On Tue, Nov 05, 2019 at 11:37:50AM -0800, Sean Christopherson wrote: > On Tue, Nov 05, 2019 at 05:17:37PM +0100, Vitaly Kuznetsov wrote: > > Virtualized guests may pick a different strategy to mitigate hardware > > vulnerabilities when it comes to hyper-threading: disable SMT completely, > > use core scheduling, or, for example, opt in for STIBP. Making the > > decision, however, requires an extra bit of information which is currently > > missing: does the topology the guest see match hardware or if it is 'fake' > > and two vCPUs which look like different cores from guest's perspective can > > actually be scheduled on the same physical core. Disabling SMT or doing > > core scheduling only makes sense when the topology is trustworthy. > > > > Add two feature bits to KVM: KVM_FEATURE_TRUSTWORTHY_SMT with the meaning > > that KVM_HINTS_TRUSTWORTHY_SMT bit answers the question if the exposed SMT > > topology is actually trustworthy. It would, of course, be possible to get > > away with a single bit (e.g. 'KVM_FEATURE_FAKE_SMT') and not lose backwards > > compatibility but the current approach looks more straightforward. > > I'd stay away from "trustworthy", especially if this is controlled by > userspace. Whether or not the hint is trustworthy is purely up to the > guest. Right now it doesn't really matter, but that will change as we > start moving pieces of the host out of the guest's TCB. > > It may make sense to split the two (or even three?) cases, e.g. > KVM_FEATURE_NO_SMT and KVM_FEATURE_ACCURATE_TOPOLOGY. KVM can easily > enforce NO_SMT _today_, i.e. allow it to be set if and only if SMT is > truly disabled. Verifying that the topology exposed to the guest is legit > is a completely different beast. Scratch the ACCURATE_TOPOLOGY idea, I doubt there's a real use case for setting ACCURATE_TOPOLOGY and not KVM_HINTS_REALTIME. A feature flag to state that SMT is disabled seems simple and useful.
