Expose ITS_NO by default, as users using Clearwater Forest and higher
CPU models would not be able to live migrate to lower CPU hosts due to
missing features. In that case, they would not be vulnerable to ITS.

its-no was originally added on [1], but needs to be exposed on the
individual CPU models for the guests to see by default.

Note: Version 1 already exposes ARCH_CAP_BHI_NO, which would already
mark the CPU as invulnerable to ITS (at least in Linux); however,
expose ITS_NO for completeness.

[1] 74978391b2da ("target/i386: Make ITS_NO available to guests")

Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
---
target/i386/cpu.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a522805233..9b66a19b7b 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -5589,6 +5589,14 @@ static const X86CPUDefinition builtin_x86_defs[] = {
.model_id = "Intel Xeon Processor (ClearwaterForest)",
.versions = (X86CPUVersionDefinition[]) {
{ .version = 1 },
+ {
+ .version = 2,
+ .note = "with ITS_NO",
+ .props = (PropValue[]) {
+ { "its-no", "on" },
+ { /* end of list */ },
+ }
+ },
{ /* end of list */ },
},
},
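Review bot: The closing brace of the new `.props = (PropValue[]) { ... }` initializer has no trailing comma, while `.version`, `.note` and the enclosing version entry in the same hunk all end with one; suggest closing it as `},` so the new entry is consistent and a later field can be appended without touching this line. Separately, the `.note` string "with ITS_NO" records what changed but not why; since the commit message says version 1 already exposes ARCH_CAP_BHI_NO and this bit is added for completeness, a one-line comment above the version 2 entry saying so would keep that rationale next to the definition for anyone comparing v1 and v2 when planning migrations.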
--
2.43.0