[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v5 1/5] x86: Reject CPU policies with vendors other than the host's

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Fri, 13 Mar 2026 12:27:24 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=citrix.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=k7jeo7FjACy6+3xAmpUGqOgAc/b1qt2HxxFvx8aSx5U=; b=JiOC/ddw7NhZuelGqlUb5FGR19+I+UFEjK/GJYvpDwOF1cVR2WVTeGA/cRZVal6vrKza/L44KvZx8u2FCu+WGe6UxgeQsMBW+Kp1ppSXj8HQV4Vb8yyFW4IzcGnjQYlj1UfPZE5I8YwYMpvt0xGmwUG8iYQmFYb+0O7cDePV0ak8TVURUHe9YgU57WpJm2D5JRXqrl1nv7VdIkyMkN87wZztS4FlpMYUBDvnyPkhWKuoCpGVTCAm0nlGVriwi3+w1ZGZRruCUCGqE7rWguUN44VMyBwOaHJsD/O9cXI17IhjcIvzpMY1A+1nDOJOSAjCq4VWaaNyTVRAHDUWsdH11g==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ISx8sNcd4K1X5/YRgiDM9Gl0no0EYtAViZxW08zqm8/8LDHfLuLiGsVTaKCh6S0azxCw72fR5DxFlI0XZ3f3c0LwCuCpdFv4hdZHxAnBs38Z1MZ43G9Fh9cRBpygUtM28EXqzir7mXfy3qdb6+nhPoNzlie8fdvxDk3TSVmPvsQboEpbwiWIg8U6IBBy5laweZvP4rCv3PmfY6jmkzGNy9GZX3aOHTfZM2QJh7d4O31hDdSO7ytDQAQu/mFndDUqIgk7MPW2xGvqyGNe2SrhLSTdAwCW2YBzymrimXOcNQexDcLYWzM2cjwngtbuhwAarHVhjLWPAvxTLwVSkr/ZNg==
  • Cc: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Community Manager <community.manager@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Fri, 13 Mar 2026 11:27:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu Mar 12, 2026 at 10:01 PM CET, Andrew Cooper wrote:
> On 12/03/2026 11:21 am, Alejandro Vallejo wrote:
>> While in principle it's possible to have a vendor virtualising another,
>> this is fairly tricky in practice and comes with the world's supply of
>> security issues.
>>
>> Reject any CPU policy with vendors not matching the host's.
>>
>> Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
>> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
>> ---
>>  CHANGELOG.md                             |  5 +++++
>>  tools/tests/cpu-policy/test-cpu-policy.c | 27 ++++++++++++++++++++++++
>>  xen/arch/x86/lib/cpu-policy/policy.c     |  5 ++++-
>>  3 files changed, 36 insertions(+), 1 deletion(-)
>>
>> diff --git a/CHANGELOG.md b/CHANGELOG.md
>> index c191e504aba..90ba5da69e4 100644
>> --- a/CHANGELOG.md
>> +++ b/CHANGELOG.md
>> @@ -23,6 +23,11 @@ The format is based on [Keep a 
>> Changelog](https://keepachangelog.com/en/1.0.0/)
>>     - Xenoprofile support.  Oprofile themselves removed support for Xen in 
>> 2014
>>       prior to the version 1.0 release, and there has been no development 
>> since
>>       before then in Xen.
>> +   - Domains can no longer run on a system with CPUs of a vendor different 
>> from
>> +     the one they were initially launched on. This affects live migrations 
>> and
>> +     save/restore workflows across mixed-vendor hosts. Cross-vendor 
>> emulation
>> +     has always been unreliable, but since 2017 with the advent of 
>> speculation
>> +     security it became unsustainably so.
>
> c/s 0f1cb96e9785294f149ab3c7feb90c0eb9daeede was when it got added to Xen.
>
> I'm certain there's a whitepaper somewhere from AMD about this, but I
> can't locate it.  It was partly marketing about how you could buy AMD
> hardware (which was cheaper) and live-migrate your Intel VMs without
> interruption.  It would have been nice to find for posterity.
>
> For the changelog, can I suggest this:
>
> diff --git a/CHANGELOG.md b/CHANGELOG.md
> index c191e504aba9..377711d40953 100644
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -23,6 +23,12 @@ The format is based on [Keep a 
> Changelog](https://keepachangelog.com/en/1.0.0/)
>     - Xenoprofile support.  Oprofile themselves removed support for Xen in 
> 2014
>       prior to the version 1.0 release, and there has been no development 
> since
>       before then in Xen.
> +   - Cross-vendor support; guests can now only be configured as the same
> +     vendor as the host CPU.  When added back in 2009, with enough trickery
> +     Intel and AMD CPUs could be made to be compatible enough to live migrate
> +     a guest, but the vendors have been diverging since then in ways that Xen
> +     cannot compensate for, and the advent of speculative security issues has
> +     put to rest any possibility of this being a viable option.
>  
>   - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
>     anything useful outside of x86.
>
>
> which is closer to the style of the surrounding bullet points.  Also
> s/domain/guest/ which is a subtle but important distinction made by the
> Security Team when discussing configurations.

Sure on both accounts. I don't mind the contents so long as there is any.

Should I consider these on the "doable on commit" camp? Or do you want a v6?

Cheers,
Alejandro

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.