Xen project Mailing List

[PATCH 1/4] x86: Reject CPU policies with vendors other than the host's

From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>

Date: Thu, 22 Jan 2026 17:49:37 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WMxox3x+9Ts/m2y8FFHLB2sq78zjecLlHbq/Xxc18Ig=; b=kb5QLyFihtx+GBZbkrU1q8UND0jrIMBKAQaaAe2xHLe9Vmqh/tQbIF9sNQALx0fiv22Ihff9G0O8g7pP5qWzR4GSEG8BSzVXn6EU+5LkaFSdwHek+4BQfCCzW3xqbHBvKnvgodzAOmQyTaajhUWsLolbr1F1PfA8tTTfvc9OC6cmQH/hpVfzW/Q6AWZGHteQzSJxKdeG07RrxQD13XtdmTW9lxKVUXGtoDYgyn7gNbTDAmTXWP1M5PDScrH33FYcqbPAraYHFeyVVT1bcYc1j3cC/MRfn8VHgHkM5gALjER/b5cBIGaZx6Cs9yoVtZAyHAmGZ1v4qT5gA/Xu8gFp2A==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=G2IRoyudhXNiNfHOskV+igGQTAmeb5Jh1b6MEkk8D5taKEyZV7CH1NW0yPRKvgC80QKCtWYhqUMMnVJR3q+rT5mQajrCmCIKNQklknPxzjtGP19XqL7zraER0HqTDgBlm3NKOBjX0Ey/6+UwLigkPgyp2No7M+eoTqTAE+UcEzYsGroqTASQyTg1oKWi1Gc/2dcKWdfexnTDvn5riUu6A8Kq6R8FK5g+DaNgtgt5/APbHFu0PuFg0keV8mZZGhOVNGZiqphEl0NR9ZYz+jgXDQIFA4sJQCfcWq5qRtH5nSanrd2gYb4wUgazbhAcfJ1udt26oSDTRIjZ0KCAlynzyA==

Cc: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Community Manager <community.manager@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Thu, 22 Jan 2026 16:50:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

While in principle it's possible to have a vendor virtualising another, this is fairly tricky in practice and comes with the world's supply of security issues. Reject any CPU policy with vendors not matching the host's. Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx> --- CHANGELOG.md | 4 ++++ xen/lib/x86/policy.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18f3d10f20..eae2f961c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Xenoprofile support. Oprofile themselves removed support for Xen in 2014 prior to the version 1.0 release, and there has been no development since before then in Xen. + - Cross-vendor support. Refuse to start domains whose CPU vendor differs + from the host so that security mitigations stay consistent. Cross-vendor + setups have been unreliable and not practical since 2017 with the advent of + speculation security. - Removed xenpm tool on non-x86 platforms as it doesn't actually provide anything useful outside of x86. diff --git a/xen/lib/x86/policy.c b/xen/lib/x86/policy.c index f033d22785..4c0c5386ea 100644 --- a/xen/lib/x86/policy.c +++ b/xen/lib/x86/policy.c @@ -15,7 +15,8 @@ int x86_cpu_policies_are_compatible(const struct cpu_policy *host, #define FAIL_MSR(m) \ do { e.msr = (m); goto out; } while ( 0 ) - if ( guest->basic.max_leaf > host->basic.max_leaf ) + if ( (guest->basic.max_leaf > host->basic.max_leaf) || + (guest->x86_vendor != host->x86_vendor) ) FAIL_CPUID(0, NA); if ( guest->feat.max_subleaf > host->feat.max_subleaf ) -- 2.43.0

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.