On Wed, Oct 08, 2025 at 01:25:57PM -0700, Jon Kohler wrote:
> Newer Intel hardware (Sapphire Rapids and higher) sets multiple MDS
> immunity bits in MSR_IA32_ARCH_CAPABILITIES but lacks the hardware-level
> MSR_ARCH_CAP_FB_CLEAR (bit 17):
>   ARCH_CAP_MDS_NO
>   ARCH_CAP_TAA_NO
>   ARCH_CAP_PSDP_NO
>   ARCH_CAP_FBSDP_NO
>   ARCH_CAP_SBDR_SSDP_NO
>
> This prevents VMs with fb-clear=on from migrating from older hardware
> (Cascade Lake, Ice Lake) to newer hardware, limiting live migration
> capabilities. Note fb-clear was first introduced in v8.1.0 [1].
>
> Expose MSR_ARCH_CAP_FB_CLEAR for MDS-invulnerable systems to enable
> seamless migration between hardware generations.

LGTM, thanks!
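
The migration constraint described in the quoted commit message, as an added example that is not part of the thread or the patch. The helper names and host values are hypothetical, and it assumes "MDS-invulnerable" means all five listed bits are set; bit positions other than bit 17 are taken from the Linux `msr-index.h` definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions in MSR_IA32_ARCH_CAPABILITIES. */
#define ARCH_CAP_MDS_NO        (1ULL << 5)
#define ARCH_CAP_TAA_NO        (1ULL << 8)
#define ARCH_CAP_SBDR_SSDP_NO  (1ULL << 13)
#define ARCH_CAP_FBSDP_NO      (1ULL << 14)
#define ARCH_CAP_PSDP_NO       (1ULL << 15)
#define ARCH_CAP_FB_CLEAR      (1ULL << 17)

/* Assumption: "MDS-invulnerable" means all five bits from the message are set. */
#define MDS_IMMUNE_MASK (ARCH_CAP_MDS_NO | ARCH_CAP_TAA_NO | ARCH_CAP_PSDP_NO | \
                         ARCH_CAP_FBSDP_NO | ARCH_CAP_SBDR_SSDP_NO)

/* Hypothetical helper: capability bits a host can offer to its guests. */
uint64_t guest_visible_caps(uint64_t host_caps, bool expose_fb_clear_if_immune)
{
    if (expose_fb_clear_if_immune &&
        (host_caps & MDS_IMMUNE_MASK) == MDS_IMMUNE_MASK) {
        host_caps |= ARCH_CAP_FB_CLEAR;   /* synthesize bit 17 for the guest */
    }
    return host_caps;
}

/* Hypothetical check: every bit the guest started with must be offered. */
bool can_migrate(uint64_t guest_caps, uint64_t dest_offered)
{
    return (guest_caps & ~dest_offered) == 0;
}

/* Constructed sample values, not read from real hardware. */
const uint64_t OLD_HOST_CAPS = ARCH_CAP_FB_CLEAR;  /* older host: has FB_CLEAR */
const uint64_t NEW_HOST_CAPS = MDS_IMMUNE_MASK;    /* newer host: immune, no bit 17 */
const uint64_t GUEST_CAPS    = ARCH_CAP_FB_CLEAR;  /* guest started with fb-clear=on */

int main(void)
{
    printf("old -> new, bit 17 not exposed: %d\n",
           can_migrate(GUEST_CAPS, guest_visible_caps(NEW_HOST_CAPS, false)));
    printf("old -> new, bit 17 exposed:     %d\n",
           can_migrate(GUEST_CAPS, guest_visible_caps(NEW_HOST_CAPS, true)));
    return 0;
}
```

A host that sets only some of the five immunity bits does not get FB_CLEAR synthesized under this assumption, so a guest with fb-clear=on still cannot land there.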
