File xsa435-0-55.patch of Package xen.31135
From: Andrew Cooper <andrew.cooper3@citrix.com>
Origin: https://github.com/xenserver/xen.pg/blob/XS-8.3.x/patches/max-featureset-compat.patch
--- a/tools/libxc/xc_cpuid_x86.c
+++ b/tools/libxc/xc_cpuid_x86.c
@@ -55,8 +55,8 @@ int xc_get_cpu_levelling_caps(xc_interfa
return ret;
}
-int xc_get_cpu_featureset(xc_interface *xch, uint32_t index,
- uint32_t *nr_features, uint32_t *featureset)
+static int xc_get_cpu_featureset_(xc_interface *xch, uint32_t index,
+ uint32_t *nr_features, uint32_t *featureset)
{
DECLARE_SYSCTL;
DECLARE_HYPERCALL_BOUNCE(featureset,
@@ -82,6 +82,128 @@ int xc_get_cpu_featureset(xc_interface *
return ret;
}
+int xc_get_cpu_featureset(xc_interface *xch, uint32_t index,
+ uint32_t *nr, uint32_t *fs)
+{
+ uint32_t raw_fs[FEATURESET_NR_ENTRIES] = {}, raw_nr = ARRAY_SIZE(raw_fs);
+ uint32_t host_fs[FEATURESET_NR_ENTRIES] = {}, host_nr = ARRAY_SIZE(host_fs);
+ unsigned int vendor;
+ int ret;
+
+ if ( index != XEN_SYSCTL_cpu_featureset_pv_max &&
+ index != XEN_SYSCTL_cpu_featureset_hvm_max )
+ return xc_get_cpu_featureset_(xch, index, nr, fs);
+
+ /*
+ * Fake up a *_max featureset. Obtain the raw, host, and pv/hvm default.
+ *
+ * This is used by xenopsd to pass to the toolstack of the incoming
+ * domain, to allow it to establish migration safety.
+ */
+ ret = xc_get_cpu_featureset_(
+ xch, XEN_SYSCTL_cpu_featureset_raw, &raw_nr, raw_fs);
+ if ( ret && errno != ENOBUFS )
+ return ret;
+
+ ret = xc_get_cpu_featureset_(
+ xch, XEN_SYSCTL_cpu_featureset_host, &host_nr, host_fs);
+ if ( ret && errno != ENOBUFS )
+ return ret;
+
+ ret = xc_get_cpu_featureset_(xch, index, nr, fs);
+ if ( ret )
+ return ret;
+
+ /*
+ * Advertise HTT, x2APIC and CMP_LEGACY. They all impact topology,
+ * unconditionally leak into PV guests, and are fully emulated for HVM.
+ */
+ set_bit(X86_FEATURE_HTT, fs);
+ set_bit(X86_FEATURE_X2APIC, fs);
+ set_bit(X86_FEATURE_CMP_LEGACY, fs);
+
+ /*
+ * Feed HLE/RTM in from the host policy. We can safely migrate in VMs
+ * which saw HLE/RTM, even if the RTM is disabled for errata/security
+ * reasons.
+ */
+ clear_bit(X86_FEATURE_HLE, fs);
+ if ( test_bit(X86_FEATURE_HLE, host_fs) )
+ set_bit(X86_FEATURE_HLE, fs);
+
+ clear_bit(X86_FEATURE_RTM, fs);
+ if ( test_bit(X86_FEATURE_RTM, host_fs) )
+ set_bit(X86_FEATURE_RTM, fs);
+
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+ *
+ * We hid CLWB in the host policy to stop Xen using it, but VMs which
+ * have previously seen the CLWB feature can safely run on this CPU.
+ */
+ if ( test_bit(X86_FEATURE_CLWB, raw_fs) &&
+ !test_bit(X86_FEATURE_CLWB, host_fs) )
+ set_bit(X86_FEATURE_CLWB, fs);
+
+ /* if ( index == XEN_SYSCTL_cpu_featureset_hvm_max ) */
+ {
+ struct cpuid_leaf l;
+
+ cpuid_leaf(0, &l);
+ vendor = x86_cpuid_lookup_vendor(l.b, l.c, l.d);
+
+ /*
+ * MPX has been removed from newer Intel hardware. Therefore, we hide
+ * it by default, but can still accept any VMs which saw it, if
+ * hardware is MPX-capable.
+ */
+ if ( index == XEN_SYSCTL_cpu_featureset_hvm_max &&
+ test_bit(X86_FEATURE_MPX, host_fs) )
+ set_bit(X86_FEATURE_MPX, fs);
+
+ switch ( vendor )
+ {
+ case X86_VENDOR_AMD:
+ case X86_VENDOR_HYGON:
+ /*
+ * In order to mitigate Spectre, AMD dropped the LWP feature in
+ * microcode, to make space for MSR_PRED_CMD. No one used LWP, but it
+ * was visible to guests at the time.
+ */
+ if ( index == XEN_SYSCTL_cpu_featureset_hvm_max )
+ set_bit(X86_FEATURE_LWP, fs);
+ break;
+
+ case X86_VENDOR_INTEL:
+ /*
+ * MSR_ARCH_CAPS is just feature data, and we can offer it to guests
+ * unconditionally, although limit it to Intel systems as it is highly
+ * uarch-specific.
+ *
+ * In particular, the RSBA and RRSBA bits mean "you might migrate to a
+ * system where RSB underflow uses alternative predictors (a.k.a
+ * Retpoline not safe)", so these need to be visible to a guest in all
+ * cases, even when it's only some other server in the pool which
+ * suffers the identified behaviour.
+ *
+ * We can always run any VM which has previously (or will
+ * subsequently) run on hardware where Retpoline is not safe.
+ * Note:
+ * - The dependency logic may hide RRSBA for other reasons.
+ * - The max policy does not constitute a sensible configuration to
+ * run a guest in.
+ */
+ set_bit(X86_FEATURE_ARCH_CAPS, fs);
+ set_bit(X86_FEATURE_RSBA, fs);
+ set_bit(X86_FEATURE_RRSBA, fs);
+ break;
+ }
+ }
+
+ return 0;
+}
+
uint32_t xc_get_cpu_featureset_size(void)
{
return FEATURESET_NR_ENTRIES;
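Review bot: The `set_bit()` calls on `fs` that follow the final `xc_get_cpu_featureset_(xch, index, nr, fs)` are not bounded by the size of the caller's buffer, so a caller whose array is shorter than the word holding, for example, `X86_FEATURE_RRSBA` would see a write past its end. The helper's body is outside this hunk and may already fail with ENOBUFS for short buffers, but that would only protect the case where the hypervisor's featureset is at least as long as the library's. The local calls pass `ARRAY_SIZE(...)` as the count, which suggests `*nr` on entry is the caller's capacity. Consider saving that value in a local `cap` before the call and refusing to patch a short buffer, e.g. `if ( cap < FEATURESET_NR_ENTRIES ) { errno = ENOBUFS; return -1; }`. A short comment on the function stating that `fs` must hold `FEATURESET_NR_ENTRIES` words for the `*_max` indices would make the requirement visible to callers.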