While in principle it's possible to have a vendor virtualising another, this is fairly tricky in practice and comes with the world's supply of security issues.
Reject any CPU policy with vendors not matching the host's. Signed-off-by: Alejandro Vallejo <[email protected]> --- v3: * Check vendor_e{b,c,d}x rather than x86_vendor. * Added unit tests for pass/fail cases. * They cover a success and a failure on a comparison of an unknown vendor. --- CHANGELOG.md | 5 +++++ tools/tests/cpu-policy/test-cpu-policy.c | 27 ++++++++++++++++++++++++ xen/lib/x86/policy.c | 5 ++++- 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18f3d10f20..426c0bce67 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Xenoprofile support. Oprofile themselves removed support for Xen in 2014 prior to the version 1.0 release, and there has been no development since before then in Xen. + - Domains can no longer run on a CPU vendor if they were initially launched + on a different CPU vendor. This affects live migrations and save/restore + workflows accross mixed-vendor hosts. Cross-vendor emulation has always + been unreliable, but since 2017 with the advent of speculation security it + became unsustainably so. - Removed xenpm tool on non-x86 platforms as it doesn't actually provide anything useful outside of x86. diff --git a/tools/tests/cpu-policy/test-cpu-policy.c b/tools/tests/cpu-policy/test-cpu-policy.c index 301df2c002..88a9a26e8f 100644 --- a/tools/tests/cpu-policy/test-cpu-policy.c +++ b/tools/tests/cpu-policy/test-cpu-policy.c @@ -586,6 +586,19 @@ static void test_is_compatible_success(void) .platform_info.cpuid_faulting = true, }, }, + { + .name = "Host CPU vendor == Guest CPU vendor (both unknown)", + .host = { + .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1, + .basic.vendor_ecx = X86_VENDOR_AMD_ECX, + .basic.vendor_edx = X86_VENDOR_AMD_EDX, + }, + .guest = { + .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1, + .basic.vendor_ecx = X86_VENDOR_AMD_ECX, + .basic.vendor_edx = X86_VENDOR_AMD_EDX, + }, + }, }; struct cpu_policy_errors no_errors = INIT_CPU_POLICY_ERRORS; @@ -629,6 +642,20 @@ static void test_is_compatible_failure(void) }, .e = { -1, -1, 0xce }, }, + { + .name = "Host CPU vendor != Guest CPU vendor (both unknown)", + .host = { + .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1, + .basic.vendor_ecx = X86_VENDOR_AMD_ECX, + .basic.vendor_edx = X86_VENDOR_AMD_EDX, + }, + .guest = { + .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 2, + .basic.vendor_ecx = X86_VENDOR_AMD_ECX, + .basic.vendor_edx = X86_VENDOR_AMD_EDX, + }, + .e = { 0, -1, -1 }, + }, }; printf("Testing policy compatibility failure:\n"); diff --git a/xen/lib/x86/policy.c b/xen/lib/x86/policy.c index f033d22785..f991b1f3a9 100644 --- a/xen/lib/x86/policy.c +++ b/xen/lib/x86/policy.c @@ -15,7 +15,10 @@ int x86_cpu_policies_are_compatible(const struct cpu_policy *host, #define FAIL_MSR(m) \ do { e.msr = (m); goto out; } while ( 0 ) - if ( guest->basic.max_leaf > host->basic.max_leaf ) + if ( (guest->basic.vendor_ebx != host->basic.vendor_ebx) || + (guest->basic.vendor_ecx != host->basic.vendor_ecx) || + (guest->basic.vendor_edx != host->basic.vendor_edx) || + (guest->basic.max_leaf > host->basic.max_leaf) ) FAIL_CPUID(0, NA); if ( guest->feat.max_subleaf > host->feat.max_subleaf ) -- 2.43.0
