[PATCH] cpu_map: Add more -noTSX x86 CPU models

Jiri Denemark jdenemar at redhat.com
Mon Mar 9 16:00:10 UTC 2020


On Fri, Mar 06, 2020 at 09:41:43 +0100, Christian Ehrhardt wrote:
> One of the mitigation methods for TAA[1] is to disable TSX
> support on the host system.  Linux added a mechanism to disable
> TSX globally through the kernel command line, and many Linux
> distributions now default to tsx=off.  This makes existing CPU
> models that have HLE and RTM enabled not usable anymore.
> 
> Add new versions of all CPU models that have the HLE and RTM
> features enabled, that can be used when TSX is disabled in the
> host system.
> 
> On systems disabling the features without those types defined
> in cpu-maps users end up without modern CPU types in the list
> of usable CPUs to use in the likes of virsh domcapabilities
> or tools higher in the stack like virt-manager.
> 
> This adds:
> -Cascadelake-Server-noTSX
> -Icelake-Client-noTSX
> -Icelake-Server-noTSX
> -Skylake-Server-noTSX-IBRS
> -Skylake-Client-noTSX-IBRS
> 
> Introduced in QEMU by commit v4.2.0-rc2-3-g9ab2237f19 (function)
>                   and commit v4.2.0-rc2-4-g02fa60d101 (names)
> 
> References:
> 
>     [1] TAA, TSX asynchronous Abort:
>         https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
>         https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
> 
> Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1853200
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
>  src/cpu_map/Makefile.inc.am                   |  5 ++
>  src/cpu_map/index.xml                         |  5 ++
>  src/cpu_map/x86_Cascadelake-Server-noTSX.xml  | 78 ++++++++++++++++
>  src/cpu_map/x86_Icelake-Client-noTSX.xml      | 81 +++++++++++++++++
>  src/cpu_map/x86_Icelake-Server-noTSX.xml      | 90 +++++++++++++++++++
>  src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml | 73 +++++++++++++++
>  src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml | 75 ++++++++++++++++
>  7 files changed, 407 insertions(+)
>  create mode 100644 src/cpu_map/x86_Cascadelake-Server-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Icelake-Client-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Icelake-Server-noTSX.xml
>  create mode 100644 src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
>  create mode 100644 src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
...
> diff --git a/src/cpu_map/x86_Cascadelake-Server-noTSX.xml b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
> new file mode 100644
> index 0000000000..4a979739e2
> --- /dev/null
> +++ b/src/cpu_map/x86_Cascadelake-Server-noTSX.xml
> @@ -0,0 +1,78 @@
> +<cpus>
> +  <model name='Cascadelake-Server'>
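
Review bot: The `name` attribute on the `+  <model name='Cascadelake-Server'>` line does not match the file it lives in, x86_Cascadelake-Server-noTSX.xml, so this file would define 'Cascadelake-Server' rather than the -noTSX model. Set it to 'Cascadelake-Server-noTSX', the name listed in the commit message.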

'Cascadelake-Server-noTSX'

...
> diff --git a/src/cpu_map/x86_Icelake-Client-noTSX.xml b/src/cpu_map/x86_Icelake-Client-noTSX.xml
> new file mode 100644
> index 0000000000..4feb9cef2d
> --- /dev/null
> +++ b/src/cpu_map/x86_Icelake-Client-noTSX.xml
> @@ -0,0 +1,81 @@
> +<cpus>
> +  <model name='Icelake-Client'>
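
Review bot: `<model name='Icelake-Client'>` in x86_Icelake-Client-noTSX.xml needs the -noTSX suffix; as written the cpu_map gains no 'Icelake-Client-noTSX' entry even though the commit message lists it. The rest of the hunk is elided here, so also confirm that the feature list leaves out hle and rtm, which is the point of the model.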

'Icelake-Client-noTSX'

...
> diff --git a/src/cpu_map/x86_Icelake-Server-noTSX.xml b/src/cpu_map/x86_Icelake-Server-noTSX.xml
> new file mode 100644
> index 0000000000..76ae713a4d
> --- /dev/null
> +++ b/src/cpu_map/x86_Icelake-Server-noTSX.xml
> @@ -0,0 +1,90 @@
> +<cpus>
> +  <model name='Icelake-Server'>
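
Review bot: The model name on the second added line of x86_Icelake-Server-noTSX.xml is 'Icelake-Server', the name of the TSX-enabled model this file is meant to sit beside. It should read 'Icelake-Server-noTSX' so the two models can be selected independently.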

'Icelake-Server-noTSX'

...
> diff --git a/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
> new file mode 100644
> index 0000000000..5fa4a733c6
> --- /dev/null
> +++ b/src/cpu_map/x86_Skylake-Client-noTSX-IBRS.xml
> @@ -0,0 +1,73 @@
> +<cpus>
> +  <model name='Skylake-Client-IBRS'>
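
Review bot: In x86_Skylake-Client-noTSX-IBRS.xml the `<model name=` value is 'Skylake-Client-IBRS'; the noTSX marker goes before the -IBRS suffix here, so mechanically appending '-noTSX' would also give the wrong name. Use 'Skylake-Client-noTSX-IBRS', matching the file name and the commit message.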

'Skylake-Client-noTSX-IBRS'

...
> diff --git a/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
> new file mode 100644
> index 0000000000..cb65474767
> --- /dev/null
> +++ b/src/cpu_map/x86_Skylake-Server-noTSX-IBRS.xml
> @@ -0,0 +1,75 @@
> +<cpus>
> +  <model name='Skylake-Server-IBRS'>
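
Review bot: `<model name='Skylake-Server-IBRS'>` should be 'Skylake-Server-noTSX-IBRS' to agree with the file name x86_Skylake-Server-noTSX-IBRS.xml. A check that each x86_*.xml file's model name equals the file name stem would flag this kind of copy-and-rename slip directly.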

'Skylake-Server-noTSX-IBRS'

...

Running make check would reveal all these issues because every single
test which involves parsing the cpu_map was failing due to multiple
definitions of the same CPU model.

And since this patch is adding several CPU models which are already
supported by QEMU since 4.2.0, you need to update several existing test
files for domaincapstest too. You can use

    VIR_TEST_REGENERATE_OUTPUT=1 tests/domaincapstest

to regenerate the files. Just make sure you review the changes before
adding them to this commit.

Regenerating the test files will also be needed for cputest because I
just pushed the "cputest: Add data for Intel(R) Core(TM) i7-8550U CPU
without TSX". Doing so will nicely show that the computed host CPU model
(in x86_64-cpuid-Core-i7-8550U-host.xml file) is
Skylake-Client-noTSX-IBRS rather than Broadwell-noTSX-IBRS.

However, the CPU used for host-model (and reported in domain
capabilities) as shown in x86_64-cpuid-Core-i7-8550U-guest.xml and
x86_64-cpuid-Core-i7-8550U-json.xml will change from Skylake-Client-IBRS
to Skylake-Client-noTSX-IBRS. As I said in my previous reply to this
patch, I think these two CPU definitions should keep using the old
Skylake-Client-IBRS model to make sure any domain with host-model CPU
will always use the CPU models without noTSX for better compatibility
between current and future versions of libvirt. This change should be in
a separate patch, but in single series with the current patch.

Jirka
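
The duplicate-definition failure described in the reply can be caught before `make check` with a small lint over the cpu_map files. This is an added example, not libvirt code or part of the original message; it assumes the `x86_<model>.xml` naming seen in the diffstat, and the `<feature name='...'/>` children are an assumed layout, since only `<cpus>` and `<model name=...>` appear in the quoted hunks.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: file name -> contents (not real libvirt files).
SAMPLE_FILES = {
    "x86_Skylake-Client-IBRS.xml":
        "<cpus><model name='Skylake-Client-IBRS'>"
        "<feature name='hle'/><feature name='rtm'/><feature name='sse2'/>"
        "</model></cpus>",
    # Same slip as in the reviewed patch: name copied from the base model.
    "x86_Skylake-Client-noTSX-IBRS.xml":
        "<cpus><model name='Skylake-Client-IBRS'>"
        "<feature name='sse2'/></model></cpus>",
    # Correct name, but a TSX feature was left in the feature list.
    "x86_Icelake-Server-noTSX.xml":
        "<cpus><model name='Icelake-Server-noTSX'>"
        "<feature name='rtm'/><feature name='sse2'/></model></cpus>",
}

TSX_FEATURES = {"hle", "rtm"}  # the two features the commit message names


def check_cpu_map(files):
    """Return sorted (file, problem) tuples for a {file name: XML text} map."""
    problems = []
    seen = {}  # model name -> first file that defined it
    for fname in sorted(files):
        match = re.fullmatch(r"x86_(.+)\.xml", fname)
        if match is None:
            continue  # not a model file (e.g. an index)
        expected = match.group(1)
        for model in ET.fromstring(files[fname]).iter("model"):
            name = model.get("name")
            if name != expected:
                problems.append((fname, f"model '{name}' should be '{expected}'"))
            if name in seen:
                problems.append((fname, f"'{name}' already defined in {seen[name]}"))
            else:
                seen[name] = fname
            if "noTSX" in expected:
                feats = {f.get("name") for f in model.iter("feature")}
                for feat in sorted(feats & TSX_FEATURES):
                    problems.append((fname, f"noTSX model enables '{feat}'"))
    return sorted(problems)


if __name__ == "__main__":
    for fname, problem in check_cpu_map(SAMPLE_FILES):
        print(f"{fname}: {problem}")
```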



