From 485b1d256bcb0874bcde0223727c159b6837e6f8 Mon Sep 17 00:00:00 2001 From: Eduardo Habkost Date: Fri, 25 Jan 2019 20:06:05 -0200 Subject: [PATCH 1/5] i386: kvm: Disable arch_capabilities if MSR can't be set KVM has two bugs in the handling of MSR_IA32_ARCH_CAPABILITIES: 1) Linux commit commit 1eaafe91a0df ("kvm: x86: IA32_ARCH_CAPABILITIES is always supported") makes GET_SUPPORTED_CPUID return arch_capabilities even if running on SVM. This makes "-cpu host,migratable=off" incorrectly expose arch_capabilities on CPUID on AMD hosts (where the MSR is not emulated by KVM). 2) KVM_GET_MSR_INDEX_LIST does not return MSR_IA32_ARCH_CAPABILITIES if the MSR is not supported by the host CPU. This makes QEMU not initialize the MSR properly at kvm_put_msrs() on those hosts. Work around both bugs on the QEMU side, by checking if the MSR was returned by KVM_GET_MSR_INDEX_LIST before returning the feature flag on kvm_arch_get_supported_cpuid(). This has the unfortunate side effect of making arch_capabilities unavailable on hosts without hardware support for the MSR until bug #2 is fixed on KVM, but I can't see another way to work around bug #1 without that side effect. Signed-off-by: Eduardo Habkost Message-Id: <20190125220606.4864-2-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost --- target/i386/kvm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/target/i386/kvm.c b/target/i386/kvm.c index beae1b99da..3b29ce5c0d 100644 --- a/target/i386/kvm.c +++ b/target/i386/kvm.c @@ -389,6 +389,15 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, if (host_tsx_blacklisted()) { ret &= ~(CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_HLE); } + } else if (function == 7 && index == 0 && reg == R_EDX) { + /* + * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts. + * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is + * returned by KVM_GET_MSR_INDEX_LIST. + */ + if (!has_msr_arch_capabs) { + ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES; + } } else if (function == 0x80000001 && reg == R_ECX) { /* * It's safe to enable TOPOEXT even if it's not returned by From 014018e19b3c54dd1bf5072bc912ceffea40abe8 Mon Sep 17 00:00:00 2001 From: Eduardo Habkost Date: Fri, 25 Jan 2019 20:06:06 -0200 Subject: [PATCH 2/5] i386: Make arch_capabilities migratable Now that kvm_arch_get_supported_cpuid() will only return arch_capabilities if QEMU is able to initialize the MSR properly, we know that the feature is safely migratable. Signed-off-by: Eduardo Habkost Message-Id: <20190125220606.4864-3-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost --- target/i386/cpu.c | 1 - 1 file changed, 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d90c01a059..9d3a20eac4 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1089,7 +1089,6 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { .reg = R_EDX, }, .tcg_features = TCG_7_0_EDX_FEATURES, - .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES, }, [FEAT_8000_0007_EDX] = { .type = CPUID_FEATURE_WORD, From bb4928c7cafe50ab2137a0034e350ef1bfa044d9 Mon Sep 17 00:00:00 2001 From: Eduardo Habkost Date: Tue, 19 Mar 2019 17:05:15 -0300 Subject: [PATCH 3/5] i386: Disable OSPKE on CPU model definitions Currently, the Cascadelake-Server, Icelake-Client, and Icelake-Server are always generating the following warning: qemu-system-x86_64: warning: \ host doesn't support requested feature: CPUID.07H:ECX [bit 4] This happens because OSPKE was never returned by GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word(). OSPKE is a runtime flag automatically set by the KVM module or by TCG code, was always cleared by x86_cpu_filter_features(), and was not supposed to appear on the CPU model table. Remove the OSPKE flag from the CPU model table entries, to avoid the bogus warning and avoid returning invalid feature data on query-cpu-* QMP commands. As OSPKE was always cleared by x86_cpu_filter_features(), this won't have any guest-visible impact. Include a test case that should detect the problem if we introduce a similar bug again. Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server") Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}") Cc: Tao Xu Cc: Robert Hoo Signed-off-by: Eduardo Habkost Message-Id: <20190319200515.14999-1-ehabkost@redhat.com> Signed-off-by: Eduardo Habkost --- target/i386/cpu.c | 6 +++--- tests/acceptance/cpu_queries.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 tests/acceptance/cpu_queries.py diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 9d3a20eac4..d6bb57d210 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -2532,7 +2532,7 @@ static X86CPUDefinition builtin_x86_defs[] = { CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD | CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT, .features[FEAT_7_0_ECX] = - CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE | + CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_AVX512VNNI, .features[FEAT_7_0_EDX] = CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, @@ -2585,7 +2585,7 @@ static X86CPUDefinition builtin_x86_defs[] = { CPUID_7_0_EBX_SMAP, .features[FEAT_7_0_ECX] = CPUID_7_0_ECX_VBMI | CPUID_7_0_ECX_UMIP | CPUID_7_0_ECX_PKU | - CPUID_7_0_ECX_OSPKE | CPUID_7_0_ECX_VBMI2 | CPUID_7_0_ECX_GFNI | + CPUID_7_0_ECX_VBMI2 | CPUID_7_0_ECX_GFNI | CPUID_7_0_ECX_VAES | CPUID_7_0_ECX_VPCLMULQDQ | CPUID_7_0_ECX_AVX512VNNI | CPUID_7_0_ECX_AVX512BITALG | CPUID_7_0_ECX_AVX512_VPOPCNTDQ, @@ -2643,7 +2643,7 @@ static X86CPUDefinition builtin_x86_defs[] = { CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT, .features[FEAT_7_0_ECX] = CPUID_7_0_ECX_VBMI | CPUID_7_0_ECX_UMIP | CPUID_7_0_ECX_PKU | - CPUID_7_0_ECX_OSPKE | CPUID_7_0_ECX_VBMI2 | CPUID_7_0_ECX_GFNI | + CPUID_7_0_ECX_VBMI2 | CPUID_7_0_ECX_GFNI | CPUID_7_0_ECX_VAES | CPUID_7_0_ECX_VPCLMULQDQ | CPUID_7_0_ECX_AVX512VNNI | CPUID_7_0_ECX_AVX512BITALG | CPUID_7_0_ECX_AVX512_VPOPCNTDQ | CPUID_7_0_ECX_LA57, diff --git a/tests/acceptance/cpu_queries.py b/tests/acceptance/cpu_queries.py new file mode 100644 index 0000000000..e71edec39f --- /dev/null +++ b/tests/acceptance/cpu_queries.py @@ -0,0 +1,33 @@ +# Sanity check of query-cpu-* results +# +# Copyright (c) 2019 Red Hat, Inc. +# +# Author: +# Eduardo Habkost +# +# This work is licensed under the terms of the GNU GPL, version 2 or +# later. See the COPYING file in the top-level directory. + +import logging + +from avocado_qemu import Test + +class QueryCPUModelExpansion(Test): + """ + Run query-cpu-model-expansion for each CPU model, and validate results + """ + + def test(self): + self.vm.set_machine('none') + self.vm.add_args('-S') + self.vm.launch() + + cpus = self.vm.command('query-cpu-definitions') + for c in cpus: + print(repr(c)) + self.assertNotIn('', c['unavailable-features'], c['name']) + + for c in cpus: + model = {'name': c['name']} + e = self.vm.command('query-cpu-model-expansion', model=model, type='full') + self.assertEquals(e['model']['name'], c['name']) From 174a78a8a5c0cf421236fe14efc5559717f050df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 7 Mar 2019 12:18:37 +0000 Subject: [PATCH 4/5] docs: clarify that spec-ctrl is only needed for Spectre v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The docs currently say that the spec-ctrl feature is needed for both Spectre variants, but it is only used to address Spectre v2. Also remove the note about retpolines. The guest OS is usually treated as a blackbox from host mgmt pov, so it won't have knowledge about use of retpolines and thus should unconditionally expose spec-ctrl, allowing the guest to decide whether to use it or not. Signed-off-by: Daniel P. Berrangé Message-Id: <20190307121838.6345-2-berrange@redhat.com> Signed-off-by: Eduardo Habkost --- docs/qemu-cpu-models.texi | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi index 1b72584161..0ce528806d 100644 --- a/docs/qemu-cpu-models.texi +++ b/docs/qemu-cpu-models.texi @@ -158,8 +158,7 @@ support this feature. @item @code{spec-ctrl} -Required to enable the Spectre (CVE-2017-5753 and CVE-2017-5715) fix, -in cases where retpolines are not sufficient. +Required to enable the Spectre v2 (CVE-2017-5715) fix. Included by default in Intel CPU models with -IBRS suffix. @@ -249,8 +248,7 @@ included if using "Host passthrough" or "Host model". @item @code{ibpb} -Required to enable the Spectre (CVE-2017-5753 and CVE-2017-5715) fix, -in cases where retpolines are not sufficient. +Required to enable the Spectre v2 (CVE-2017-5715) fix. Included by default in AMD CPU models with -IBPB suffix. From 21ee4787e53367590f284915bf4c30c684e65bdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Thu, 7 Mar 2019 12:18:38 +0000 Subject: [PATCH 5/5] docs: add note about stibp CPU feature for spectre v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While the stibp CPU feature is not commonly used by guest OS for spectre mitigation due to its performance impact, it is none the less best practice to expose it to all guest OS. This allows the guest OS to decide whether to make use or it. Signed-off-by: Daniel P. Berrangé Message-Id: <20190307121838.6345-3-berrange@redhat.com> Signed-off-by: Eduardo Habkost --- docs/qemu-cpu-models.texi | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi index 0ce528806d..23c11dc86f 100644 --- a/docs/qemu-cpu-models.texi +++ b/docs/qemu-cpu-models.texi @@ -168,6 +168,17 @@ Requires the host CPU microcode to support this feature before it can be used for guest CPUs. +@item @code{stibp} + +Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some +operating systems. + +Must be explicitly turned on for all Intel CPU models. + +Requires the host CPU microcode to support this feature before it +can be used for guest CPUs. + + @item @code{ssbd} Required to enable the CVE-2018-3639 fix @@ -258,6 +269,17 @@ Requires the host CPU microcode to support this feature before it can be used for guest CPUs. +@item @code{stibp} + +Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some +operating systems. + +Must be explicitly turned on for all AMD CPU models. + +Requires the host CPU microcode to support this feature before it +can be used for guest CPUs. + + @item @code{virt-ssbd} Required to enable the CVE-2018-3639 fix