Bug 1988104 - [AMD 8.6 bugs] Support protection keys in an AMD EPYC-Milan VM
Summary: [AMD 8.6 bugs] Support protection keys in an AMD EPYC-Milan VM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: 8.6
Assignee: Dr. David Alan Gilbert
QA Contact: liunana
Docs Contact: Jiri Herrmann
URL:
Whiteboard:
Depends On: 1972419
Blocks: 1935445
Reported: 2021-07-29 18:38 UTC by Terry Bowman (AMD)
Modified: 2023-03-14 14:26 UTC (History)

Fixed In Version: 6.2.0
Doc Type: Enhancement
Doc Text:
.VMs with 3rd generation AMD EPYC processors support memory protection keys

RHEL 8.6 introduces support for memory protection keys in virtual machines (VMs) that use the 3rd generation AMD EPYC processors, also known as EPYC Milan. As a result, VMs with the `EPYC-Milan` CPU can be secured with a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains.
Clone Of: 1972419
Environment:
Last Closed: 2022-05-10 13:20:14 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
pkeys-test-results.txt (53.62 KB, text/plain)
2022-03-02 18:07 UTC, Terry Bowman (AMD)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1759 0 None None None 2022-05-10 13:21:17 UTC

Description Terry Bowman (AMD) 2021-07-29 18:38:21 UTC
+++ This bug was initially created as a clone of Bug #1972419 +++

Description of problem:

Subject: [RFC PATCH 0/7] Support protection keys in an AMD EPYC-Milan VM
Date: Thu, 20 May 2021 15:56:40 +0100
Message-ID: <20210520145647.3483809-1-david.edmondson> (raw)

AMD EPYC-Milan CPUs introduced support for protection keys, previously
available only with Intel CPUs.

AMD chose to place the XSAVE state component for the protection keys
at a different offset in the XSAVE state area than that chosen by
Intel.

To accommodate this, modify QEMU to behave appropriately on AMD
systems, allowing a VM to properly take advantage of the new feature.

Further, avoid manipulating XSAVE state components that are not
present on AMD systems.

The code in patch 6 that changes the CPUID 0x0d leaf is mostly dumped
somewhere that seemed to work - I'm not sure where it really belongs.

David Edmondson (7):
  target/i386: Declare constants for XSAVE offsets
  target/i386: Use constants for XSAVE offsets
  target/i386: Clarify the padding requirements of X86XSaveArea
  target/i386: Prepare for per-vendor X86XSaveArea layout
  target/i386: Introduce AMD X86XSaveArea sub-union
  target/i386: Adjust AMD XSAVE PKRU area offset in CPUID leaf 0xd
  target/i386: Manipulate only AMD XSAVE state on AMD

 target/i386/cpu.c            | 19 +++++----
 target/i386/cpu.h            | 80 ++++++++++++++++++++++++++++--------
 target/i386/kvm/kvm.c        | 57 +++++++++----------------
 target/i386/tcg/fpu_helper.c | 20 ++++++---
 target/i386/xsave_helper.c   | 70 +++++++++++++++++++------------
 5 files changed, 152 insertions(+), 94 deletions(-)


Additional info:
Patchset is [RFC] at https://lore.kernel.org/qemu-devel/20210520145647.3483809-1-david.edmondson@oracle.com/

--- Additional comment from John Ferlan on 2021-07-07 18:50:10 UTC ---

Assigned to Amnon for initial triage per bz process and age of bug created or assigned to virt-maint without triage.
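
The layout problem described in the cover letter above, as an added example that is not part of the bug report or of the QEMU patch set: a reader that takes the PKRU location from the enumerated CPUID leaf 0xD layout recovers the saved value, while a reader that assumes the other vendor's offset silently gets 0, which in PKRU means no key restricts access. The names `xsave_get_pkru`, `pkru_roundtrip`, `layout_intel` and `layout_amd` are hypothetical, the offsets in the two tables are sample values constructed for illustration, and 0x55555554 is a sample PKRU value with access-disable set for keys 1-15.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSAVE_HDR_OFFSET 0x200  /* XSTATE_BV sits right after the 512-byte legacy area */
#define XSAVE_EXT_START  0x240  /* legacy area (512) + XSAVE header (64) */
#define PKRU_COMPONENT   9      /* PKRU is XSAVE state component 9 */

/* One CPUID.(EAX=0xD, ECX=i) answer: EAX = size, EBX = offset (standard format). */
struct xsave_comp { uint32_t size, offset; };

/* Sample per-vendor tables, constructed for this example; real code fills them from CPUID. */
static const struct xsave_comp layout_intel[10] = { [2] = {0x100, 0x240}, [9] = {8, 0xA80} };
static const struct xsave_comp layout_amd[10]   = { [2] = {0x100, 0x240}, [9] = {8, 0x980} };

/* Fetch PKRU from an XSAVE image using the enumerated layout; -1 if absent or out of bounds. */
static int xsave_get_pkru(const uint8_t *buf, size_t len,
                          const struct xsave_comp *layout, uint32_t *pkru)
{
    const struct xsave_comp *c = &layout[PKRU_COMPONENT];
    uint64_t xstate_bv;

    if (len < XSAVE_EXT_START || c->size < sizeof(*pkru) ||
        c->offset < XSAVE_EXT_START || (size_t)c->offset + c->size > len)
        return -1;                      /* component not enumerated, or outside the image */
    memcpy(&xstate_bv, buf + XSAVE_HDR_OFFSET, sizeof(xstate_bv));
    if (!(xstate_bv & (1ULL << PKRU_COMPONENT)))
        return -1;                      /* component not saved in this image */
    memcpy(pkru, buf + c->offset, sizeof(*pkru));
    return 0;
}

/* Write PKRU with the `writer` layout, read it back with the `reader` layout. */
static int64_t pkru_roundtrip(const struct xsave_comp *writer,
                              const struct xsave_comp *reader, uint32_t pkru)
{
    static uint8_t image[0x1000];       /* constructed XSAVE image */
    uint64_t xstate_bv = 1ULL << PKRU_COMPONENT;
    uint32_t out;
    memset(image, 0, sizeof(image));
    memcpy(image + XSAVE_HDR_OFFSET, &xstate_bv, sizeof(xstate_bv));
    memcpy(image + writer[PKRU_COMPONENT].offset, &pkru, sizeof(pkru));
    return xsave_get_pkru(image, sizeof(image), reader, &out) ? -1 : (int64_t)out;
}

int main(void)
{
    printf("matching: %#llx\n", (long long)pkru_roundtrip(layout_amd, layout_amd, 0x55555554));
    printf("mismatched: %#llx\n", (long long)pkru_roundtrip(layout_amd, layout_intel, 0x55555554));
    return 0;
}
```

The mismatched case returns success with a wrong value rather than an error, which is why a save/restore path has to follow the enumerated offsets instead of a compile-time constant.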

Comment 1 John Ferlan 2021-08-06 20:35:28 UTC
Dave, assigning to you since you own the cloned from bug 1972419

Comment 2 Dr. David Alan Gilbert 2022-02-10 13:21:06 UTC
I believe this is already in 8.6 since it uses qemu 6.2 that has this set of patches.
Marking on QA;
Terry: Can you check this on 8.6 please?

(I've been backporting these patches to earlier versions as well, because Milan is hitting crashes even for guests not using protection keys)

Comment 4 liunana 2022-02-23 08:46:44 UTC
Hi,


Would you please help to set the ITR? Thanks.



Best regards
Liu Nana

Comment 5 Nitesh Narayan Lal 2022-02-23 13:57:59 UTC
Wei, can you please help by answering Dave's question in comment#2?

Thanks

Comment 6 Terry Bowman (AMD) 2022-03-02 18:07:36 UTC
Created attachment 1863870
pkeys-test-results.txt

Results from running tools/testing/selftests/vm/protection_keys_64

Comment 7 Terry Bowman (AMD) 2022-03-02 18:08:36 UTC
(In reply to Dr. David Alan Gilbert from comment #2)
> I believe this is already in 8.6 since it uses qemu 6.2 that has this set of
> patches.
> Marking on QA;
> Terry: Can you check this on 8.6 please?
> 
> (I've been backporting these patches to earlier versions as well, because
> Milan is hitting crashes even for guests not using protection keys)


Hi David,

Sorry for the late response. In addition to visually checking, I wanted to also test. I attached the results in pkeys-test-results. These are the results from running tools/testing/selftests/vm/protection_keys_64.

Everything passed.

Regards,
Terry

Comment 13 liunana 2022-03-03 02:30:06 UTC
Add 'OtherQA' and move this bug to verified according to Comment 7.

Comment 23 errata-xmlrpc 2022-05-10 13:20:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1759

