fridtjof/qemu-cr16
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

i386/kvm: Expose ARCH_CAP_FB_CLEAR when invulnerable to MDS

Browse source 
Newer Intel hardware (Sapphire Rapids and higher) sets multiple MDS
immunity bits in MSR_IA32_ARCH_CAPABILITIES but lacks the hardware-level
MSR_ARCH_CAP_FB_CLEAR (bit 17):
    ARCH_CAP_MDS_NO
    ARCH_CAP_TAA_NO
    ARCH_CAP_PSDP_NO
    ARCH_CAP_FBSDP_NO
    ARCH_CAP_SBDR_SSDP_NO

This prevents VMs with fb-clear=on from migrating from older hardware
(Cascade Lake, Ice Lake) to newer hardware, limiting live migration
capabilities. Note fb-clear was first introduced in v8.1.0 [1].

Expose MSR_ARCH_CAP_FB_CLEAR for MDS-invulnerable systems to enable
seamless migration between hardware generations.

Note: There is no impact when a guest migrates to newer hardware as
the existing bit combinations already mark the host as MMIO-immune and
disable FB_CLEAR operations in the kernel (see Linux's
arch_cap_mmio_immune() and vmx_update_fb_clear_dis()). See kernel side
discussion for [2] for additional context.

[1] 22e1094ca8 ("target/i386: add support for FB_CLEAR feature")
[2] https://patchwork.kernel.org/project/kvm/patch/20250401044931.793203-1-jon@nutanix.com/

Cc: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Link: https://lore.kernel.org/r/20251008202557.4141285-1-jon@nutanix.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Jon Kohler 2025-10-08 13:25:57 -07:00 committed by Paolo Bonzini
parent df9a3372dd
commit 00001a22d1
1 changed files with 17 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

17
target/i386/kvm/kvm.c
View file

@ -653,6 +653,23 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index)
must_be_one = (uint32_t)value;
can_be_one = (uint32_t)(value >> 32);
return can_be_one & ~must_be_one;
case MSR_IA32_ARCH_CAPABILITIES:
/*
* Special handling for fb-clear bit in ARCH_CAPABILITIES MSR.
* KVM will only report the bit if it is enabled in the host,
* but, for live migration capability purposes, we want to
* expose the bit to the guest even if it is disabled in the
* host, as long as the host itself is not vulnerable to
* the issue that the fb-clear bit is meant to mitigate.
*/
if ((value & MSR_ARCH_CAP_MDS_NO) &&
(value & MSR_ARCH_CAP_TAA_NO) &&
(value & MSR_ARCH_CAP_SBDR_SSDP_NO) &&
(value & MSR_ARCH_CAP_FBSDP_NO) &&
(value & MSR_ARCH_CAP_PSDP_NO)) {
value |= MSR_ARCH_CAP_FB_CLEAR;
}
return value;
default:
return value;