From: Teddy Astie
To: xen-devel@lists.xenproject.org
Cc: Teddy Astie, Andrew Cooper, Anthony PERARD, Michal Orzel, Jan Beulich, Julien Grall, Roger Pau Monné, Stefano Stabellini
Subject: [PATCH] x86/amd: Drop allow_unsafe parameter, tune down XSA-9 mitigations
Date: Wed, 22 Apr 2026 18:58:06 +0200

XSA-9 mitigations prevent Xen from properly running if an affected CPU is
detected. While the vulnerability has no mitigations (aside from not running
64-bit PV guests), its only outcome is a DoS.

There is no real point in preventing Xen from working here and it would be
preferable to just log the vulnerability to the user so it can act
appropriately.

Also reword the errata message regarding that it only affects PV64 guests.

Signed-off-by: Teddy Astie
---
It's hard to tell whether or not we would want to drop allow_unsafe, but
currently, Xen is allowed to boot with XSA-304 mitigations disabled
(intentionally) which has a similar outcome to this one.

From a user standpoint, preventing the system from booting or starting guests
is too extreme and would be in practice seen as a bug, even if it's a justified
policy which can be overridden.

 docs/misc/xen-command-line.pandoc | 12 ------------
 xen/arch/x86/cpu/amd.c            | 21 +++++----------------
 xen/arch/x86/domain.c             | 14 --------------
 xen/arch/x86/include/asm/amd.h    |  2 --
 4 files changed, 5 insertions(+), 44 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index 6c77129732..04d206f919 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -133,18 +133,6 @@ resume. `s3_mode` instructs Xen to set up the boot time (option `vga=3D`) video mode during S3 resume. =20 -### allow_unsafe (x86) -> `=3D ` - -> Default: `false` - -Force boot on potentially unsafe systems. By default Xen will refuse -to boot on systems with the following errata: - -* AMD Erratum 121. Processors with this erratum are subject to a guest - triggerable Denial of Service. Override only if you trust all of - your PV guests. - ### altp2m (Intel) > `=3D ` =20 diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c index 712734a6e7..f1f4a25754 100644 --- a/xen/arch/x86/cpu/amd.c +++ b/xen/arch/x86/cpu/amd.c @@ -20,10 +20,6 @@ =20 #include "cpu.h" =20 -/* 1 =3D allow, 0 =3D don't allow guest creation, -1 =3D don't allow boot = */ -int8_t __read_mostly opt_allow_unsafe; -boolean_param("allow_unsafe", opt_allow_unsafe); - /* Signal whether the ACPI C1E quirk is required. */ bool __read_mostly amd_acpi_c1e_quirk; bool __ro_after_init amd_legacy_ssbd; 
@@ -1205,19 +1201,12 @@ static void cf_check init_amd(struct cpuinfo_x86 *c) if (c->family =3D=3D 0x10) __clear_bit(X86_FEATURE_MONITOR, c->x86_capability); =20 - if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121)) - opt_allow_unsafe =3D 1; - else if (opt_allow_unsafe < 0) - panic("Xen will not boot on this CPU for security reasons" - "Pass \"allow_unsafe\" if you're trusting all your" - " (PV) guest kernels.\n"); - else if (!opt_allow_unsafe && c =3D=3D &boot_cpu_data) + if (cpu_has_amd_erratum(c, AMD_ERRATUM_121)) + { printk(KERN_WARNING - "*** Xen will not allow creation of DomU-s on" - " this CPU for security reasons. ***\n" - KERN_WARNING - "*** Pass \"allow_unsafe\" if you're trusting" - " all your (PV) guest kernels. ***\n"); + "*** This CPU is affected with erratum 121" + " 64-bits PV guests are able to cause a DoS (XSA-9) ***\n"); + } =20 if (c->family =3D=3D 0x16 && c->model <=3D 0xf) { if (c =3D=3D &boot_cpu_data) { diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index 1d458f1372..1d3b99cd50 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -833,20 +833,6 @@ int arch_domain_create(struct domain *d, =20 spin_lock_init(&d->arch.e820_lock); =20 - if ( d->domain_id && cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_1= 21) ) - { - if ( !opt_allow_unsafe ) - { - printk(XENLOG_G_ERR - "%pd: will not create domU on this CPU for security rea= sons\n", - d); - return -EPERM; - } - printk(XENLOG_G_WARNING - "%pd: may compromise security on this CPU\n", - d); - } - emflags =3D config->arch.emulation_flags; =20 if ( is_hardware_domain(d) && is_pv_domain(d) ) diff --git a/xen/arch/x86/include/asm/amd.h b/xen/arch/x86/include/asm/amd.h index d21df0741a..d8d9cd175e 100644 --- a/xen/arch/x86/include/asm/amd.h +++ b/xen/arch/x86/include/asm/amd.h 
@@ -74,8 +74,6 @@ struct cpuinfo_x86; int cpu_has_amd_erratum(const struct cpuinfo_x86 *cpu, int osvw_id, ...); =20 -extern int8_t opt_allow_unsafe; - void fam10h_check_enable_mmcfg(void); void check_enable_amd_mmconf_dmi(void); =20 --=20 2.52.0 --=20 Teddy Astie | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech ---=Part.25f9.4f43d121d0e65c6c.19db6223500.165d7aa55d327c7c=---
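Review bot: A changelog entry is missing for the removal of `allow_unsafe` from docs/misc/xen-command-line.pandoc; the diffstat lists only the doc, amd.c, domain.c and amd.h. Hosts that still pass `allow_unsafe` lose the option together with its `boolean_param()` registration, and hosts with AMD Erratum 121 go from "refuse to boot" to "boot with a warning", which is a default-behaviour change operators should be able to find in the release notes. Suggest adding an entry that names both the dropped option and the new behaviour.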
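Review bot: The `c == &boot_cpu_data` condition is lost on the new `if (cpu_has_amd_erratum(c, AMD_ERRATUM_121))` in the init_amd() hunk of xen/arch/x86/cpu/amd.c. The removed DomU warning had that condition, so the new message will be repeated for every CPU init_amd() runs on; keep the condition so it is logged once. The two string fragments also join into "affected with erratum 121 64-bits PV guests" with nothing separating the clauses; suggest "affected by erratum 121:" followed by "64-bit PV guests ...". The braces wrap a single statement and the `{` on its own line does not match the `if (...) {` style of the context lines just below, so dropping them is simplest.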
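Review bot: No log line is left at domain-creation time after the arch_domain_create() hunk in xen/arch/x86/domain.c, because the removed block also takes out the `XENLOG_G_WARNING` "may compromise security on this CPU" message that was printed even when creation was allowed. Since the commit message says only PV64 guests can trigger the DoS, consider keeping a guest-level warning guarded by `is_pv_domain(d)` (already used a few lines below in the context) instead of deleting it, so the exposure is recorded next to the domain that carries it and non-PV domains stay quiet. If dropping it is intended, the commit message should say so, as it currently only mentions logging the vulnerability.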