On Mon, Oct 23, 2023 at 10:43 AM Gerrit Slomma <gerrit.slomma@xxxxxxxxxxxx> wrote:
>
> Why?
> As Sean pointed out if you have older CPUs that don't support a specific
> instruction set you need to restrict the capabilities in order to
> support live migration.

The x86 hardware virtualization facilities do not allow the hypervisor to restrict capabilities a la carte. Some capabilities do have a "gatekeeper," like a CR4 bit or an XCR0 bit, which, when clear, will induce an exception if that capability is used. However, many capabilities do not.

Take the SERIALIZE instruction, for example. It should raise #UD on platforms older than Sapphire Rapids, but if your virtual machine is masquerading as an older microarchitecture on a Sapphire Rapids host, you will find that the SERIALIZE instruction is available, does not raise #UD, and works just as it does on bare metal.

As a result, there is no way for a virtual CPU to masquerade as an older microarchitecture when running on Sapphire Rapids. It can come close enough to be acceptable for a heterogeneous migration pool, but it's still a virtualization hole.