On Fri, Mar 06, 2020 at 09:41:43 +0100, Christian Ehrhardt wrote: > One of the mitigation methods for TAA[1] is to disable TSX > support on the host system. Linux added a mechanism to disable > TSX globally through the kernel command line, and many Linux > distributions now default to tsx=off. This makes existing CPU > models that have HLE and RTM enabled not usable anymore. > > Add new versions of all CPU models that have the HLE and RTM > features enabled, that can be used when TSX is disabled in the > host system. > > On systems disabling the features without those types defined > in cpu-maps users end up without modern CPU types in the list > of usable CPUs to use in the likes of virsh domcapabilities > or tools higher in the stack like virt-manager. > > This adds: > -Cascadelake-Server-noTSX > -Icelake-Client-noTSX > -Icelake-Server-noTSX > -Skylake-Server-noTSX-IBRS > -Skylake-Client-noTSX-IBRS > > Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function) > and commit v4.2.0-rc2-4-g02fa60d101 (names) > > References: > > [1] TAA, TSX asynchronous Abort: > https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort > https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html > > Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200 > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- > src/cpu_map/Makefile.inc.am | 5 ++ > src/cpu_map/index.xml | 5 ++ > src/cpu_map/x86_Cascadelake-Server-noTSX.xml | 78 ++++++++++++++++ > src/cpu_map/x86_Icelake-Client-noTSX.xml | 81 +++++++++++++++++ > src/cpu_map/x86_Icelake-Server-noTSX.xml | 90 +++++++++++++++++++ > src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 73 +++++++++++++++ > src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 75 ++++++++++++++++ > 7 files changed, 407 insertions(+) > create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml > create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml > create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml > create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml > create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml ... > diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml > new file mode 100644 > index 0000000000..4a979739e2 > --- /dev/null > +++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml > @@ -0,0 +1,78 @@ > +<cpus> > + <model name='Cascadelake-Server'> 'Cascadelake-Server-noTSX' ... > diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml > new file mode 100644 > index 0000000000..4feb9cef2d > --- /dev/null > +++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml > @@ -0,0 +1,81 @@ > +<cpus> > + <model name='Icelake-Client'> 'Icelake-Client-noTSX' ... > diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml > new file mode 100644 > index 0000000000..76ae713a4d > --- /dev/null > +++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml > @@ -0,0 +1,90 @@ > +<cpus> > + <model name='Icelake-Server'> 'Icelake-Server-noTSX' ... > diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml > new file mode 100644 > index 0000000000..5fa4a733c6 > --- /dev/null > +++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml > @@ -0,0 +1,73 @@ > +<cpus> > + <model name='Skylake-Client-IBRS'> 'Skylake-Client-noTSX-IBRS' ... > diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml > new file mode 100644 > index 0000000000..cb65474767 > --- /dev/null > +++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml > @@ -0,0 +1,75 @@ > +<cpus> > + <model name='Skylake-Server-IBRS'> 'Skylake-Server-noTSX-IBRS' ... Running make check would reveal all these issues because every single test which involves parsing the cpu_map was failing due to multiple definitions of the same CPU model. And since this patch is adding several CPU models which are already supported by QEMU since 4.2.0, you need to update several existing test files for domaincapstest too. You can use VIR_TEST_REGENERATE_OUTPUT=1 tests/domaincapstest to regenerate the files. Just make sure you review the changes before adding them to this commit. Regenerating the test files will also be needed for cputest because I just pushed the "cputest: Add data for Intel(R) Core(TM) i7-8550U CPU without TSX". Doing so will nicely show that the computed host CPU model (in x86_64-cpuid-Core-i7-8550U-host.xml file) is Skylake-Client-noTSX-IBRS rather than Broadwell-noTSX-IBRS. However, the CPU used for host-model (and reported in domain capabilities) as shown in x86_64-cpuid-Core-i7-8550U-guest.xml and x86_64-cpuid-Core-i7-8550U-json.xml will change from Skylake-Client-IBRS to Skylake-Client-noTSX-IBRS. As I said in my previous reply to this patch, I think these two CPU definitions should keep using the old Skylake-Client-IBRS model to make sure any domain with host-model CPU will always use the CPU models without noTSX for better compatibility between current and future version of libvirt. This change should be in a separate patch, but in single series with the current patch. Jirka
