RE: [PATCH v2] target/i386: Restore TSX features with taa-no
>-Original Message- >From: Li, Xiaoyao >Sent: Friday, July 15, 2022 9:14 AM >To: Paolo Bonzini ; Duan, Zhenzhong >; qemu-devel@nongnu.org >Cc: ehabk...@redhat.com; Ma, XiangfeiX ; >Christopherson,, Sean >Subject: Re: [PATCH v2] target/i386: Restore TSX features with taa-no > >On 7/14/2022 3:59 PM, Paolo Bonzini wrote: >> On 7/14/22 07:36, Zhenzhong Duan wrote: >>> On ICX-2S2 host, when run L2 guest with both L1/L2 using >>> Icelake-Server-v3 >>> or above, we got below warning: >>> >>> "warning: host doesn't support requested feature: MSR(10AH).taa-no >>> [bit 8]" >>> >>> This is because L1 KVM doesn't expose taa-no to L2 if RTM is >>> disabled, then starting L2 qemu triggers the warning. >>> >>> Fix it by restoring TSX features in Icelake-Server-v3, which may also >>> help guest performance if host isn't susceptible to TSX Async Abort >>> (TAA) vulnerabilities. >>> >>> Fixes: d965dc35592d ("target/i386: Add ARCH_CAPABILITIES related bits >>> into Icelake-Server CPU model") >>> Tested-by: Xiangfei Ma >>> Signed-off-by: Zhenzhong Duan >>> --- >>> v2: Rewrite commit message >> >> Why wouldn't the fix be (in an Icelake-Server-v4 model) to remove taa-no? > >Production Icelake silicon should have the taa-no set, that's the reason taa-no >was added in v3 model. > >When taa-no presents, it's safe to bring TSX features back. > >I'm wondering if we need a new version (v7) for this change. Ping. Any further suggestion on which way to go ahead? Thanks Zhenzhong
Re: [PATCH v2] target/i386: Restore TSX features with taa-no
On 7/14/2022 3:59 PM, Paolo Bonzini wrote: On 7/14/22 07:36, Zhenzhong Duan wrote: On ICX-2S2 host, when run L2 guest with both L1/L2 using Icelake-Server-v3 or above, we got below warning: "warning: host doesn't support requested feature: MSR(10AH).taa-no [bit 8]" This is because L1 KVM doesn't expose taa-no to L2 if RTM is disabled, then starting L2 qemu triggers the warning. Fix it by restoring TSX features in Icelake-Server-v3, which may also help guest performance if host isn't susceptible to TSX Async Abort (TAA) vulnerabilities. Fixes: d965dc35592d ("target/i386: Add ARCH_CAPABILITIES related bits into Icelake-Server CPU model") Tested-by: Xiangfei Ma Signed-off-by: Zhenzhong Duan --- v2: Rewrite commit message Why wouldn't the fix be (in an Icelake-Server-v4 model) to remove taa-no? Production Icelake silicon should have the taa-no set, that's the reason taa-no was added in v3 model. When taa-no presents, it's safe to bring TSX features back. I'm wondering if we need a new version (v7) for this change. Paolo target/i386/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 14f681e998cc..25ef972a3eed 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3423,6 +3423,9 @@ static const X86CPUDefinition builtin_x86_defs[] = { { .version = 3, .props = (PropValue[]) { + /* Restore TSX features removed by -v2 above */ + { "hle", "on" }, + { "rtm", "on" }, { "arch-capabilities", "on" }, { "rdctl-no", "on" }, { "ibrs-all", "on" },
RE: [PATCH v2] target/i386: Restore TSX features with taa-no
>-Original Message- >From: Paolo Bonzini On Behalf Of Paolo Bonzini >Sent: Thursday, July 14, 2022 3:59 PM >To: Duan, Zhenzhong ; qemu- >de...@nongnu.org >Cc: ehabk...@redhat.com; Ma, XiangfeiX ; Li, >Xiaoyao ; Christopherson,, Sean >Subject: Re: [PATCH v2] target/i386: Restore TSX features with taa-no > >On 7/14/22 07:36, Zhenzhong Duan wrote: >> On ICX-2S2 host, when run L2 guest with both L1/L2 using >> Icelake-Server-v3 or above, we got below warning: >> >> "warning: host doesn't support requested feature: MSR(10AH).taa-no [bit >8]" >> >> This is because L1 KVM doesn't expose taa-no to L2 if RTM is disabled, >> then starting L2 qemu triggers the warning. >> >> Fix it by restoring TSX features in Icelake-Server-v3, which may also >> help guest performance if host isn't susceptible to TSX Async Abort >> (TAA) vulnerabilities. >> >> Fixes: d965dc35592d ("target/i386: Add ARCH_CAPABILITIES related bits >> into Icelake-Server CPU model") >> Tested-by: Xiangfei Ma >> Signed-off-by: Zhenzhong Duan >> --- >> v2: Rewrite commit message > >Why wouldn't the fix be (in an Icelake-Server-v4 model) to remove taa-no? This way we don't have a versioned model enabling both TSX and taa-no. In currently implementation, TSX is disabled in Icelake-Server-v2 and above. And taa-no is enabled in Icelake-Server-v3 and above. If hardware supports taa-no mitigation, I thought it's better to expose it to guest together with TSX so that guest knows it's secure to use TSX? Thanks Zhenzhong > >Paolo > >> target/i386/cpu.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/target/i386/cpu.c b/target/i386/cpu.c index >> 14f681e998cc..25ef972a3eed 100644 >> --- a/target/i386/cpu.c >> +++ b/target/i386/cpu.c >> @@ -3423,6 +3423,9 @@ static const X86CPUDefinition builtin_x86_defs[] >= { >> { >> .version = 3, >> .props = (PropValue[]) { >> +/* Restore TSX features removed by -v2 above */ >> +{ "hle", "on" }, >> +{ "rtm", "on" }, >> { "arch-capabilities", "on" }, >> { "rdctl-no", "on" }, >> { "ibrs-all", "on" },
Re: [PATCH v2] target/i386: Restore TSX features with taa-no
On 7/14/22 07:36, Zhenzhong Duan wrote: On ICX-2S2 host, when run L2 guest with both L1/L2 using Icelake-Server-v3 or above, we got below warning: "warning: host doesn't support requested feature: MSR(10AH).taa-no [bit 8]" This is because L1 KVM doesn't expose taa-no to L2 if RTM is disabled, then starting L2 qemu triggers the warning. Fix it by restoring TSX features in Icelake-Server-v3, which may also help guest performance if host isn't susceptible to TSX Async Abort (TAA) vulnerabilities. Fixes: d965dc35592d ("target/i386: Add ARCH_CAPABILITIES related bits into Icelake-Server CPU model") Tested-by: Xiangfei Ma Signed-off-by: Zhenzhong Duan --- v2: Rewrite commit message Why wouldn't the fix be (in an Icelake-Server-v4 model) to remove taa-no? Paolo target/i386/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 14f681e998cc..25ef972a3eed 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3423,6 +3423,9 @@ static const X86CPUDefinition builtin_x86_defs[] = { { .version = 3, .props = (PropValue[]) { +/* Restore TSX features removed by -v2 above */ +{ "hle", "on" }, +{ "rtm", "on" }, { "arch-capabilities", "on" }, { "rdctl-no", "on" }, { "ibrs-all", "on" },
[PATCH v2] target/i386: Restore TSX features with taa-no
On ICX-2S2 host, when run L2 guest with both L1/L2 using Icelake-Server-v3 or above, we got below warning: "warning: host doesn't support requested feature: MSR(10AH).taa-no [bit 8]" This is because L1 KVM doesn't expose taa-no to L2 if RTM is disabled, then starting L2 qemu triggers the warning. Fix it by restoring TSX features in Icelake-Server-v3, which may also help guest performance if host isn't susceptible to TSX Async Abort (TAA) vulnerabilities. Fixes: d965dc35592d ("target/i386: Add ARCH_CAPABILITIES related bits into Icelake-Server CPU model") Tested-by: Xiangfei Ma Signed-off-by: Zhenzhong Duan --- v2: Rewrite commit message target/i386/cpu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 14f681e998cc..25ef972a3eed 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -3423,6 +3423,9 @@ static const X86CPUDefinition builtin_x86_defs[] = { { .version = 3, .props = (PropValue[]) { +/* Restore TSX features removed by -v2 above */ +{ "hle", "on" }, +{ "rtm", "on" }, { "arch-capabilities", "on" }, { "rdctl-no", "on" }, { "ibrs-all", "on" }, -- 2.25.1