On 9/16/25 11:47 AM, Gautam Menghani wrote:
Currently, on a P10 KVM guest, the mitigations seen in the output of
"lscpu" command are different from the host. The reason for this
behaviour is that when the KVM guest makes the "h_get_cpu_characteristics"
hcall, QEMU does not consider the data it received from the host via the
KVM_PPC_GET_CPU_CHAR ioctl, and just uses the values present in
spapr->eff.caps[], which in turn just contain the default values set in
spapr_machine_class_init().

Fix this behaviour by making sure that h_get_cpu_characteristics()
returns the data received from the KVM ioctl for a KVM guest.

Mitigation status seen in lscpu output:
1. P10 LPAR (host)
$ lscpu | grep -i mitigation
Vulnerability Spectre v1:             Mitigation; __user pointer sanitization, 
ori31 speculation barrier enabled
Vulnerability Spectre v2:             Mitigation; Software count cache flush 
(hardware accelerated), Software link stack flush

<snip>

[1]: https://ozlabs.org/~anton/junkcode/null_syscall.c

Signed-off-by: Gautam Menghani <[email protected]>
---
v1 -> v2:
Handle the case where KVM_PPC_GET_CPU_CHAR ioctl fails

v2 -> v3:
Add the lscpu output in the patch description

v3 -> v4:
Fix QEMU CI build failure

  hw/ppc/spapr_hcall.c | 10 ++++++++++
  target/ppc/kvm.c     | 27 +++++++++++++++++++--------
  target/ppc/kvm_ppc.h |  1 +
  3 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/hw/ppc/spapr_hcall.c b/hw/ppc/spapr_hcall.c
index 1e936f35e4..7d695ffc93 100644
--- a/hw/ppc/spapr_hcall.c
+++ b/hw/ppc/spapr_hcall.c
@@ -1415,6 +1415,16 @@ static target_ulong h_get_cpu_characteristics(PowerPCCPU 
*cpu,
      uint8_t count_cache_flush_assist = spapr_get_cap(spapr,
                                                       SPAPR_CAP_CCF_ASSIST);
+ #ifdef CONFIG_KVM
+    struct kvm_ppc_cpu_char c = kvmppc_get_cpu_chars();

Calling kvmppc_get_cpu_char() before kvm_enabled() below looks counterintuitive. Maybe move it inside and handle the error checks accordingly. I don't see any side effects of it here in this patch though.

Thanks,

Shivaprasad

+
+    if (kvm_enabled() && c.character) {
+        args[0] = c.character;
+        args[1] = c.behaviour;
+        return H_SUCCESS;
+    }
+    #endif
+
      switch (safe_cache) {
      case SPAPR_CAP_WORKAROUND:
          characteristics |= H_CPU_CHAR_L1D_FLUSH_ORI30;
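Review bot: the early-return path in this hunk keys on `c.character` being non-zero to decide whether the KVM data is usable, so a host that legitimately reports zero characteristics, or an ioctl failure that leaves the struct zeroed, silently falls back to the spapr->eff.caps[] defaults with no indication to the guest or the log; the v1 -> v2 changelog says the ioctl-failure case is handled, but that handling is not visible here, so consider moving the `kvmppc_get_cpu_chars()` call inside `if (kvm_enabled())` and returning or logging a distinct failure instead of treating a zero field as "no data". Two smaller points: the preprocessor directives are indented (`+ #ifdef CONFIG_KVM` and `+    #endif`) and should sit at column 0, and the return before `switch (safe_cache)` means the user-visible spapr caps (safe_cache, count_cache_flush_assist and friends computed just above) no longer shape the reply under KVM; if that is the intent, as the commit message suggests, a one-line comment at the `return H_SUCCESS;` saying the host values take precedence would save the next reader the question.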
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index 015658049e..28dcf62f58 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -93,6 +93,7 @@ static int cap_fwnmi;
  static int cap_rpt_invalidate;
  static int cap_ail_mode_3;
  static int cap_dawr1;
+static struct kvm_ppc_cpu_char cpu_chars = {0};
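Review bot: the `= {0}` initializer on `static struct kvm_ppc_cpu_char cpu_chars` is redundant, since objects with static storage duration are zero-initialized by the C standard; dropping it keeps the declaration consistent with the neighbouring `static int cap_*` lines, which carry no initializer.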
<snip>
