Xen project Mailing List

Re: [Xen-devel] [PATCH v1] x86/mm: Suppresses vm_events caused by page-walks

To: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 27 Aug 2018 14:02:19 +0100

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Andrei LUTAS <vlutas@xxxxxxxxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, xen-devel@xxxxxxxxxxxxx, aisaila@xxxxxxxxxxxxxxx

Delivery-date: Mon, 27 Aug 2018 13:02:55 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 27/08/18 13:53, Razvan Cojocaru wrote: > On 8/27/18 3:37 PM, Andrew Cooper wrote: >> On 27/08/18 13:12, Jan Beulich wrote: >>>>> For NPT, isn't there an error code bit telling you whether the >>>>> request was a user or "system" one? If not, some cheating >>>>> would be needed (derive from CPL, accepting that e.g. >>>>> descriptor table accesses would get mis-attributed), but >>>>> that's still not going to involve looking at the PTE flags. >>>> The alternative would be to simply walk (without enforcing any flags, >>>> and so making the pfec walk parameter unnecessary) to the respective >>>> address, and query for _PAGE_ACCESSED and _PAGE_DIRTY only. >>>> >>>> If _PAGE_ACCESSED is not set, set it and exit. >>>> If _PAGE_ACCESSED is set, set _PAGE_DIRTY also and exit. >>> Since it's ambiguous in the NPT case - are you talking about >>> setting the flags in the guest or host page tables? The >>> former, I'm afraid, might not be acceptable (as not always >>> being architecturally correct). In anyway feels as if we'd >>> been here before, in that this reminds me of you meaning >>> to imply from a second walk (with A already set) that it must >>> be a write access. I thought we had settled on such an >>> implication not being generally correct. >> The problem that is trying to be solved is that when operating in >> non-root mode, the cpu pagewalk, when trying to set a guest A/D bit in a >> write-protected EPT page, takes an EPT violation for a write to a >> read-only page. >> >> Manually setting the A/D bits (as appropriate) and restarting the >> instruction is sufficient for it to complete correctly. >> >> At the moment, every time this happens, a request is sent to the >> introspection agent, and the agent calculates that it was due to >> pagetable protection, and instructs Xen to emulate the instruction. >> This accounts for 97% (?) of the VMExits, and is unrelated to any of the >> real protections which introspection is trying to achieve. >> >> What Razvan is looking to do is to have Xen skip the "send to the >> introspection agent" part as an optimisation, because hardware tells Xen >> (as part of the VMExit) when this condition has occurred, and the >> vm_event logic has already asked Xen to try and fix up this condition >> automatically. >> >> What can actually be done depends on how A/D bits behave in real hardware. >> >> Setting access bits for non-leaf entries is definitely fine, and >> speculatively setting the access bit is also explicitly permitted by the >> spec. However, I can't find any comment on speculative dirty bits (from >> either Intel or AMD), and I've not encountered such a behaviour with the >> pagetable work I've been doing. > Thanks for the reply! > > I've forgotten a piece of information that I really should have written > here: we would only set the D bit if A is already set and either the > page is writable (has _PAGE_RW set) or CR0.WP is 0 (the latter case is > admittedly more tricky). How about a new function which works similarly to guest-walk-tables, but only ever sets A/D bits. Given information from hardware, we know the linear address, and that it was a problem with the guest pagetables, from which we explicitly know that it was from writing an A/D bit to a guest PTE. While walking down the levels, set any missing A bits and remember if we set any. If we set A bits, consider ourselves complete and exit back to the guest. If no A bits were set, and the access was a write (which we know from the EPT violation information), then set the leaf D bit. This should be architecturally correct as it is exclusively derived from information provided by the VMExit, and won't cause dirty bits to be written in cases where the hardware wouldn't have written them (speculative or otherwise). It does mean that an instruction which would need to set A and D bits in the walk will take two EPT violations to achieve the end result, but it probably is still quicker than sending the vm_event out. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.