\Intel defined the virtual MSRs for software mitigations for all platforms.
+ ARCH_CAP_VIRTUAL_ENUM)
static u64 kvm_get_arch_capabilities(void)
{
@@ -1607,6 +1611,13 @@ static u64 kvm_get_arch_capabilities(void)
*/
data |= ARCH_CAP_PSCHANGE_MC_NO;
+ /*
+ * Virtual MSRs can allow guests to notify VMM whether or not
+ * they are using specific software mitigation, allowing a VMM
+ * to enable there hardware control only where necessary.
+ */
+ data |= ARCH_CAP_VIRTUAL_ENUM;
IMO, this is: data &= ARCH_CAP_VIRTUAL_ENUM; because it requires
platform support.
KVM should be unconditionally opened it for the software mitigation in migration pools.
For example migration from the old platform to the new platform.
Please check the Software Mitigations in Migration Pools section in documents:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
Refer to the above comments.
+kvm_msr_entry *msr)
/*
* If we're doing cache flushes (either "always" or "cond")
* we will do one whenever the guest does a vmlaunch/vmresume.
@@ -1657,6 +1668,9 @@ static int kvm_get_msr_feature(struct
case MSR_IA32_UCODE_REV:
rdmsrl_safe(msr->index, &msr->data);
break;
+ case MSR_VIRTUAL_ENUMERATION:
+ msr->data = VIRT_ENUM_MITIGATION_CTRL_SUPPORT;
Need to check bit 63 of host MSR_ARCH_CAPABILITIES before expose the
feature.
Thanks
Chen
+ break;
default:
return static_call(kvm_x86_get_msr_feature)(msr);
}