Xen project Mailing List

Re: [PATCH 1/4] x86: Reject CPU policies with vendors other than the host's

To: "Alejandro Vallejo" <alejandro.garciavallejo@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: "Teddy Astie" <teddy.astie@xxxxxxxxxx>

Date: Thu, 22 Jan 2026 17:13:25 +0000

Cc: "Oleksii Kurochko" <oleksii.kurochko@xxxxxxxxx>, "Community Manager" <community.manager@xxxxxxxxxxxxxx>, "Jan Beulich" <jbeulich@xxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, "Roger Pau Monné" <roger.pau@xxxxxxxxxx>

Delivery-date: Thu, 22 Jan 2026 17:13:32 +0000

Feedback-id: 30504962:30504962.20260122:md

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Le 22/01/2026 à 17:51, Alejandro Vallejo a écrit : > While in principle it's possible to have a vendor virtualising another, > this is fairly tricky in practice and comes with the world's supply of > security issues. > > Reject any CPU policy with vendors not matching the host's. > > Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx> > --- > CHANGELOG.md | 4 ++++ > xen/lib/x86/policy.c | 3 ++- > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/CHANGELOG.md b/CHANGELOG.md > index 18f3d10f20..eae2f961c7 100644 > --- a/CHANGELOG.md > +++ b/CHANGELOG.md > @@ -22,6 +22,10 @@ The format is based on [Keep a > Changelog](https://keepachangelog.com/en/1.0.0/) > - Xenoprofile support. Oprofile themselves removed support for Xen in > 2014 > prior to the version 1.0 release, and there has been no development > since > before then in Xen. > + - Cross-vendor support. Refuse to start domains whose CPU vendor > differs> + from the host so that security mitigations stay consistent. Cross-vendor > + setups have been unreliable and not practical since 2017 with the > advent of > + speculation security. > I don't really like the wording, it sounds like guest will suddenly stop to work for some reason. AFAIK, in the Xen Project only suspend/resume logic is going to be affected, and we probably want to reflect on that instead. > - Removed xenpm tool on non-x86 platforms as it doesn't actually provide > anything useful outside of x86. > diff --git a/xen/lib/x86/policy.c b/xen/lib/x86/policy.c > index f033d22785..4c0c5386ea 100644 > --- a/xen/lib/x86/policy.c > +++ b/xen/lib/x86/policy.c > @@ -15,7 +15,8 @@ int x86_cpu_policies_are_compatible(const struct cpu_policy > *host, > #define FAIL_MSR(m) \ > do { e.msr = (m); goto out; } while ( 0 ) > > - if ( guest->basic.max_leaf > host->basic.max_leaf ) > + if ( (guest->basic.max_leaf > host->basic.max_leaf) || > + (guest->x86_vendor != host->x86_vendor) ) > FAIL_CPUID(0, NA); > > if ( guest->feat.max_subleaf > host->feat.max_subleaf ) -- Teddy Astie | Vates XCP-ng Developer XCP-ng & Xen Orchestra - Vates solutions web: https://vates.tech

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.