[PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID

Paolo Bonzini posted 2 patches 5 months ago
Maintainers: Paolo Bonzini <pbonzini@redhat.com>, Marcelo Tosatti <mtosatti@redhat.com>
[PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID
Posted by Paolo Bonzini 5 months ago
The recent addition of the SUCCOR bit to kvm_arch_get_supported_cpuid()
causes the bit to be visible when "-cpu host" VMs are started on Intel
processors.

While this should in principle be harmless, it's not tidy and we don't
even know for sure that it doesn't cause any guest OS to take unexpected
paths.  Since x86_cpu_get_supported_feature_word() can return different
different values depending on the guest, adjust it to hide the SUCCOR
bit if the guest has non-AMD vendor.

Suggested-by: Xiaoyao Li <xiaoyao.li@intel.com>
Cc: John Allen <john.allen@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index deb58670651..f3e9b543682 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -6064,8 +6064,10 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
     } else {
         return ~0;
     }
+
+    switch (w) {
 #ifndef TARGET_X86_64
-    if (w == FEAT_8000_0001_EDX) {
+    case FEAT_8000_0001_EDX:
         /*
          * 32-bit TCG can emulate 64-bit compatibility mode.  If there is no
          * way for userspace to get out of its 32-bit jail, we can leave
@@ -6077,6 +6079,18 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
         r &= ~unavail;
         break;
 #endif
+
+    case FEAT_8000_0007_EBX:
+        if (cpu && !IS_AMD_CPU(&cpu->env)) {
+            /* Disable AMD machine check architecture for Intel CPU.  */
+            r = 0;
+        }
+        break;
+
+    default:
+        break;
+    }
+
     if (cpu && cpu->migratable) {
         r &= x86_cpu_get_migratable_flags(w);
     }
-- 
2.45.2
Re: [PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID
Posted by Xiaoyao Li 4 months, 4 weeks ago
On 6/27/2024 10:06 PM, Paolo Bonzini wrote:
> The recent addition of the SUCCOR bit to kvm_arch_get_supported_cpuid()
> causes the bit to be visible when "-cpu host" VMs are started on Intel
> processors.
> 
> While this should in principle be harmless, it's not tidy and we don't
> even know for sure that it doesn't cause any guest OS to take unexpected
> paths.  Since x86_cpu_get_supported_feature_word() can return different
> different values depending on the guest, adjust it to hide the SUCCOR

superfluous different

> bit if the guest has non-AMD vendor.

It seems to adjust it based on vendor in kvm_arch_get_supported_cpuid() 
is better than in x86_cpu_get_supported_feature_word(). Otherwise 
kvm_arch_get_supported_cpuid() still returns "risky" value for Intel VMs.

> 
> Suggested-by: Xiaoyao Li <xiaoyao.li@intel.com>
> Cc: John Allen <john.allen@amd.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>   target/i386/cpu.c | 16 +++++++++++++++-
>   1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index deb58670651..f3e9b543682 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -6064,8 +6064,10 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
>       } else {
>           return ~0;
>       }
> +
> +    switch (w) {
>   #ifndef TARGET_X86_64
> -    if (w == FEAT_8000_0001_EDX) {
> +    case FEAT_8000_0001_EDX:
>           /*
>            * 32-bit TCG can emulate 64-bit compatibility mode.  If there is no
>            * way for userspace to get out of its 32-bit jail, we can leave
> @@ -6077,6 +6079,18 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
>           r &= ~unavail;
>           break;
>   #endif
> +
> +    case FEAT_8000_0007_EBX:
> +        if (cpu && !IS_AMD_CPU(&cpu->env)) {
> +            /* Disable AMD machine check architecture for Intel CPU.  */
> +            r = 0;
> +        }
> +        break;
> +
> +    default:
> +        break;
> +    }
> +
>       if (cpu && cpu->migratable) {
>           r &= x86_cpu_get_migratable_flags(w);
>       }
Re: [PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID
Posted by Paolo Bonzini 4 months, 4 weeks ago
Il ven 28 giu 2024, 10:32 Xiaoyao Li <xiaoyao.li@intel.com> ha scritto:

> On 6/27/2024 10:06 PM, Paolo Bonzini wrote:
> > The recent addition of the SUCCOR bit to kvm_arch_get_supported_cpuid()
> > causes the bit to be visible when "-cpu host" VMs are started on Intel
> > processors.
> >
> > While this should in principle be harmless, it's not tidy and we don't
> > even know for sure that it doesn't cause any guest OS to take unexpected
> > paths.  Since x86_cpu_get_supported_feature_word() can return different
> > different values depending on the guest, adjust it to hide the SUCCOR
>
> superfluous different
>
> > bit if the guest has non-AMD vendor.
>
> It seems to adjust it based on vendor in kvm_arch_get_supported_cpuid()
> is better than in x86_cpu_get_supported_feature_word(). Otherwise
> kvm_arch_get_supported_cpuid() still returns "risky" value for Intel VMs.
>

But the cpuid bit is only invalid for Intel *guest* vendor, not host. It is
not a problem to have it if you run on Intel host but have a guest model
with AMD vendor.

I will check if there are other callers of kvm_arch_get_supported_cpuid(),
or callers of x86_cpu_get_supported_feature_word() with NULL cpu, that
might care about the difference.

Paolo

>
> > Suggested-by: Xiaoyao Li <xiaoyao.li@intel.com>
> > Cc: John Allen <john.allen@amd.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> >   target/i386/cpu.c | 16 +++++++++++++++-
> >   1 file changed, 15 insertions(+), 1 deletion(-)
> >
> > diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> > index deb58670651..f3e9b543682 100644
> > --- a/target/i386/cpu.c
> > +++ b/target/i386/cpu.c
> > @@ -6064,8 +6064,10 @@ uint64_t
> x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
> >       } else {
> >           return ~0;
> >       }
> > +
> > +    switch (w) {
> >   #ifndef TARGET_X86_64
> > -    if (w == FEAT_8000_0001_EDX) {
> > +    case FEAT_8000_0001_EDX:
> >           /*
> >            * 32-bit TCG can emulate 64-bit compatibility mode.  If there
> is no
> >            * way for userspace to get out of its 32-bit jail, we can
> leave
> > @@ -6077,6 +6079,18 @@ uint64_t
> x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w)
> >           r &= ~unavail;
> >           break;
> >   #endif
> > +
> > +    case FEAT_8000_0007_EBX:
> > +        if (cpu && !IS_AMD_CPU(&cpu->env)) {
> > +            /* Disable AMD machine check architecture for Intel CPU.  */
> > +            r = 0;
> > +        }
> > +        break;
> > +
> > +    default:
> > +        break;
> > +    }
> > +
> >       if (cpu && cpu->migratable) {
> >           r &= x86_cpu_get_migratable_flags(w);
> >       }
>
>
Re: [PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID
Posted by Zhao Liu 4 months, 3 weeks ago
On Fri, Jun 28, 2024 at 03:23:11PM +0200, Paolo Bonzini wrote:
> Date: Fri, 28 Jun 2024 15:23:11 +0200
> From: Paolo Bonzini <pbonzini@redhat.com>
> Subject: Re: [PATCH 2/2] target/i386: drop AMD machine check bits from
>  Intel CPUID
> 
> Il ven 28 giu 2024, 10:32 Xiaoyao Li <xiaoyao.li@intel.com> ha scritto:
> 
> > On 6/27/2024 10:06 PM, Paolo Bonzini wrote:
> > > The recent addition of the SUCCOR bit to kvm_arch_get_supported_cpuid()
> > > causes the bit to be visible when "-cpu host" VMs are started on Intel
> > > processors.
> > >
> > > While this should in principle be harmless, it's not tidy and we don't
> > > even know for sure that it doesn't cause any guest OS to take unexpected
> > > paths.  Since x86_cpu_get_supported_feature_word() can return different
> > > different values depending on the guest, adjust it to hide the SUCCOR
> >
> > superfluous different
> >
> > > bit if the guest has non-AMD vendor.
> >
> > It seems to adjust it based on vendor in kvm_arch_get_supported_cpuid()
> > is better than in x86_cpu_get_supported_feature_word(). Otherwise
> > kvm_arch_get_supported_cpuid() still returns "risky" value for Intel VMs.
> >
> 
> But the cpuid bit is only invalid for Intel *guest* vendor, not host. It is
> not a problem to have it if you run on Intel host but have a guest model
> with AMD vendor.
> 
> I will check if there are other callers of kvm_arch_get_supported_cpuid(),
> or callers of x86_cpu_get_supported_feature_word() with NULL cpu, that
> might care about the difference.

Another example is CPUID_EXT3_TOPOEXT, though it's a no_autoenable_flags,
it can be set by "-cpu host,+topoext" on Intel platforms.

For this case, we have recognized that that the host/max CPU should only
contain vender specific features, and I think it would be hard to expand
such a rule afterwards, especially since there's other x86 vender like
zhaoxin who implement a subset of Intel/AMD:

https://lore.kernel.org/qemu-devel/d4c0dae5-b9d5-4deb-b300-78492ab11ed8@zhaoxin.com/#t

What about a new flag "host_bare_metal_check" in FeatureWordInfo? Then
if a feature is marked as "host_bare_metal_check", in addition to the
current checks in x86_cpu_get_supported_feature_word(), bare-metal CPUID
check is also needed (by host_cpuid()) for "host" CPU.

-Zhao
Re: [PATCH 2/2] target/i386: drop AMD machine check bits from Intel CPUID
Posted by Paolo Bonzini 4 months, 3 weeks ago
On Mon, Jul 1, 2024 at 6:08 AM Zhao Liu <zhao1.liu@intel.com> wrote:
> > > It seems to adjust it based on vendor in kvm_arch_get_supported_cpuid()
> > > is better than in x86_cpu_get_supported_feature_word(). Otherwise
> > > kvm_arch_get_supported_cpuid() still returns "risky" value for Intel VMs.
> >
> > But the cpuid bit is only invalid for Intel *guest* vendor, not host. It is
> > not a problem to have it if you run on Intel host but have a guest model
> > with AMD vendor.
> >
> > I will check if there are other callers of kvm_arch_get_supported_cpuid(),
> > or callers of x86_cpu_get_supported_feature_word() with NULL cpu, that
> > might care about the difference.
>
> Another example is CPUID_EXT3_TOPOEXT, though it's a no_autoenable_flags,
> it can be set by "-cpu host,+topoext" on Intel platforms.

That was done by commit 7210a02c585 ("i386: Disable TOPOEXT by default
on "-cpu host"", 2018-08-16) which however does not explain what the
bug was. It talks about missing or inconsistent cache topology
information, but that's not precise enough to decide what the problem
was.

> For this case, we have recognized that that the host/max CPU should only
> contain vender specific features, and I think it would be hard to expand
> such a rule afterwards, especially since there's other x86 vender like
> zhaoxin who implement a subset of Intel/AMD:
>
> What about a new flag "host_bare_metal_check" in FeatureWordInfo? Then
> if a feature is marked as "host_bare_metal_check", in addition to the
> current checks in x86_cpu_get_supported_feature_word(), bare-metal CPUID
> check is also needed (by host_cpuid()) for "host" CPU.

I don't see why it's needed. The bare metal vendor is not visible to
the guest, therefore it should have no bearing on whether a bit is
included in CPUID.

Paolo