2018-03-07 16:10+0100, Paolo Bonzini: > On 07/03/2018 15:56, Radim Krčmář wrote: > > The MSR_F10H_DECFG default is questionable -- MSR_F10H_DECFG is an > > architectural MSR, so we'd be changing the guest under the sight of > > existing userspaces. > > A potential security risk if they migrate the guest to a CPU that > > doesn't serialize LFENCE. ARCH_CAPABILITIES are at least hidden by a > > new CPUID bit. > > Good point. Perhaps we should add a KVM-specific CPUID bit for > serializing LFENCE. I reckon it wouldn't help much in the wild: we'd need userspace changes (at least for QEMU) and at that point, userspace can as well just implement MSR_F10H_DECFG and use an unmodified guest. We can't easily intercept LFENCE to emulate the feature either, so it seems like a waste of effort to me.
