From 93d2ff782f14a8064aafe20a29f61ec21b400d4c Mon Sep 17 00:00:00 2001 
From: Kashyap Chamarthy
Date: Mon, 20 May 2019 17:33:38 +0200
Subject: [PATCH] hw: cpu: Rework the directory layout; add missing traits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The main motivation for this change is to: (a) add missing CPU flags
(including those flags that provide mitigation for the recent CVE
flaws) as 'traits'; and (b) adjust and clean up the layout of the
'hw/cpu/' directory.

To that end, the following are the set of changes in this patch.

(*) Introduce a new cpu/x86 directory; and vendor-specific files: amd.py
    and intel.py; with __init__.py containing the *common* stuff:

    - hw/cpu/x86/amd.py -- AMD-only traits.

    - hw/cpu/x86/intel.py -- Intel-only traits.

    - hw/cpu/x86/__init__.py -- Common traits for both AMD and Intel.

    - hw/cpu/x86.py -- Two things: (a) move the contents of this file
      into x86/__init__.py, which is its new location; this move
      preserves the integrity of the string trait names and Python
      paths, as they were before; and (b) given point (a), remove the
      now no longer needed hw/cpu/x86.py. (Justification: We are
      removing this file to maintain consistency with the way it's done
      throughout the 'os-traits' repository.)

    - hw/cpu/amd.py -- Deprecate the contents of this file with a
      comment; and copy them into hw/cpu/x86/amd.py, which is its new
      location.

    Comparison between the old and the new layouts of os_traits/hw/cpu/:

        Old Layout            New Layout
        ----------            ----------
        cpu/                  cpu/
        ├── aarch64.py        ├── aarch64.py
        ├── amd.py            ├── amd.py [DEPRECATED]
        ├── __init__.py       ├── __init__.py
        └── x86.py            └── x86/
                                  ├── amd.py
                                  ├── __init__.py
                                  └── intel.py

(*) Add various missing CPU flags to x86/intel.py, x86/amd.py and to
    x86/__intel__.py.

(*) Copy, and deprecate with a comment, flags from cpu/x86.py, i.e.
    "VMX" (Intel) and "SVM" (AMD), into corresponding vendor-specific
    files.
References
----------

[1] Thread start:
    http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006281.html
    -- On reporting CPU flags that provide mitigation (to CVE flaws) as
    Nova 'traits'

[2] Thread conclusion:
    http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006364.html

Closes-Bug: #1830948
Change-Id: I1c9a72d19ef9dadfb931efa3894867099974bcc7
Signed-off-by: Kashyap Chamarthy
---
 os_traits/hw/cpu/amd.py                      | 14 +++++++++-
 os_traits/hw/cpu/{x86.py => x86/__init__.py} | 20 +++++++++++++++
 os_traits/hw/cpu/x86/amd.py                  | 27 ++++++++++++++++++++
 os_traits/hw/cpu/x86/intel.py                | 27 ++++++++++++++++++++
 4 files changed, 87 insertions(+), 1 deletion(-)
 rename os_traits/hw/cpu/{x86.py => x86/__init__.py} (62%)
 create mode 100644 os_traits/hw/cpu/x86/amd.py
 create mode 100644 os_traits/hw/cpu/x86/intel.py

diff --git a/os_traits/hw/cpu/amd.py b/os_traits/hw/cpu/amd.py index 1d95ade..88e3cf5 100644 --- a/os_traits/hw/cpu/amd.py +++ b/os_traits/hw/cpu/amd.py @@ -14,6 +14,18 @@ TRAITS = [ - # ref: https://developer.amd.com/sev/ + # ref: https://docs.openstack.org/os-traits/latest/contributor/index.html#trait-lifecycle-policy # noqa + # NOTE(kchamart): This file is deprecated. The 'SEV' trait is + # AMD-only, so it is copied to hw/cpu/amd.py; it is retained here + # not to cause Placement breakage. All AMD-only traits are being + # tracked under: hw/cpu/x86/amd.py. And the traits common to both + # AMD _and_ Intel are being tracked here: hw/cpu/x86/__init__.py. + # + # NOTE(aspiers): This trait was never used for anything, since the + # first bit of SEV code to use an SEV trait will land after this + # https://review.opendev.org/#/c/638680/ which has an explicit + # 'Depends-On' against the change I1c9a72d19ef ("hw: cpu: Rework the + # directory layout; add missing traits"), and is actually blocked + # until I1c9a72d19ef merges *and* gets released. 'SEV', ] 
diff --git a/os_traits/hw/cpu/x86.py b/os_traits/hw/cpu/x86/__init__.py similarity index 62% rename from os_traits/hw/cpu/x86.py rename to os_traits/hw/cpu/x86/__init__.py index 895c0b3..d8c3d9a 100644 --- a/os_traits/hw/cpu/x86.py +++ b/os_traits/hw/cpu/x86/__init__.py @@ -59,7 +59,27 @@ TRAITS = [ # ref: https://en.wikipedia.org/wiki/Advanced_Synchronization_Facility 'ASF', # ref: https://en.wikipedia.org/wiki/VT-x + # NOTE(kchamart): The 'VMX' trait is Intel-only, and does not belong + # in this file (which is supposed to be a "common" file for all + # x86-related). But we need to retain it here forever to not cause + # Placement breakage. 'VMX', # ref: https://en.wikipedia.org/wiki/AMD-V + # NOTE(kchamart): The 'SVM' trait is AMD-only, and does not belong + # in this "common" file. But we need to retain it here forever to + # not cause Placement breakage. 'SVM', + # ref: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi + # Recommended to allow guest OS to use 1 GB size memory pages. Not + # included by default in any of the Intel and AMD CPU models. So + # this should be explicitly turned on for all Intel and AMD CPU + # models. + 'PDPE1GB', + # ref: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi + # Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in + # some operating systems. This flag must be explicitly turned on + # for *all* Intel and AMD CPU models. (Prerequisite: host CPU + # microcode needs to support this feature before it can be used for + # guest CPUs). + 'STIBP', ] diff --git a/os_traits/hw/cpu/x86/amd.py b/os_traits/hw/cpu/x86/amd.py new file mode 100644 index 0000000..2137189 --- /dev/null +++ b/os_traits/hw/cpu/x86/amd.py 
@@ -0,0 +1,27 @@ +# -*- coding: utf-8 -*- + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +TRAITS = [ + # ref: http://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html # noqa + 'SEV', + # ref: https://en.wikipedia.org/wiki/AMD-V + 'SVM', + # ref: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi + # (Important CPU features for AMD x86 hosts) + 'IBPB', + 'NO_SSB', + 'SSBD', + 'VIRT_SSBD', +] diff --git a/os_traits/hw/cpu/x86/intel.py b/os_traits/hw/cpu/x86/intel.py new file mode 100644 index 0000000..11097d5 --- /dev/null +++ b/os_traits/hw/cpu/x86/intel.py 
@@ -0,0 +1,27 @@ +# -*- coding: utf-8 -*- + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +TRAITS = [ + # Required as mitigation for "MDS" (Microarchitectural Data + # Sampling) security flaws + 'MD_CLEAR', + # ref: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi + # (Important CPU features for Intel x86 hosts) + 'PCID', + 'SPEC_CTRL', + 'SSBD', + # ref: https://en.wikipedia.org/wiki/VT-x + 'VMX', +]
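
Review bot: In the os_traits/hw/cpu/amd.py hunk, the NOTE(kchamart) comment says the 'SEV' trait "is copied to hw/cpu/amd.py", which is the file being edited; the following sentence and the commit message both give the new location as hw/cpu/x86/amd.py, so the first path should be corrected to match. The hunk also deletes the `# ref: https://developer.amd.com/sev/` line, leaving the deprecated entry with only the lifecycle-policy link; keeping the SEV reference alongside it would let a reader of this file still see what the trait refers to.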
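
Review bot: In the os_traits/hw/cpu/x86/__init__.py hunk, the NOTE(kchamart) comments on 'VMX' and 'SVM' say each trait does not belong in the common file but never name the vendor file that now carries the copy (x86/intel.py and x86/amd.py in this patch), and they do not say "deprecated" even though the commit message describes these entries as copied and deprecated. Suggest adding the new path and the word "deprecated" to both comments, in the same way the note in hw/cpu/amd.py points at hw/cpu/x86/amd.py. Separately, the 'PDPE1GB' and 'STIBP' comments are phrased as guest CPU model advice ("must be explicitly turned on"); a sentence on what reporting the trait asserts about the host would make the "host CPU microcode" prerequisite on 'STIBP' easier to act on.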
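
Review bot: In the new os_traits/hw/cpu/x86/amd.py, the four entries 'IBPB', 'NO_SSB', 'SSBD' and 'VIRT_SSBD' share a single parenthetical ("Important CPU features for AMD x86 hosts") with no indication of which flaw each one mitigates, whereas 'STIBP' in x86/__init__.py names Spectre v2 (CVE-2017-5715) directly. Since the stated motivation is to expose mitigation flags as traits, a one-line comment per trait saying what it mitigates would let an operator choose a trait without opening the QEMU document. The file also repeats 'SVM' from x86/__init__.py and 'SEV' from hw/cpu/amd.py; a short comment noting that these are the replacements for the retained entries would make the duplication read as intentional.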
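
Review bot: In the new os_traits/hw/cpu/x86/intel.py, 'SSBD' is listed as an Intel-only trait while the same name is also added to x86/amd.py in this patch; by the layout the commit message sets out, a trait that applies to both vendors belongs in x86/__init__.py. Either move it to the common file or add a comment explaining why it is tracked per vendor. The 'MD_CLEAR' entry is also the only mitigation trait here without a `# ref:` line, and 'PCID' and 'SPEC_CTRL' have no description of their own; adding a reference and a one-line purpose for each would match the 'STIBP' comment in the common file.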