On Tue, Feb 20, 2018 at 03:46:57PM +0100, Paolo Bonzini wrote:
> On 20/02/2018 15:08, Van De Ven, Arjan wrote:
> >>>> For bonus points: What should happen to a VM that is live migrated
> >>>> from one hypervisor to another, and the hypervisors have different
> >>>> IBRS support?
> >>> Doctor Doctor it hurts when I do this....
> >>> Migration tends to only work between HV's that are relatively
> >>> homogeneous, that's nothing new...
> >> No Arjan, this is just wrong. Well, I suppose it's right in the present
> >> tense with the IBRS mess on Skylake, but it's _not_ been true until last
> >> year.
> > I meant software wise. You're not going to live migrate from xen to
> > kvm or backwards. or between very radically different versions of the
> > kvm stack.
> Forwards migration to a radically newer version certainly happens. So
> when the source hypervisor was too old to tell the VM about IBRS_ALL,
> for example, migration should work properly and the VM should perform
> well on the destination hypervisor.
To add a bit more to this, Intel just updated their IA32_ARCH_CAPABILITIES_MSR
to have a new bit to sample to figure out whether you need IBRS or not
Virtual Machine CPU Identification:
"To remedy this situation, an operating system running as a VM can query bit 2
of the IA32_ARCH_CAPABILITIES MSR, known as “RSB Alternate” (RSBA). When RSBA
is set, it indicates that the VM may run on a processor vulnerable to exploits
of Empty RSB conditions regardless of the processor’s
DisplayFamily/DisplayModel signature, and that the operating system should
deploy appropriate mitigations. Virtual machine managers (VMM) may set RSBA via
MSR interception to indicate that a virtual machine might run at some time in
the future on a vulnerable processor."
New bit.. but not mentioned in the:
Paolo, is there some form of callback inside of the guest when KVM guests are
(It exists under Xen, but I don't see it under KVM?)
> Backwards migration to older hypervisors also happens sometimes, but in
> general it creates more userspace than kernel issues.