Bug 1988104

Summary: [AMD 8.6 bugs] Support protection keys in an AMD EPYC-Milan VM
Product: Red Hat Enterprise Linux 8 Reporter: Terry Bowman (AMD) <tbowman>
Component: qemu-kvmAssignee: Dr. David Alan Gilbert <dgilbert>
qemu-kvm sub component: CPU Models QA Contact: liunana <nanliu>
Status: CLOSED ERRATA Docs Contact: Jiri Herrmann <jherrman>
Severity: unspecified    
Priority: unspecified CC: babu.moger, bhu, dgilbert, jherrman, jinzhao, jon.grimm, juzhang, nanliu, nilal, qzhang, virt-maint, wehuang, wei.huang2
Version: 8.5Keywords: FutureFeature, TestOnly, Triaged
Target Milestone: beta   
Target Release: 8.6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 6.2.0 Doc Type: Enhancement
Doc Text:
.VMs with 3rd generation AMD EPYC processors support memory protection keys RHEL 8.6 introduces support for memory protection keys in virtual machines (VMs) that use the 3rd generation AMD EPYC processors, also known as EPYC Milan. As a result, VMs with the `EPYC-Milan` CPU can be secured with a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains.
 Story Points: ---
Clone Of: 1972419 Environment:
Last Closed: 2022-05-10 13:20:14 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1972419    
Bug Blocks: 1935445    
Attachments:
Description Flags
pkeys-test-results.txt none

Description Terry Bowman (AMD) 2021-07-29 18:38:21 UTC 
+++ This bug was initially created as a clone of Bug #1972419 +++

Description of problem:

Subject: [RFC PATCH 0/7] Support protection keys in an AMD EPYC-Milan VM
Date: Thu, 20 May 2021 15:56:40 +0100
Message-ID: <20210520145647.3483809-1-david.edmondson> (raw)

AMD EPYC-Milan CPUs introduced support for protection keys, previously
available only with Intel CPUs.

AMD chose to place the XSAVE state component for the protection keys
at a different offset in the XSAVE state area than that chosen by
Intel.

To accommodate this, modify QEMU to behave appropriately on AMD
systems, allowing a VM to properly take advantage of the new feature.

Further, avoid manipulating XSAVE state components that are not
present on AMD systems.

The code in patch 6 that changes the CPUID 0x0d leaf is mostly dumped
somewhere that seemed to work - I'm not sure where it really belongs.

David Edmondson (7):
  target/i386: Declare constants for XSAVE offsets
  target/i386: Use constants for XSAVE offsets
  target/i386: Clarify the padding requirements of X86XSaveArea
  target/i386: Prepare for per-vendor X86XSaveArea layout
  target/i386: Introduce AMD X86XSaveArea sub-union
  target/i386: Adjust AMD XSAVE PKRU area offset in CPUID leaf 0xd
  target/i386: Manipulate only AMD XSAVE state on AMD

 target/i386/cpu.c            | 19 +++++----
 target/i386/cpu.h            | 80 ++++++++++++++++++++++++++++--------
 target/i386/kvm/kvm.c        | 57 +++++++++----------------
 target/i386/tcg/fpu_helper.c | 20 ++++++---
 target/i386/xsave_helper.c   | 70 +++++++++++++++++++------------
 5 files changed, 152 insertions(+), 94 deletions(-)


Additional info:
Patchset is [RFC] at https://lore.kernel.org/qemu-devel/20210520145647.3483809-1-david.edmondson@oracle.com/

--- Additional comment from John Ferlan on 2021-07-07 18:50:10 UTC ---

Assigned to Amnon for initial triage per bz process and age of bug created or assigned to virt-maint without triage.
Comment 1 John Ferlan 2021-08-06 20:35:28 UTC 
Dave, assigning to you since you own the cloned from bug 1972419
Comment 2 Dr. David Alan Gilbert 2022-02-10 13:21:06 UTC 
I believe this is already in 8.6 since it uses qemu 6.2 that has this set of patches.
Marking on QA;
Terry: Can you check this on 8.6 please?

(I've been backporting these patches to earlier versions as well, because Milan is hitting crashes even for guests not using protection keys)
Comment 4 liunana 2022-02-23 08:46:44 UTC 
Hi,


Would you please help to set the ITR? Thanks.



Best regards
Liu Nana
Comment 5 Nitesh Narayan Lal 2022-02-23 13:57:59 UTC 
Wei, can you please help by answering Dave's question in comment#2?

Thanks
Comment 6 Terry Bowman (AMD) 2022-03-02 18:07:36 UTC 
Created attachment 1863870 [details]
pkeys-test-results.txt

Results from running tools/testing/selftests/vm/protection_keys_64
Comment 7 Terry Bowman (AMD) 2022-03-02 18:08:36 UTC 
(In reply to Dr. David Alan Gilbert from comment #2)
> I believe this is already in 8.6 since it uses qemu 6.2 that has this set of
> patches.
> Marking on QA;
> Terry: Can you check this on 8.6 please?
> 
> (I've been backporting these patches to earlier versions as well, because
> Milan is hitting crashes even for guests not using protection keys)


Hi David,

Sorry, for the late response. In addition to visually checking I wanted to also test. I attached the results in pkeys-test-results. This is the results from running tools/testing/selftests/vm/protection_keys_64.

Everything passed.

Regards,
Terry
Comment 13 liunana 2022-03-03 02:30:06 UTC 
Add 'OtherQA' and move this bug to verified according to Comment 7.
Comment 23 errata-xmlrpc 2022-05-10 13:20:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759