[cpuid] properly mask out all AVX-512 features

Before we were only masking AVX-512 features found on a Broadwell.
We should disable all know AVX-512 features to make sure that when
moving to a newer x86_64 platform the c3 & t2 templates are still
showing the same features.

Also set the xsave area size to 0 for AVX-512 instructions.

Signed-off-by: Andreea Florescu <[email protected]>

Author: andreeaflorescu

cpuid/src/cpu_leaf.rs

@@ -129,37 +129,59 @@ pub mod leaf_0x7 {
             pub const RDT_A_SHIFT: u32 = 15;
             // AVX-512 Foundation instructions
             pub const AVX512F_SHIFT: u32 = 16;
+            // AVX-512 Doubleword and Quadword Instructions
+            pub const AVX512DQ_SHIFT: u32 = 17;
             pub const RDSEED_SHIFT: u32 = 18;
             pub const ADX_SHIFT: u32 = 19;
             // 20 = SMAP (Supervisor-Mode Access Prevention)
-            // 21 & 22 reserved
+            // AVX512IFMA = AVX-512 Integer Fused Multiply-Add Instructions
+            pub const AVX512IFMA_SHIFT: u32 = 21;
+            // 21 = PCOMMIT intruction
             // 23 = CLFLUSH_OPT (flushing multiple cache lines in parallel within a single logical processor)
             // 24 = CLWB (Cache Line Write Back)
             // PT = Intel Processor Trace
             pub const PT_SHIFT: u32 = 25;
-            // AVX512CD = AVX512 Conflict Detection
+            // AVX512PF = AVX512 Prefetch Instructions
+            pub const AVX512PF_SHIFT: u32 = 26;
+            // AVX512ER = AVX-512 Exponential and Reciprocal Instructions
+            pub const AVX512ER_SHIFT: u32 = 27;
+            // AVX512CD = AVX-512 Conflict Detection Instructions
             pub const AVX512CD_SHIFT: u32 = 28;
             // Intel Secure Hash Algorithm Extensions
             pub const SHA_SHIFT: u32 = 29;
-            // 30 - 32 reserved
+            // AVX-512 Byte and Word Instructions
+            pub const AVX512BW_SHIFT: u32 = 30;
+            // AVX-512 Vector Length Extensions
+            pub const AVX512VL_SHIFT: u32 = 31;
         }
 
         pub mod ecx {
             // 0 = PREFETCHWT1 (move data closer to the processor in anticipation of future use)
-            // 1 = reserved
+            // AVX512_VBMI = AVX-512 Vector Byte Manipulation Instructions
+            pub const AVX512_VBMI_SHIFT: u32 = 1;
             // 2 = UMIP (User Mode Instruction Prevention)
             // 3 = PKU (Protection Keys for user-mode pages)
             // 4 = OSPKE (If 1, OS has set CR4.PKE to enable protection keys)
-            // 5- 16 reserved
+            // 5 = WAITPKG
+            // 7-6 reserved
+            // 8 = GFNI
+            // 13-09 reserved
+            // AVX512_VPOPCNTDQ = Vector population count instruction (Intel® Xeon Phi™ only.)
+            pub const AVX512_VPOPCNTDQ_SHIFT: u32 = 14;
             // 21 - 17 = The value of MAWAU used by the BNDLDX and BNDSTX instructions in 64-bit mode.
-            pub const RDPID_SHIFT: u32 = 22; // Read Processor ID
-                                             // 23 - 29 reserved
-                                             // SGX_LC = SGX Launch Configuration
+            // Read Processor ID
+            pub const RDPID_SHIFT: u32 = 22;
+            // 23 - 29 reserved
+            // SGX_LC = SGX Launch Configuration
             pub const SGX_LC_SHIFT: u32 = 30;
             // 31 reserved
         }
 
         pub mod edx {
+            // AVX-512 4-register Neural Network Instructions
+            pub const AVX512_4VNNIW_SHIFT: u32 = 2;
+            // AVX-512 4-register Multiply Accumulation Single precision
+            pub const AVX512_4FMAPS_SHIFT: u32 = 3;
             pub const ARCH_CAPABILITIES_BITINDEX: u32 = 29;
         }
     }
@@ -201,6 +223,17 @@ pub mod leaf_0xb {
     }
 }
 
+// Processor Extended State Enumeration Sub-leaves
+pub mod leaf_0xd {
+    pub const LEAF_NUM: u32 = 0xd;
+
+    pub mod eax {
+        use bit_helper::BitRange;
+
+        pub const AVX512_STATE_BITRANGE: BitRange = bit_range!(7, 5);
+    }
+}
+
 pub mod leaf_0x80000000 {
     pub const LEAF_NUM: u32 = 0x8000_0000;
 

cpuid/src/template/c3.rs

@@ -1,6 +1,7 @@
 // Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+use bit_helper::BitHelper;
 use cpu_leaf::*;
 use kvm_bindings::kvm_cpuid_entry2;
 
@@ -66,16 +67,34 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_M_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_A_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512F_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512DQ_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDSEED_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::ADX_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512IFMA_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::PT_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512PF_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512ER_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512CD_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::SHA_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512BW_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512VL_SHIFT);
 
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VBMI_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VPOPCNTDQ_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::RDPID_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::SGX_LC_SHIFT);
+
+                    entry.edx &= !(1 << leaf_0x7::index0::edx::AVX512_4VNNIW_SHIFT);
+                    entry.edx &= !(1 << leaf_0x7::index0::edx::AVX512_4FMAPS_SHIFT);
                 }
             }
+            leaf_0xd::LEAF_NUM => {
+                // AVX-512 instructions are masked out with the C3 template so the size in bytes
+                // of the save area should be 0 (or invalid).
+                entry
+                    .eax
+                    .write_bits_in_range(&leaf_0xd::eax::AVX512_STATE_BITRANGE, 0);
+            }
             leaf_0x80000001::LEAF_NUM => {
                 entry.ecx &= !(1 << leaf_0x80000001::ecx::PREFETCH_SHIFT);
                 entry.ecx &= !(1 << leaf_0x80000001::ecx::LZCNT_SHIFT);

cpuid/src/template/t2.rs

@@ -1,6 +1,7 @@
 // Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+use bit_helper::BitHelper;
 use cpu_leaf::*;
 use kvm_bindings::kvm_cpuid_entry2;
 
@@ -59,16 +60,34 @@ pub fn set_cpuid_entries(entries: &mut [kvm_cpuid_entry2]) {
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_M_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDT_A_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512F_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512DQ_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::RDSEED_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::ADX_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512IFMA_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::PT_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512PF_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512ER_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512CD_SHIFT);
                     entry.ebx &= !(1 << leaf_0x7::index0::ebx::SHA_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512BW_SHIFT);
+                    entry.ebx &= !(1 << leaf_0x7::index0::ebx::AVX512VL_SHIFT);
 
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VBMI_SHIFT);
+                    entry.ecx &= !(1 << leaf_0x7::index0::ecx::AVX512_VPOPCNTDQ_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::RDPID_SHIFT);
                     entry.ecx &= !(1 << leaf_0x7::index0::ecx::SGX_LC_SHIFT);
+
+                    entry.edx &= !(1 << leaf_0x7::index0::edx::AVX512_4VNNIW_SHIFT);
+                    entry.edx &= !(1 << leaf_0x7::index0::edx::AVX512_4FMAPS_SHIFT);
                 }
             }
+            leaf_0xd::LEAF_NUM => {
+                // AVX-512 instructions are masked out with the T2 template so the size in bytes
+                // of the save area should be 0 (or invalid).
+                entry
+                    .eax
+                    .write_bits_in_range(&leaf_0xd::eax::AVX512_STATE_BITRANGE, 0);
+            }
             leaf_0x80000001::LEAF_NUM => {
                 entry.ecx &= !(1 << leaf_0x80000001::ecx::PREFETCH_SHIFT);
                 entry.edx &= !(1 << leaf_0x80000001::edx::PDPE1GB_SHIFT);

tests/integration_tests/functional/test_cpu_features.py

@@ -301,3 +301,46 @@ def test_brand_string(test_microvm_with_ssh, network_config):
             expected_guest_brand_string += " @ " + mo.group(0)
 
     assert guest_brand_string == expected_guest_brand_string
+
+
+@pytest.mark.skipif(
+    platform.machine() != "x86_64",
+    reason="AVX features are only available on x86_64"
+)
+@pytest.mark.parametrize("cpu_template", ["T2", "C3"])
+def test_avx_disabled(test_microvm_with_ssh, network_config, cpu_template):
+    """Check that AVX2 & AVX512 instructions are disabled.
+
+    This is a rather dummy test for checking that no AVX2 or AVX512
+    instructions are exposed. It is a first step into checking the t2 & c3
+    templates. In a next iteration we should check **all** cpuid entries, not
+    just the AVX family instructions. We can achieve this with a template
+    containing all features on a t2/c3 instance and check that the cpuid in
+    the guest is an exact match of the template.
+    """
+    test_microvm = test_microvm_with_ssh
+    test_microvm.spawn()
+
+    test_microvm.basic_config(vcpu_count=1)
+    # Set the template to T2.
+    response = test_microvm.machine_cfg.put(
+        vcpu_count=1,
+        mem_size_mib=256,
+        ht_enabled=False,
+        cpu_template=cpu_template,
+    )
+    assert test_microvm.api_session.is_status_no_content(response.status_code)
+    _tap, _, _ = test_microvm.ssh_network_config(network_config, '1')
+    test_microvm.start()
+
+    ssh_connection = net_tools.SSHConnection(test_microvm.ssh_config)
+    guest_cmd = "cat /proc/cpuinfo | grep 'flags' | head -1"
+    _, stdout, stderr = ssh_connection.execute_command(guest_cmd)
+    assert stderr.read().decode("utf-8") == ''
+
+    cpu_flags_output = stdout.readline().decode('utf-8').rstrip()
+    # On C3 there's no AVX2. Check that it is masked out.
+    if cpu_template == "C3":
+        assert not "avx2" in cpu_flags_output
+    # Check that AVX-512 is masked out with both C3 and T2 templates
+    assert not "avx512" in cpu_flags_output