On Tue, Jul 07, 2020 at 02:35:59PM +0300, Maxim Levitsky wrote: > On Tue, 2020-07-07 at 01:14 -0700, Sean Christopherson wrote: > > Aren't you supposed to be on vacation? :-) > > > > On Tue, Jul 07, 2020 at 10:04:22AM +0200, Paolo Bonzini wrote: > > > On 07/07/20 08:11, Sean Christopherson wrote: > > > > One oddity with this whole thing is that by passing through the MSR, KVM is > > > > allowing the guest to write bits it doesn't know about, which is definitely > > > > not normal. It also means the guest could write bits that the host VMM > > > > can't. > > > > > > That's true. However, the main purpose of the kvm_spec_ctrl_valid_bits > > > check is to ensure that host-initiated writes are valid; this way, you > > > don't get a #GP on the next vmentry's WRMSR to MSR_IA32_SPEC_CTRL. > > > Checking the guest CPUID bit is not even necessary. > > > > Right, what I'm saying is that rather than try and decipher specs to > > determine what bits are supported, just throw the value at hardware and > > go from there. That's effectively what we end up doing for the guest writes > > anyways. > > > > Actually, the current behavior will break migration if there are ever legal > > bits that KVM doesn't recognize, e.g. guest writes a value that KVM doesn't > > allow and then migration fails when the destination tries to stuff the value > > into KVM. > > After thinking about this, I am thinking that we should apply similiar logic > as done with the 'cpu-pm' related features. > This way the user can choose between passing through the IA32_SPEC_CTRL, > (and in this case, we can since the user choose it, pass it right away, and thus > avoid using kvm_spec_ctrl_valid_bits completely), and between correctness, > in which case we can always emulate this msr, and therefore check all the bits, > both regard to guest and host supported values. > Does this makes sense, or do you think that this is overkill? It doesn't really work because the host doesn't have a priori knowledge of whether or not the guest will use IA32_SPEC_CTRL. For PM stuff, there's no meaningful overhead in exposing capabilities and the features more or less ubiquitous, i.e. odds are very good the guest will use the exposed features and there's no penalty if it doesn't.