[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/4] x86: Reject CPU policies with vendors other than the host's

  • To: Teddy Astie <teddy.astie@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Fri, 23 Jan 2026 12:30:33 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=vates.tech smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=All5rhqj5Rzs0kQTv90z7MbhvCo4QWprTk/QfjbAQbk=; b=xXT+nlkUxlt0Fw7JD0RxkrJhTPbqu38PVTVfBAhra6UPXCYqmMfxiYZH4gBQ8TElk4S+4xSi6blWoO1//wtR8NkKHEoTE3qcikRAgXAOvLAtwiW2zwJjPiRImwOVvvFgiEATXMPl3wscr8UF3yCPCP//DZb2sbbLDPKG6yMd4JuwZhMn5sIsOhDRi+kreDqshDmAai1OKG2IMFT82a0622mZc2kxOlqOVOt6WHaNNL/wCpz47wTSIDqQOPFigFtEI3gCD8EmXfv2Nl04IQE/jKBxWFlLNKr7+RAdk1SAY2k61uhic1aJXvbI+GzOJbvzW4EiwcrRGiRAjvES8Yld6Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=a475LqwRHy64zRa0FR3ObDc5DT5sy5925/E+YJE/e8rUSj2NzF3GL671dku7ZQhnaJWUpDYwXMYe84fEt8CV4q1T0zUkRNhJdUXM8r5Y0j0pYI5tAco3r6PeXLYUmCkHhALQ0oosEoobl3ui58GtdY+zsEcoyNC3kMVSsxkgBTFjfbm/BK2bjlNmjATXaSfAAFPcATDMiHnWrhKnxl0VFrL1++HqJmpuETjAh6J4TKezX29G/GLtm47edF3pwzJKNSErSjLBBb7YjwM0rG4q2InJmzd0OzUZhM9JPysu3MBIMrNQ+k1kY7c1UmXfF2oj5JzJhKS4/cIWNfIpCVhvvw==
  • Cc: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Community Manager <community.manager@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 23 Jan 2026 11:30:54 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu Jan 22, 2026 at 6:13 PM CET, Teddy Astie wrote:
> Le 22/01/2026 à 17:51, Alejandro Vallejo a écrit :
>> While in principle it's possible to have a vendor virtualising another,
>> this is fairly tricky in practice and comes with the world's supply of
>> security issues.
>> 
>> Reject any CPU policy with vendors not matching the host's.
>> > Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
>> ---
>>   CHANGELOG.md         | 4 ++++
>>   xen/lib/x86/policy.c | 3 ++-
>>   2 files changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/CHANGELOG.md b/CHANGELOG.md
>> index 18f3d10f20..eae2f961c7 100644
>> --- a/CHANGELOG.md
>> +++ b/CHANGELOG.md
>> @@ -22,6 +22,10 @@ The format is based on [Keep a 
>> Changelog](https://keepachangelog.com/en/1.0.0/)
>>      - Xenoprofile support.  Oprofile themselves removed support for Xen in 
>> 2014
>>        prior to the version 1.0 release, and there has been no development 
>> since
>>        before then in Xen.
>> +   - Cross-vendor support.  Refuse to start domains whose CPU vendor 
>> differs> +     from the host so that security mitigations stay consistent. 
> Cross-vendor

???

>> +     setups have been unreliable and not practical since 2017 with the 
>> advent of
>> +     speculation security.
>>   
>
> I don't really like the wording, it sounds like guest will suddenly stop 
> to work for some reason. AFAIK, in the Xen Project only suspend/resume 
> logic is going to be affected, and we probably want to reflect on that 
> instead.

You also won't be able to start a cross vendor VM, which you can do by
manually picking the CPUID leaves in xl.cfg. Though you're right that for the
overwhelming majority of affected users this would manifest as not being able to
restore a saved VM (or not being able to live-migrate, which is effectively the
same thing for this purpose). It's unlikely anyone abuses xl the way I
described.

I'll reword it differently to note the overwhelmingly most affected workflow.

>
>>    - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
>>      anything useful outside of x86.
>> diff --git a/xen/lib/x86/policy.c b/xen/lib/x86/policy.c
>> index f033d22785..4c0c5386ea 100644
>> --- a/xen/lib/x86/policy.c
>> +++ b/xen/lib/x86/policy.c
>> @@ -15,7 +15,8 @@ int x86_cpu_policies_are_compatible(const struct 
>> cpu_policy *host,
>>   #define FAIL_MSR(m) \
>>       do { e.msr = (m); goto out; } while ( 0 )
>>   
>> -    if ( guest->basic.max_leaf > host->basic.max_leaf )
>> +    if ( (guest->basic.max_leaf >  host->basic.max_leaf) ||
>> +         (guest->x86_vendor     != host->x86_vendor) )
>>           FAIL_CPUID(0, NA);
>>   
>>       if ( guest->feat.max_subleaf > host->feat.max_subleaf )
>
>
>
> --
> Teddy Astie | Vates XCP-ng Developer
>
> XCP-ng & Xen Orchestra - Vates solutions
>
> web: https://vates.tech

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.