On Sunday, February 9, 2020 at 3:19:34 PM UTC, Claudia wrote:
>
> > marmarek:
> > This is a very bad idea to "fix" it. Those missing/changed CPUID bits later on will cause issues.
> > And given most of the microcode updates recently are about speculative execution, missing those
> > features will make the host vulnerable to those issues again. There are multiple ways it can
> > manifest - from crashes when Xen uses (now not present) CPU feature, to silent failures when Xen
> > tries to use some feature and assume it protects the system, while it does not in practice.
> >
> > For this particular case (microcode included in BIOS newer than in OS), I see two options: make
> > BIOS (coreboot, right?) apply microcode update on resume too, or include newer microcode in OS.
>
> I want to make one thing clear: I am **not** suggesting this check be 
> removed altogether. I am suggesting adding an **optional**, even 
> undocumented, override parameter which defaults to the **current behavior** 
> which is to panic. 
>
> I've found the patch to be quite stable so far. Unpatched is guaranteed to cause a crash (xen
> panic) at resume; patched so far has not caused any noticeable stability issues for the four of us
> using it, afaik. Just saying.
>
>
Has anyone tried utilizing the Xen command line options to mask bits in the 
CPUID (in particular section 1.2.35, cpuid_mask_ecx)? 

The man page below says that "Settings applied here take effect globally, 
including for Xen and all guests." This *might* mean it is applied *before* 
the resume from sleep CPU bit checks (but I'm not promising anything, as I 
have not traced through the source). And also "*Warning: This option is not 
fully effective on Family 15h processors or later.*"

https://xenbits.xen.org/docs/4.13-testing/misc/xen-command-line.html

Excerpted:

```
1.2.34 cpuid_mask_cpu 

= fam_0f_rev_[cdefg] | fam_10_rev_[bc] | fam_11_rev_b

Applicability: AMD

If none of the other cpuid_mask_* options are given, Xen has a set of 
pre-configured masks to make the current processor appear to be 
family/revision specified.

See below for general information on masking.

*Warning: This option is not fully effective on Family 15h processors or 
later.*

1.2.35 cpuid_mask_ecx
1.2.36 cpuid_mask_edx
1.2.37 cpuid_mask_ext_ecx
1.2.38 cpuid_mask_ext_edx
1.2.39 cpuid_mask_l7s0_eax
1.2.40 cpuid_mask_l7s0_ebx
1.2.41 cpuid_mask_thermal_ecx
1.2.42 cpuid_mask_xsave_eax

= <integer>

Applicability: x86. Default: ~0 (all bits set)

The availability of these options are model specific. Some processors don't 
support any of them, and no processor supports all of them. Xen will ignore 
options on processors which are lacking support.

These options can be used to alter the features visible via the CPUID 
instruction. Settings applied here take effect globally, including for Xen 
and all guests.

Note: Since Xen 4.7, it is no longer necessary to mask a host to create 
migration safety in heterogeneous scenarios. All necessary CPUID settings 
should be provided in the VM configuration file. Furthermore, it is 
recommended not to use this option, as doing so causes an unnecessary 
reduction of features at Xen's disposal to manage guests.
```
