
Re: [PATCH v5 1/5] x86: Reject CPU policies with vendors other than the host's


  • To: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 12 Mar 2026 21:01:08 +0000
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Community Manager <community.manager@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Thu, 12 Mar 2026 21:01:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 12/03/2026 11:21 am, Alejandro Vallejo wrote:
> While in principle it's possible to have a vendor virtualising another,
> this is fairly tricky in practice and comes with the world's supply of
> security issues.
>
> Reject any CPU policy with vendors not matching the host's.
>
> Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
>  CHANGELOG.md                             |  5 +++++
>  tools/tests/cpu-policy/test-cpu-policy.c | 27 ++++++++++++++++++++++++
>  xen/arch/x86/lib/cpu-policy/policy.c     |  5 ++++-
>  3 files changed, 36 insertions(+), 1 deletion(-)
>
> diff --git a/CHANGELOG.md b/CHANGELOG.md
> index c191e504aba..90ba5da69e4 100644
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -23,6 +23,11 @@ The format is based on [Keep a 
> Changelog](https://keepachangelog.com/en/1.0.0/)
>     - Xenoprofile support.  Oprofile themselves removed support for Xen in 
> 2014
>       prior to the version 1.0 release, and there has been no development 
> since
>       before then in Xen.
> +   - Domains can no longer run on a system with CPUs of a vendor different 
> from
> +     the one they were initially launched on. This affects live migrations 
> and
> +     save/restore workflows across mixed-vendor hosts. Cross-vendor emulation
> +     has always been unreliable, but since 2017 with the advent of 
> speculation
> +     security it became unsustainably so.
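Review bot: The bullet under-states the scope of the change relative to the commit message. "Reject any CPU policy with vendors not matching the host's" also covers a freshly created guest whose configuration names a vendor other than the host's, but the entry only describes live migration and save/restore across mixed-vendor hosts; consider opening with the general rule (a guest can only be configured with the host CPU's vendor) and then listing migration and save/restore as the workflows it affects. Separately, the wrapped lines ("Keep a / Changelog", "in / 2014", "different / from") show the mail client has reflowed the diff, so this copy will not apply as quoted.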

c/s 0f1cb96e9785294f149ab3c7feb90c0eb9daeede was when it got added to Xen.

I'm certain there's a whitepaper somewhere from AMD about this, but I
can't locate it.  It was partly marketing about how you could buy AMD
hardware (which was cheaper) and live-migrate your Intel VMs without
interruption.  It would have been nice to find for posterity.

For the changelog, can I suggest this:

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c191e504aba9..377711d40953 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,12 @@ The format is based on [Keep a 
Changelog](https://keepachangelog.com/en/1.0.0/)
    - Xenoprofile support.  Oprofile themselves removed support for Xen in 2014
      prior to the version 1.0 release, and there has been no development since
      before then in Xen.
+   - Cross-vendor support; guests can now only be configured as the same
+     vendor as the host CPU.  When added back in 2009, with enough trickery
+     Intel and AMD CPUs could be made to be compatible enough to live migrate
+     a guest, but the vendors have been diverging since then in ways that Xen
+     cannot compensate for, and the advent of speculative security issues has
+     put to rest any possibility of this being a viable option.
 
  - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
    anything useful outside of x86.
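Review bot: The replacement bullet drops the user-visible consequence the original entry spelled out, namely that live migration and save/restore of a guest between hosts of different vendors now fail, and a reader scanning the "Removed" section for upgrade impact would want that stated. Suggest appending a sentence such as "Live migration and save/restore between hosts of different vendors are therefore no longer possible." The "added back in 2009" date is not checkable from the hunk itself; naming the changeset cited earlier in this reply (0f1cb96e9785294f149ab3c7feb90c0eb9daeede) next to it would let readers verify it.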


which is closer to the style of the surrounding bullet points.  Also
s/domain/guest/ which is a subtle but important distinction made by the
Security Team when discussing configurations.

~Andrew
