 	cpu_map/x86_Broadwell-noTSX.xml \
 	cpu_map/x86_Broadwell-noTSX-IBRS.xml \
 	cpu_map/x86_Cascadelake-Server.xml \
+	cpu_map/x86_Cascadelake-Server-noTSX.xml \
 	cpu_map/x86_Conroe.xml \
 	cpu_map/x86_core2duo.xml \
 	cpu_map/x86_coreduo.xml \
@@ -33,7 +34,9 @@ cpumap_DATA = \
 	cpu_map/x86_Haswell-noTSX.xml \
 	cpu_map/x86_Haswell-noTSX-IBRS.xml \
 	cpu_map/x86_Icelake-Client.xml \
+	cpu_map/x86_Icelake-Client-noTSX.xml \
 	cpu_map/x86_Icelake-Server.xml \
+	cpu_map/x86_Icelake-Server-noTSX.xml \
 	cpu_map/x86_IvyBridge.xml \
 	cpu_map/x86_IvyBridge-IBRS.xml \
 	cpu_map/x86_kvm32.xml \
@@ -58,8 +61,10 @@ cpumap_DATA = \
 	cpu_map/x86_SandyBridge-IBRS.xml \
 	cpu_map/x86_Skylake-Client.xml \
 	cpu_map/x86_Skylake-Client-IBRS.xml \
+	cpu_map/x86_Skylake-Client-noTSX-IBRS.xml \
 	cpu_map/x86_Skylake-Server.xml \
 	cpu_map/x86_Skylake-Server-IBRS.xml \
+	cpu_map/x86_Skylake-Server-noTSX-IBRS.xml \
 	cpu_map/x86_Westmere.xml \
 	cpu_map/x86_Westmere-IBRS.xml \
 	$(NULL)
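Review bot: the three hunks in this file keep cpumap_DATA alphabetically ordered with each -noTSX file directly after its base model, matching how Broadwell-noTSX.xml and Haswell-noTSX.xml already follow theirs; please double-check that the same five names appear in the index.xml hunk below, since a model listed in only one of the two places ends up either not installed or not loaded.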
diff --git a/src/cpu_map/index.xml b/src/cpu_map/index.xml
index ffb2f6fe1b..50b030de29 100644
--- a/src/cpu_map/index.xml
+++ b/src/cpu_map/index.xml
@@ -44,11 +44,16 @@
     <include filename="x86_Broadwell-IBRS.xml"/>
     <include filename="x86_Skylake-Client.xml"/>
     <include filename="x86_Skylake-Client-IBRS.xml"/>
+    <include filename="x86_Skylake-Client-noTSX-IBRS.xml"/>
     <include filename="x86_Skylake-Server.xml"/>
     <include filename="x86_Skylake-Server-IBRS.xml"/>
+    <include filename="x86_Skylake-Server-noTSX-IBRS.xml"/>
     <include filename="x86_Cascadelake-Server.xml"/>
+    <include filename="x86_Cascadelake-Server-noTSX.xml"/>
     <include filename="x86_Icelake-Client.xml"/>
+    <include filename="x86_Icelake-Client-noTSX.xml"/>
     <include filename="x86_Icelake-Server.xml"/>
+    <include filename="x86_Icelake-Server-noTSX.xml"/>
 
     <!-- AMD CPUs -->
     <include filename="x86_athlon.xml"/>
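Review bot: the five new includes sit directly after their base model, the same placement Broadwell-IBRS has relative to the other Broadwell variants on the first context line, so the catalogue stays grouped by family; given that the thread above shows cpuDecode picking the -noTSX entry on feature count, a sentence in the commit message explaining why the entries are ordered this way would save the next reader from working it out from the decode code.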
diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
new file mode 100644
index 0000000000..d24415ebce
--- /dev/null
+++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
@@ -0,0 +1,78 @@
+<cpus>
+  <model name='Cascadelake-Server-noTSX'>
+    <signature family='6' model='85'/> <!-- 050654 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vl'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clflushopt'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
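Review bot: nothing states how this file was derived. The hunk shows no hle or rtm entries, and the signature on the third line (family 6, model 85, 050654) is identical to the one x86_Skylake-Server-noTSX-IBRS.xml carries later in this patch, so only the feature list tells the two models apart. Please say in the commit message that each -noTSX file is a copy of its base model with exactly hle and rtm dropped, so reviewers can confirm that with a diff against the base XML rather than by reading 78 feature lines by eye.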
diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml
new file mode 100644
index 0000000000..cd51881f40
--- /dev/null
+++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml
@@ -0,0 +1,81 @@
+<cpus>
+  <model name='Icelake-Client-noTSX'>
+    <signature family='6' model='126'/> <!-- 0706e0 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512-vpopcntdq'/>
+    <feature name='avx512bitalg'/>
+    <feature name='avx512vbmi'/>
+    <feature name='avx512vbmi2'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='gfni'/>
+    <feature name='intel-pt'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pge'/>
+    <feature name='pku'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='umip'/>
+    <feature name='vaes'/>
+    <feature name='vme'/>
+    <feature name='vpclmulqdq'/>
+    <feature name='wbnoinvd'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml
new file mode 100644
index 0000000000..538c656712
--- /dev/null
+++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml
@@ -0,0 +1,90 @@
+<cpus>
+  <model name='Icelake-Server-noTSX'>
+    <signature family='6' model='134'/> <!-- 080660 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512-vpopcntdq'/>
+    <feature name='avx512bitalg'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vbmi'/>
+    <feature name='avx512vbmi2'/>
+    <feature name='avx512vl'/>
+    <feature name='avx512vnni'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clflushopt'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='gfni'/>
+    <feature name='intel-pt'/>
+    <feature name='invpcid'/>
+    <feature name='la57'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pku'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='ssbd'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='umip'/>
+    <feature name='vaes'/>
+    <feature name='vme'/>
+    <feature name='vpclmulqdq'/>
+    <feature name='wbnoinvd'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
new file mode 100644
index 0000000000..3d2976692f
--- /dev/null
+++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
@@ -0,0 +1,73 @@
+<cpus>
+  <model name='Skylake-Client-noTSX-IBRS'>
+    <signature family='6' model='94'/> <!-- 0506e0 -->
+    <signature family='6' model='78'/> <!-- 0406e0 -->
+    <!-- These are Kaby Lake and Coffee Lake successors to Skylake,
+         but we don't have specific models for them. -->
+    <signature family='6' model='142'/> <!-- 0806e0 -->
+    <signature family='6' model='158'/> <!-- 0906e0 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
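Review bot: the model 142 and 158 signatures copied here together with their Kaby Lake / Coffee Lake comment are what make the i7-8550U host in the cputestdata hunks below decode to this model, so this file drives those test expectations. Unlike the Cascadelake and Icelake files above, this one carries no ssbd entry; that presumably mirrors the base Skylake-Client-IBRS list, but the commit message should say the list is the base minus hle and rtm only, so the absence can be checked rather than assumed.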
diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
new file mode 100644
index 0000000000..455a072119
--- /dev/null
+++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
@@ -0,0 +1,75 @@
+<cpus>
+  <model name='Skylake-Server-noTSX-IBRS'>
+    <signature family='6' model='85'/> <!-- 050654 -->
+    <vendor name='Intel'/>
+    <feature name='3dnowprefetch'/>
+    <feature name='abm'/>
+    <feature name='adx'/>
+    <feature name='aes'/>
+    <feature name='apic'/>
+    <feature name='arat'/>
+    <feature name='avx'/>
+    <feature name='avx2'/>
+    <feature name='avx512bw'/>
+    <feature name='avx512cd'/>
+    <feature name='avx512dq'/>
+    <feature name='avx512f'/>
+    <feature name='avx512vl'/>
+    <feature name='bmi1'/>
+    <feature name='bmi2'/>
+    <feature name='clflush'/>
+    <feature name='clwb'/>
+    <feature name='cmov'/>
+    <feature name='cx16'/>
+    <feature name='cx8'/>
+    <feature name='de'/>
+    <feature name='erms'/>
+    <feature name='f16c'/>
+    <feature name='fma'/>
+    <feature name='fpu'/>
+    <feature name='fsgsbase'/>
+    <feature name='fxsr'/>
+    <feature name='invpcid'/>
+    <feature name='lahf_lm'/>
+    <feature name='lm'/>
+    <feature name='mca'/>
+    <feature name='mce'/>
+    <feature name='mmx'/>
+    <feature name='movbe'/>
+    <feature name='mpx'/>
+    <feature name='msr'/>
+    <feature name='mtrr'/>
+    <feature name='nx'/>
+    <feature name='pae'/>
+    <feature name='pat'/>
+    <feature name='pcid'/>
+    <feature name='pclmuldq'/>
+    <feature name='pdpe1gb'/>
+    <feature name='pge'/>
+    <feature name='pni'/>
+    <feature name='popcnt'/>
+    <feature name='pse'/>
+    <feature name='pse36'/>
+    <feature name='rdrand'/>
+    <feature name='rdseed'/>
+    <feature name='rdtscp'/>
+    <feature name='sep'/>
+    <feature name='smap'/>
+    <feature name='smep'/>
+    <feature name='spec-ctrl'/>
+    <feature name='sse'/>
+    <feature name='sse2'/>
+    <feature name='sse4.1'/>
+    <feature name='sse4.2'/>
+    <feature name='ssse3'/>
+    <feature name='syscall'/>
+    <feature name='tsc'/>
+    <feature name='tsc-deadline'/>
+    <feature name='vme'/>
+    <feature name='x2apic'/>
+    <feature name='xgetbv1'/>
+    <feature name='xsave'/>
+    <feature name='xsavec'/>
+    <feature name='xsaveopt'/>
+  </model>
+</cpus>
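Review bot: this model and Cascadelake-Server-noTSX above share signature family 6 / model 85 and differ only in avx512vnni, clflushopt and ssbd, which appear only in the Cascadelake file; a TSX-disabled Cascade Lake host is therefore told apart from a Skylake Server host purely by those three features during decode. Worth one sentence in the commit message so that the overlap is not mistaken for a copy-paste error.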
diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml
index 92404e4d03..e03c4a06ba 100644
--- a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml
+++ b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-guest.xml
@@ -1,5 +1,5 @@
 <cpu mode='custom' match='exact'>
-  <model fallback='forbid'>Skylake-Client-IBRS</model>
+  <model fallback='forbid'>Skylake-Client-noTSX-IBRS</model>
   <vendor>Intel</vendor>
   <feature policy='require' name='ds'/>
   <feature policy='require' name='acpi'/>
@@ -26,6 +26,4 @@
   <feature policy='require' name='pdpe1gb'/>
   <feature policy='require' name='invtsc'/>
   <feature policy='require' name='skip-l1dfl-vmentry'/>
-  <feature policy='disable' name='hle'/>
-  <feature policy='disable' name='rtm'/>
 </cpu>
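Review bot: dropping the two policy='disable' lines for hle and rtm changes what a host-model guest is started with, from Skylake-Client-IBRS with TSX disabled to Skylake-Client-noTSX-IBRS, which is exactly the behaviour Jirka asked to keep unchanged in the reply above and which the v2 cover letter says is deliberately left open. If the series goes in as-is, the commit message should state this guest-visible change and its consequence for compatibility between libvirt versions explicitly, instead of recording it only as updated test output.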
diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml
index 808a8ff969..7f6fe2eac3 100644
--- a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml
+++ b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-host.xml
@@ -1,8 +1,7 @@
 <cpu>
   <arch>x86_64</arch>
-  <model>Broadwell-noTSX-IBRS</model>
+  <model>Skylake-Client-noTSX-IBRS</model>
   <vendor>Intel</vendor>
-  <feature name='vme'/>
   <feature name='ds'/>
   <feature name='acpi'/>
   <feature name='ss'/>
@@ -18,22 +17,14 @@
   <feature name='xtpr'/>
   <feature name='pdcm'/>
   <feature name='osxsave'/>
-  <feature name='f16c'/>
-  <feature name='rdrand'/>
-  <feature name='arat'/>
   <feature name='tsc_adjust'/>
-  <feature name='mpx'/>
   <feature name='clflushopt'/>
   <feature name='intel-pt'/>
   <feature name='md-clear'/>
   <feature name='stibp'/>
   <feature name='ssbd'/>
-  <feature name='xsaveopt'/>
-  <feature name='xsavec'/>
-  <feature name='xgetbv1'/>
   <feature name='xsaves'/>
   <feature name='pdpe1gb'/>
-  <feature name='abm'/>
   <feature name='invtsc'/>
   <feature name='skip-l1dfl-vmentry'/>
 </cpu>
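Review bot: the nine feature lines removed in this hunk and the previous one (vme, f16c, rdrand, arat, mpx, xsaveopt, xsavec, xgetbv1, abm) are all listed in x86_Skylake-Client-noTSX-IBRS.xml above, so they become implicit once the host model switches from Broadwell-noTSX-IBRS, while the lines that remain (clflushopt, intel-pt, md-clear, stibp, ssbd, xsaves, invtsc and the rest) are not in that model. Consistent, but a sentence in the commit message saying the host definition shrinks because the closer model absorbs those features would make the '11 +--' in the diffstat self-explanatory.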
diff --git a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml
index 645c0934c2..3d8e6775bf 100644
--- a/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml
+++ b/tests/cputestdata/x86_64-cpuid-Core-i7-8550U-json.xml
@@ -1,5 +1,5 @@
 <cpu mode='custom' match='exact'>
-  <model fallback='forbid'>Skylake-Client-IBRS</model>
+  <model fallback='forbid'>Skylake-Client-noTSX-IBRS</model>
   <vendor>Intel</vendor>
   <feature policy='require' name='ss'/>
   <feature policy='require' name='vmx'/>
@@ -14,6 +14,4 @@
   <feature policy='require' name='xsaves'/>
   <feature policy='require' name='pdpe1gb'/>
   <feature policy='require' name='skip-l1dfl-vmentry'/>
-  <feature policy='disable' name='hle'/>
-  <feature policy='disable' name='rtm'/>
 </cpu>
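Review bot: same point as for x86_64-cpuid-Core-i7-8550U-guest.xml above: removing the hle and rtm disable lines here records the host-model change that is still under discussion in the thread, so it belongs in the commit message rather than appearing only as a test-data update.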
diff --git a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
index eaa3b75695..1b8b8be2f5 100644
--- a/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-q35.x86_64.xml
@@ -63,8 +63,10 @@
       <model usable='no'>athlon</model>
       <model usable='yes'>Westmere-IBRS</model>
       <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='yes'>Skylake-Client-noTSX-IBRS</model>
       <model usable='yes'>Skylake-Client-IBRS</model>
       <model usable='yes'>Skylake-Client</model>
       <model usable='yes'>SandyBridge-IBRS</model>
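Review bot: usable='no' for Skylake-Server-noTSX-IBRS and usable='yes' for Skylake-Client-noTSX-IBRS copy the usability of the base models on the lines directly below them, which is the expected result of regenerating with VIR_TEST_REGENERATE_OUTPUT=1 as suggested in the thread, and the same pattern repeats in the remaining domaincapsdata hunks. Nothing to change here, but stating in the commit message that these files were regenerated rather than hand-edited tells reviewers they need not check each usable attribute by hand.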
@@ -79,7 +81,9 @@
       <model usable='yes'>Nehalem</model>
       <model usable='yes'>IvyBridge-IBRS</model>
       <model usable='yes'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='yes'>Haswell-noTSX-IBRS</model>
       <model usable='yes'>Haswell-noTSX</model>
@@ -89,6 +93,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='yes'>Broadwell-noTSX-IBRS</model>
       <model usable='yes'>Broadwell-noTSX</model>
diff --git a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
index af482e3821..a348c7f2fc 100644
--- a/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0-tcg.x86_64.xml
@@ -73,8 +73,10 @@
       <model usable='yes'>athlon</model>
       <model usable='no'>Westmere-IBRS</model>
       <model usable='no'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='no'>Skylake-Client-noTSX-IBRS</model>
       <model usable='no'>Skylake-Client-IBRS</model>
       <model usable='no'>Skylake-Client</model>
       <model usable='no'>SandyBridge-IBRS</model>
@@ -89,7 +91,9 @@
       <model usable='no'>Nehalem</model>
       <model usable='no'>IvyBridge-IBRS</model>
       <model usable='no'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='no'>Haswell-noTSX-IBRS</model>
       <model usable='no'>Haswell-noTSX</model>
@@ -99,6 +103,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='no'>Broadwell-noTSX-IBRS</model>
       <model usable='no'>Broadwell-noTSX</model>
diff --git a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
index c82d12d3ce..213dcc5a08 100644
--- a/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_4.2.0.x86_64.xml
@@ -62,8 +62,10 @@
       <model usable='no'>athlon</model>
       <model usable='yes'>Westmere-IBRS</model>
       <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='yes'>Skylake-Client-noTSX-IBRS</model>
       <model usable='yes'>Skylake-Client-IBRS</model>
       <model usable='yes'>Skylake-Client</model>
       <model usable='yes'>SandyBridge-IBRS</model>
@@ -78,7 +80,9 @@
       <model usable='yes'>Nehalem</model>
       <model usable='yes'>IvyBridge-IBRS</model>
       <model usable='yes'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='yes'>Haswell-noTSX-IBRS</model>
       <model usable='yes'>Haswell-noTSX</model>
@@ -88,6 +92,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='yes'>Broadwell-noTSX-IBRS</model>
       <model usable='yes'>Broadwell-noTSX</model>
diff --git a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
index d60ea85ffc..45c3e00b1e 100644
--- a/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-q35.x86_64.xml
@@ -63,8 +63,10 @@
       <model usable='no'>athlon</model>
       <model usable='yes'>Westmere-IBRS</model>
       <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='yes'>Skylake-Client-noTSX-IBRS</model>
       <model usable='yes'>Skylake-Client-IBRS</model>
       <model usable='yes'>Skylake-Client</model>
       <model usable='yes'>SandyBridge-IBRS</model>
@@ -79,7 +81,9 @@
       <model usable='yes'>Nehalem</model>
       <model usable='yes'>IvyBridge-IBRS</model>
       <model usable='yes'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='yes'>Haswell-noTSX-IBRS</model>
       <model usable='yes'>Haswell-noTSX</model>
@@ -89,6 +93,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='yes'>Broadwell-noTSX-IBRS</model>
       <model usable='yes'>Broadwell-noTSX</model>
diff --git a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
index 6c9ab40ca4..d567863f49 100644
--- a/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0-tcg.x86_64.xml
@@ -72,8 +72,10 @@
       <model usable='yes'>athlon</model>
       <model usable='no'>Westmere-IBRS</model>
       <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='no'>Skylake-Client-noTSX-IBRS</model>
       <model usable='no'>Skylake-Client-IBRS</model>
       <model usable='no'>Skylake-Client</model>
       <model usable='no'>SandyBridge-IBRS</model>
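Review bot: For the TCG fixture every new noTSX model is expected 'no', including Skylake-Client-noTSX-IBRS, which is 'yes' in the KVM fixtures. That is the right expectation, since TCG does not provide the remaining Skylake features either, but it also means this file adds no coverage beyond model presence and ordering; worth keeping in mind when judging how much of the new cpu_map content the test suite actually exercises.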
@@ -88,7 +90,9 @@
       <model usable='yes'>Nehalem</model>
       <model usable='no'>IvyBridge-IBRS</model>
       <model usable='no'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='no'>Haswell-noTSX-IBRS</model>
       <model usable='no'>Haswell-noTSX</model>
@@ -98,6 +102,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='no'>Broadwell-noTSX-IBRS</model>
       <model usable='no'>Broadwell-noTSX</model>
diff --git a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
index 6b5f175614..d2a884eed1 100644
--- a/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
+++ b/tests/domaincapsdata/qemu_5.0.0.x86_64.xml
@@ -62,8 +62,10 @@
       <model usable='no'>athlon</model>
       <model usable='yes'>Westmere-IBRS</model>
       <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-noTSX-IBRS</model>
       <model usable='no'>Skylake-Server-IBRS</model>
       <model usable='no'>Skylake-Server</model>
+      <model usable='yes'>Skylake-Client-noTSX-IBRS</model>
       <model usable='yes'>Skylake-Client-IBRS</model>
       <model usable='yes'>Skylake-Client</model>
       <model usable='yes'>SandyBridge-IBRS</model>
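Review bot: These expectations are identical to the qemu_5.0.0-q35.x86_64.xml hunk, which is expected because model usability is derived from the host CPU and accelerator rather than from the machine type. Since the values are mechanically the same in both files, a one-line remark in the commit message that the domaincaps fixtures were regenerated (or hand-synchronised) would help reviewers tell a regenerated value from a typo.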
@@ -78,7 +80,9 @@
       <model usable='yes'>Nehalem</model>
       <model usable='yes'>IvyBridge-IBRS</model>
       <model usable='yes'>IvyBridge</model>
+      <model usable='no'>Icelake-Server-noTSX</model>
       <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client-noTSX</model>
       <model usable='no'>Icelake-Client</model>
       <model usable='yes'>Haswell-noTSX-IBRS</model>
       <model usable='yes'>Haswell-noTSX</model>
@@ -88,6 +92,7 @@
       <model usable='no'>EPYC</model>
       <model usable='no'>Dhyana</model>
       <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server-noTSX</model>
       <model usable='no'>Cascadelake-Server</model>
       <model usable='yes'>Broadwell-noTSX-IBRS</model>
       <model usable='yes'>Broadwell-noTSX</model>
-- 
2.25.1


Re: [PATCH v2 1/1] cpu_map: Add more -noTSX x86 CPU models
Posted by Christian Ehrhardt 4 years, 1 month ago
On Tue, Mar 10, 2020 at 11:48 AM Christian Ehrhardt <christian.ehrhardt@canonical.com> wrote:

> One of the mitigation methods for TAA[1] is to disable TSX
> support on the host system.  Linux added a mechanism to disable
> TSX globally through the kernel command line, and many Linux
> distributions now default to tsx=off.  This makes existing CPU
> models that have HLE and RTM enabled not usable anymore.
>
> Add new versions of all CPU models that have the HLE and RTM
> features enabled, that can be used when TSX is disabled in the
> host system.
>
> On systems disabling the features without those types defined
> in cpu-maps users end up without modern CPU types in the list
> of usable CPUs to use in the likes of virsh domcapabilities
> or tools higher in the stack like virt-manager.
>
> This adds:
> -Cascadelake-Server-noTSX
> -Icelake-Client-noTSX
> -Icelake-Server-noTSX
> -Skylake-Server-noTSX-IBRS
> -Skylake-Client-noTSX-IBRS
>
> Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
>                   and commit v4.2.0-rc2-4-g02fa60d101 (names)
>

Ping - anything else that we need for this v2 right now to accept it?

I know in the long run Jiri would want to auto-select the non noTSX types.
But as I outlined before I'd consider this a later change or would need
some guidance where/how it is envisioned to do that preference.
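The commit message quoted above says that models carrying HLE and RTM stop being usable once the host runs with tsx=off, while the new noTSX variants remain usable. The following script is an added example, not libvirt code and not part of this thread: it parses a constructed, cut-down cpu_map fragment in libvirt's `<cpus><model><feature/>` layout together with constructed /proc/cpuinfo `flags` lines, and applies the simplified rule "a model is usable when the host exposes every feature it lists" (libvirt's real check also consults QEMU, so that rule is an assumption here). The feature lists, the flag-name translation table and the sample hosts are all constructed for the example.

```python
"""Added example (not libvirt code): why tsx=off hides TSX-bearing CPU models.

virsh domcapabilities reports usable='yes' for a CPU model only when the host
exposes the features the model requires. This script models that decision with
a constructed cpu_map fragment and constructed /proc/cpuinfo flag lines. The
subset rule in usable_models() is a simplification (assumption): the real
libvirt logic also asks QEMU about the model.
"""
import xml.etree.ElementTree as ET

# Constructed cut-down cpu_map entries in libvirt's XML layout. Feature lists
# are trimmed to what matters for the comparison; real models carry many more.
CPU_MAP_XML = """
<cpus>
  <model name='Skylake-Client-IBRS'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
    <feature name='hle'/>
    <feature name='rtm'/>
    <feature name='spec-ctrl'/>
  </model>
  <model name='Skylake-Client-noTSX-IBRS'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
    <feature name='spec-ctrl'/>
  </model>
  <model name='Haswell-noTSX'>
    <vendor name='Intel'/>
    <feature name='avx2'/>
  </model>
</cpus>
"""

# Constructed /proc/cpuinfo 'flags' lines for the same host, once with TSX
# available and once booted with tsx=off (hle and rtm no longer advertised).
CPUINFO_TSX_ON = "flags\t\t: fpu vme avx2 hle rtm spec_ctrl"
CPUINFO_TSX_OFF = "flags\t\t: fpu vme avx2 spec_ctrl"

# Kernel flag names differ from libvirt/QEMU feature names in places; this
# small table (constructed) covers the names used in the sample above.
FLAG_TO_FEATURE = {"spec_ctrl": "spec-ctrl"}


def parse_cpu_map(xml_text):
    """Return {model_name: set(feature_names)} from a cpu_map-style <cpus> doc."""
    root = ET.fromstring(xml_text)
    return {
        m.get("name"): {f.get("name") for f in m.findall("feature")}
        for m in root.findall("model")
    }


def host_features(cpuinfo_text):
    """Extract the feature set from the 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return {FLAG_TO_FEATURE.get(f, f) for f in value.split()}
    return set()


def tsx_disabled(features):
    """TSX counts as off when neither HLE nor RTM is exposed to software."""
    return not ({"hle", "rtm"} & features)


def usable_models(cpu_map, features):
    """Simplified usability rule: usable iff every model feature is on the host."""
    return {name: feats <= features for name, feats in cpu_map.items()}


def report(cpuinfo_text, cpu_map_xml=CPU_MAP_XML):
    """Return (tsx_disabled, {model: usable}) for one host description."""
    feats = host_features(cpuinfo_text)
    return tsx_disabled(feats), usable_models(parse_cpu_map(cpu_map_xml), feats)


if __name__ == "__main__":
    for label, text in (("tsx=on", CPUINFO_TSX_ON), ("tsx=off", CPUINFO_TSX_OFF)):
        off, usable = report(text)
        print(f"{label}: TSX disabled={off}")
        for name, ok in sorted(usable.items()):
            print(f"  <model usable='{'yes' if ok else 'no'}'>{name}</model>")
```

Running it prints the domaincapabilities-style lines for both hosts: with TSX on, all three models are usable; with tsx=off, Skylake-Client-IBRS drops to usable='no' while Skylake-Client-noTSX-IBRS and Haswell-noTSX stay 'yes', which is exactly the gap the patch closes for the newer models. To apply it to a real host, feed the contents of /proc/cpuinfo to `report()` and extend FLAG_TO_FEATURE for the flag names the host shows.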
Re: [PATCH v2 1/1] cpu_map: Add more -noTSX x86 CPU models
Posted by Jiri Denemark 4 years, 1 month ago
On Fri, Mar 13, 2020 at 09:45:15 +0100, Christian Ehrhardt wrote:
> On Tue, Mar 10, 2020 at 11:48 AM Christian Ehrhardt <christian.ehrhardt@canonical.com> wrote:
> 
> > One of the mitigation methods for TAA[1] is to disable TSX
> > support on the host system.  Linux added a mechanism to disable
> > TSX globally through the kernel command line, and many Linux
> > distributions now default to tsx=off.  This makes existing CPU
> > models that have HLE and RTM enabled not usable anymore.
> >
> > Add new versions of all CPU models that have the HLE and RTM
> > features enabled, that can be used when TSX is disabled in the
> > host system.
> >
> > On systems disabling the features without those types defined
> > in cpu-maps users end up without modern CPU types in the list
> > of usable CPUs to use in the likes of virsh domcapabilities
> > or tools higher in the stack like virt-manager.
> >
> > This adds:
> > -Cascadelake-Server-noTSX
> > -Icelake-Client-noTSX
> > -Icelake-Server-noTSX
> > -Skylake-Server-noTSX-IBRS
> > -Skylake-Client-noTSX-IBRS
> >
> > Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
> >                   and commit v4.2.0-rc2-4-g02fa60d101 (names)
> >
> 
> Ping - anything else that we need for this v2 right now to accept it?
> 
> I know in the long run Jiri would want to auto-select the non noTSX types.
> But as I outlined before I'd consider this a later change or would need
> some guidance where/how it is envisioned to do that preference.

Sorry, I already started working on this additional patch as I'd like it
to be pushed right after yours. But I got distracted by other higher
priority things. I hope to finish it and send for a review soon.

Jirka

Re: [PATCH v2 1/1] cpu_map: Add more -noTSX x86 CPU models
Posted by Jiri Denemark 4 years, 1 month ago
On Tue, Mar 10, 2020 at 11:48:06 +0100, Christian Ehrhardt wrote:
> One of the mitigation methods for TAA[1] is to disable TSX
> support on the host system.  Linux added a mechanism to disable
> TSX globally through the kernel command line, and many Linux
> distributions now default to tsx=off.  This makes existing CPU
> models that have HLE and RTM enabled not usable anymore.
> 
> Add new versions of all CPU models that have the HLE and RTM
> features enabled, that can be used when TSX is disabled in the
> host system.
> 
> On systems disabling the features without those types defined
> in cpu-maps users end up without modern CPU types in the list
> of usable CPUs to use in the likes of virsh domcapabilities
> or tools higher in the stack like virt-manager.
> 
> This adds:
> -Cascadelake-Server-noTSX
> -Icelake-Client-noTSX
> -Icelake-Server-noTSX
> -Skylake-Server-noTSX-IBRS
> -Skylake-Client-noTSX-IBRS
> 
> Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
>                   and commit v4.2.0-rc2-4-g02fa60d101 (names)
> 
> References:
> 
>     [1] TAA, TSX asynchronous Abort:
>         https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
>         https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

I just resent this patch (with my Reviewed-by already applied) together
with a few additional patches for not using the new noTSX model for
host-model CPUs.

Jirka