From: Paolo Bonzini
To: qemu-devel@nongnu.org
Cc: Vitaly Kuznetsov
Subject: [PULL 04/39] i386/kvm: add NoNonArchitecturalCoreSharing Hyper-V enlightenment
Date: Thu, 24 Oct 2019 16:03:20 +0200
Message-Id: <1571925835-31930-5-git-send-email-pbonzini@redhat.com>
In-Reply-To: <1571925835-31930-1-git-send-email-pbonzini@redhat.com>
References: <1571925835-31930-1-git-send-email-pbonzini@redhat.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Vitaly Kuznetsov

Hyper-V TLFS specifies this enlightenment as:
"NoNonArchitecturalCoreSharing - Indicates that a virtual processor will never
share a physical core with another virtual processor, except for virtual
processors that are reported as sibling SMT threads. This can be used as an
optimization to avoid the performance overhead of STIBP".

However, STIBP is not the only implication. It was found that Hyper-V on
KVM doesn't pass MD_CLEAR bit to its guests if it doesn't see
NoNonArchitecturalCoreSharing bit.

KVM reports NoNonArchitecturalCoreSharing in KVM_GET_SUPPORTED_HV_CPUID to
indicate that SMT on the host is impossible (not supported or forcefully
disabled).

Implement NoNonArchitecturalCoreSharing support in QEMU as tristate:
'off' - the feature is disabled (default)
'on' - the feature is enabled. This is only safe if vCPUs are properly
 pinned and correct topology is exposed. As CPU pinning is done outside
 of QEMU the enablement decision will be made on a higher level.
'auto' - copy KVM setting. As during live migration SMT settings on the
 source and destination host may differ this requires us to add a migration
 blocker.

Signed-off-by: Vitaly Kuznetsov
Message-Id: <20191018163908.10246-1-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini
---
 docs/hyperv.txt            | 13 +++++++++++++
 target/i386/cpu.c          |  2 ++
 target/i386/cpu.h          |  2 ++
 target/i386/hyperv-proto.h |  1 +
 target/i386/kvm.c          | 26 ++++++++++++++++++++++++++
 5 files changed, 44 insertions(+)

diff --git a/docs/hyperv.txt b/docs/hyperv.txt index 8fdf25c..6518b71 100644 --- a/docs/hyperv.txt +++ b/docs/hyperv.txt 
@@ -184,6 +184,19 @@ enabled. =20 Requires: hv-vpindex, hv-synic, hv-time, hv-stimer =20 +3.17. hv-no-nonarch-coresharing=3Don/off/auto +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +This enlightenment tells guest OS that virtual processors will never share= a +physical core unless they are reported as sibling SMT threads. This inform= ation +is required by Windows and Hyper-V guests to properly mitigate SMT related= CPU +vulnerabilities. +When the option is set to 'auto' QEMU will enable the feature only when KVM +reports that non-architectural coresharing is impossible, this means that +hyper-threading is not supported or completely disabled on the host. This +setting also prevents migration as SMT settings on the destination may dif= fer. +When the option is set to 'on' QEMU will always enable the feature, regard= less +of host setup. To keep guests secure, this can only be used in conjunction= with +exposing correct vCPU topology and vCPU pinning. =20 4. Development features =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 47200b4..6c87c99 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -6174,6 +6174,8 @@ static Property x86_cpu_properties[] =3D { HYPERV_FEAT_IPI, 0), DEFINE_PROP_BIT64("hv-stimer-direct", X86CPU, hyperv_features, HYPERV_FEAT_STIMER_DIRECT, 0), + DEFINE_PROP_ON_OFF_AUTO("hv-no-nonarch-coresharing", X86CPU, + hyperv_no_nonarch_cs, ON_OFF_AUTO_OFF), DEFINE_PROP_BOOL("hv-passthrough", X86CPU, hyperv_passthrough, false), =20 DEFINE_PROP_BOOL("check", X86CPU, check_cpuid, true), diff --git a/target/i386/cpu.h b/target/i386/cpu.h index cedb5bc..c50a9c7 100644 --- a/target/i386/cpu.h +++ b/target/i386/cpu.h 
@@ -24,6 +24,7 @@ #include "cpu-qom.h" #include "hyperv-proto.h" #include "exec/cpu-defs.h" +#include "qapi/qapi-types-common.h" =20 /* The x86 has a strong memory model with some store-after-load re-orderin= g */ #define TCG_GUEST_DEFAULT_MO (TCG_MO_ALL & ~TCG_MO_ST_LD) @@ -1614,6 +1615,7 @@ struct X86CPU { bool hyperv_synic_kvm_only; uint64_t hyperv_features; bool hyperv_passthrough; + OnOffAuto hyperv_no_nonarch_cs; =20 bool check_cpuid; bool enforce_cpuid; diff --git a/target/i386/hyperv-proto.h b/target/i386/hyperv-proto.h index cffac10..056a305 100644 --- a/target/i386/hyperv-proto.h +++ b/target/i386/hyperv-proto.h @@ -63,6 +63,7 @@ #define HV_CLUSTER_IPI_RECOMMENDED (1u << 10) #define HV_EX_PROCESSOR_MASKS_RECOMMENDED (1u << 11) #define HV_ENLIGHTENED_VMCS_RECOMMENDED (1u << 14) +#define HV_NO_NONARCH_CORESHARING (1u << 18) =20 /* * Basic virtualized MSRs diff --git a/target/i386/kvm.c b/target/i386/kvm.c index 0e3da99..49a3011 100644 --- a/target/i386/kvm.c +++ b/target/i386/kvm.c @@ -1227,6 +1227,16 @@ static int hyperv_handle_properties(CPUState *cs, } } =20 + if (cpu->hyperv_no_nonarch_cs =3D=3D ON_OFF_AUTO_ON) { + env->features[FEAT_HV_RECOMM_EAX] |=3D HV_NO_NONARCH_CORESHARING; + } else if (cpu->hyperv_no_nonarch_cs =3D=3D ON_OFF_AUTO_AUTO) { + c =3D cpuid_find_entry(cpuid, HV_CPUID_ENLIGHTMENT_INFO, 0); + if (c) { + env->features[FEAT_HV_RECOMM_EAX] |=3D + c->eax & HV_NO_NONARCH_CORESHARING; + } + } + /* Features */ r =3D hv_cpuid_check_and_set(cs, cpuid, HYPERV_FEAT_RELAXED); r |=3D hv_cpuid_check_and_set(cs, cpuid, HYPERV_FEAT_VAPIC); @@ -1340,6 +1350,7 @@ free: } =20 static Error *hv_passthrough_mig_blocker; +static Error *hv_no_nonarch_cs_mig_blocker; =20 static int hyperv_init_vcpu(X86CPU *cpu) { 
@@ -1359,6 +1370,21 @@ static int hyperv_init_vcpu(X86CPU *cpu) } } =20 + if (cpu->hyperv_no_nonarch_cs =3D=3D ON_OFF_AUTO_AUTO && + hv_no_nonarch_cs_mig_blocker =3D=3D NULL) { + error_setg(&hv_no_nonarch_cs_mig_blocker, + "'hv-no-nonarch-coresharing=3Dauto' CPU flag prevents m= igration" + " use explicit 'hv-no-nonarch-coresharing=3Don' instead= (but" + " make sure SMT is disabled and/or that vCPUs are prope= rly" + " pinned)"); + ret =3D migrate_add_blocker(hv_no_nonarch_cs_mig_blocker, &local_e= rr); + if (local_err) { + error_report_err(local_err); + error_free(hv_no_nonarch_cs_mig_blocker); + return ret; + } + } + if (hyperv_feat_enabled(cpu, HYPERV_FEAT_VPINDEX) && !hv_vpindex_setta= ble) { /* * the kernel doesn't support setting vp_index; assert that its va= lue --=20 1.8.3.1
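
Review bot: the new section 3.17 in docs/hyperv.txt describes 'auto' and 'on' but never 'off', although the property added in target/i386/cpu.c defaults to ON_OFF_AUTO_OFF. State the default and what a guest loses with it: the commit message notes that Hyper-V on KVM does not pass MD_CLEAR to its guests when it does not see this bit, and that consequence belongs in the documentation as well. The sentence "reports that non-architectural coresharing is impossible, this means that" is a comma splice and would read better as two sentences.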
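
Review bot: in the hyperv_handle_properties() hunk of target/i386/kvm.c, the ON_OFF_AUTO_ON branch sets HV_NO_NONARCH_CORESHARING in FEAT_HV_RECOMM_EAX unconditionally, without consulting the KVM-reported value that the 'auto' branch reads through cpuid_find_entry(). That matches the documented intent, but the code carries no comment saying that correctness here depends on vCPU pinning and topology configured outside QEMU; a short comment above the branch would keep a later reader from treating 'on' as a validated state. In the 'auto' branch, a missing HV_CPUID_ENLIGHTMENT_INFO entry falls through "if (c)" with no else, so the bit stays clear with no indication to a user who asked for 'auto'; consider reporting that case.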
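
Review bot: in the hyperv_init_vcpu() hunk of target/i386/kvm.c, the failure path after migrate_add_blocker() calls error_free(hv_no_nonarch_cs_mig_blocker) but leaves the static pointer non-NULL. The block is guarded by "hv_no_nonarch_cs_mig_blocker == NULL", so any later call would skip registering the blocker while the variable points at freed memory; set it to NULL right after error_free(). Separately, the concatenated error string reads "prevents migration use explicit ..." with nothing between the two clauses; a comma or semicolon after "migration" would fix the message.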