Intel Preparing Virtual IA32_SPEC_CTRL Support For The Linux Kernel – Phoronix



Intel on Sunday posted a set of Linux patches implementing virtual IA32_SPEC_CTRL support, a VMX feature of newer Intel CPUs, to help with migrating virtual machines between hosts whose CPU microarchitectures, and therefore their required security mitigations, differ.

The virtual IA32_SPEC_CTRL feature allows the VMM to fix some bits of the IA32_SPEC_CTRL MSR even when the model specific register is passed through to a guest, so the guest can read and write the MSR without VM exits while the VMM-chosen bits stay locked. This new feature appears to primarily benefit handling of VMs when migrating between hosts with CPUs of different micro-architectures where the required security mitigations may be different.

The Intel patch series explains:

### Use cases of virtual IA32_SPEC_CTRL

Software mitigations like Retpoline and the software BHB-clearing sequence depend on CPU microarchitectures. And a guest cannot know exactly the underlying microarchitecture. When a guest is migrated between processors of different microarchitectures, software mitigations which work perfectly on the previous microarchitecture may not be effective on the new one. To fix the problem, some hardware mitigations should be used in conjunction with software mitigations. Using virtual IA32_SPEC_CTRL, the VMM can enforce hardware mitigations transparently to guests and avoid those hardware mitigations being accidentally disabled when the guest changes the IA32_SPEC_CTRL MSR.

### Intention of this series

This series adds the capability of enforcing hardware mitigations for guests transparently and efficiently (i.e., without intercepting IA32_SPEC_CTRL MSR accesses) to KVM. The capability can be used to solve the VM migration issue in a pool consisting of processors of different microarchitectures.

More details are in the patch series that wires virtual IA32_SPEC_CTRL support into the Linux kernel, specifically the KVM code.
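To make the enforcement policy concrete, here is an added, simplified model of what "fixing some bits of a passed-through MSR" means for a guest. It is illustrative code written for this article, not Intel's hardware behaviour, the VMX field definitions, or KVM's implementation: the `struct vspec_ctrl` fields, the `vspec_ctrl_*` functions, and the choice that the guest reads back exactly what it last wrote are all assumptions of the model. The IA32_SPEC_CTRL bit positions for IBRS, STIBP, SSBD and BHI_DIS_S are the architectural ones.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Architectural IA32_SPEC_CTRL bit positions. */
#define SPEC_CTRL_IBRS      (1ULL << 0)
#define SPEC_CTRL_STIBP     (1ULL << 1)
#define SPEC_CTRL_SSBD      (1ULL << 2)
#define SPEC_CTRL_BHI_DIS_S (1ULL << 10)

/* Hypothetical per-vCPU state for this model (not KVM's data structures). */
struct vspec_ctrl {
    uint64_t mask;     /* bits the VMM locks; guest writes to them are ignored */
    uint64_t enforced; /* values forced into the locked bits */
    uint64_t shadow;   /* last value the guest wrote; what the guest reads back */
    uint64_t hw;       /* value that would be loaded into the physical MSR */
};

/* VMM side: decide which hardware mitigations this host must keep on. */
void vspec_ctrl_init(struct vspec_ctrl *s, uint64_t lock_mask, uint64_t lock_value)
{
    s->mask = lock_mask;
    s->enforced = lock_value & lock_mask;
    s->shadow = 0;
    s->hw = s->enforced;
}

/* Guest WRMSR: the guest's choice takes effect only in unlocked bits. */
uint64_t vspec_ctrl_wrmsr(struct vspec_ctrl *s, uint64_t guest_value)
{
    s->shadow = guest_value;
    s->hw = (guest_value & ~s->mask) | s->enforced;
    return s->hw;
}

/* Guest RDMSR: in this model the guest sees its own last write, so its
 * bookkeeping of "which mitigations did I enable" stays consistent. */
uint64_t vspec_ctrl_rdmsr(const struct vspec_ctrl *s)
{
    return s->shadow;
}

/* Migration to a host with a different policy: the guest's view is carried
 * over untouched and the effective value is recomputed under the new lock. */
void vspec_ctrl_migrate(struct vspec_ctrl *s, uint64_t lock_mask, uint64_t lock_value)
{
    s->mask = lock_mask;
    s->enforced = lock_value & lock_mask;
    s->hw = (s->shadow & ~s->mask) | s->enforced;
}

/* Audit check: no guest write can have cleared a locked-on bit. */
bool vspec_ctrl_enforced(const struct vspec_ctrl *s)
{
    return (s->hw & s->mask) == s->enforced;
}

int main(void)
{
    struct vspec_ctrl s;

    /* Host A relies on hardware BHI and IBRS mitigations; lock both on. */
    vspec_ctrl_init(&s, SPEC_CTRL_BHI_DIS_S | SPEC_CTRL_IBRS,
                        SPEC_CTRL_BHI_DIS_S | SPEC_CTRL_IBRS);

    /* Guest believes software mitigations suffice and writes 0. */
    printf("guest wrote 0      -> hw 0x%llx\n",
           (unsigned long long)vspec_ctrl_wrmsr(&s, 0));

    /* Guest enables SSBD for itself; unlocked bit passes through. */
    printf("guest wrote SSBD   -> hw 0x%llx, guest sees 0x%llx\n",
           (unsigned long long)vspec_ctrl_wrmsr(&s, SPEC_CTRL_SSBD),
           (unsigned long long)vspec_ctrl_rdmsr(&s));

    /* Host B only needs BHI_DIS_S locked; guest's view is unchanged. */
    vspec_ctrl_migrate(&s, SPEC_CTRL_BHI_DIS_S, SPEC_CTRL_BHI_DIS_S);
    printf("after migration    -> hw 0x%llx, guest sees 0x%llx, enforced=%d\n",
           (unsigned long long)s.hw, (unsigned long long)vspec_ctrl_rdmsr(&s),
           vspec_ctrl_enforced(&s));
    return 0;
}
```

The point of the model is the split between the guest's view and the effective value: the guest can keep toggling the bits it owns, the host-mandated bits never move, and a migration only recomputes the effective value from the guest's stored view rather than asking the guest to cooperate.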
