[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 for-4.15] x86/msr: introduce an option for HVM relaxed rdmsr behavior


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 5 Mar 2021 10:15:24 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=STPnH53ZsQpCKQ9ZN7EFp5JtlTRdLtQXi0k0FIJDNpo=; b=cqKuR8tDSbVQSUhiF6KVymWMf6ketbN2Z8WRMWFiqek/+/4rQENX9GX4z5GribYRUwtZoo3nflB/2w7BYLxsdjzLMWrULfwejkaFNsGOEX6T5u5giy150cWT7LVN7AwRofRo9vYbGpg+J92gZH9r/w0lM5gxKTI1sJohANdWzZBZQ3sh2GFY+QyJllynMBz04sFUO+3kBRfcmuKp5bMeXh2F4360rIaT53fgnbkkoElzn4YKT9usuloQEg4Fwenv9Egb4jI8msjXfXMJ4Vkq3No2P+rBAozeqhel+rHTtyRIxptduD+KcgyLTGqWxdjYUAYmSgD8l28dyh7iGwue1A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Jdvgrkap3HRD13M81sY20CQAkeQpBrzilcYQ+QF5s4WC+6fzZr+zUbhwOmOLpeJoUqyJyeGxEbSsb1Opsbog0b/KmaTbZVrAD2ZgTG7eB8WpjZPwHlucHOhBS1a1zCNlg45VnsiZHyQ/2OkqvKy24ANLomnkAzgb/a/aphSQXsSB+1Gz8rOiuhebl5H7hBfhNgqg13BFssBAGKK4LDVgeuvsV7vAp9XLdXqCM42Xq2IQJrcFtEcjG+wbZX9OJMRpBIW7ubtbqS9FhnDWprKcxLaMTHPxqYtoprSCMCTbqNatDOyLwQgM3FV5AOIBYKJRIiIkxXmDgc1DfeOz8Dhwhw==
  • Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, "Wei Liu" <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
  • Delivery-date: Fri, 05 Mar 2021 09:15:49 +0000
  • Ironport-sdr: WZxMw46G7MlCecjbeiNHYDAqKc1c6lUoLDWzfrO+zkb8wkmanAGwnZ5LYyy+fl4OAYfPryqXf1 brsdoNTHMYeVdWFlx3x2emwq3INhdjkp5qsCLBMm4+jmXCn/E1/Jdnls58k6geFg/Py+Bpvaww nRyVD4CmQAsYCK2p0sZpiyNKPftiHFNp1uG32Ji/xFAiRULK8mYihBOLLUiSME3hUf8DNSJWHH 2OVM56DUYgB2YH7yhW4cEfGReElebH2pAYovAiVOUY5QLEblxVNdmNH/Ekx8zBOpbthhsDyu0r H0w=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Mar 05, 2021 at 12:06:19AM +0000, Andrew Cooper wrote:
> On 04/03/2021 14:47, Roger Pau Monne wrote:
> > Introduce an option to allow selecting a less strict behaviour for
> > rdmsr accesses targeting a MSR not explicitly handled by Xen. Since
> > commit 84e848fd7a162f669 accesses to MSRs not explicitly handled by
> > Xen result in the injection of a #GP to the guest. This is a behavior
> > change since previously a #GP was only injected if accessing the MSR
> > on the real hardware will also trigger a #GP.
> >
> > This commit attempts to offer a fallback option similar to the
> > previous behavior. Note however that the value of the underlying MSR
> > is never leaked to the guest, as the newly introduced option only
> > changes whether a #GP is injected or not.
> >
> > Long term the plan is to properly handle all the MSRs, so the option
> > introduced here should be considered a temporary resort for OSes that
> > don't work properly with the new MSR policy. Any OS that requires this
> > option to be enabled should be reported to
> > xen-devel@xxxxxxxxxxxxxxxxxxxx.
> >
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > Changes since v1:
> >  - Only apply the option to HVM guests.
> >  - Only apply the special handling to MSR reads.
> >  - Sanitize the newly introduced flags field.
> >  - Print a warning message when the option is used.
> > ---
> > Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
> > ---
> > Boris, could you please test with Solaris to see if this fixes the
> > issue?
> >
> > I wonder whether we need to to enable this option by default for
> > guests being migrated from previous Xen versions? Maybe that's not
> > required as the option is helpful mostly for early boot I would
> > assume, afterwards an OS should already have the #GP handler setup
> > when accessing MSRs.
> 
> We know when building a domain whether it is a migrate or not, but don't
> recall any version information existing at an appropriate point in the
> migration stream to do this easily.
> 
> We can buffer the stream forward and peek at the libxc domain header,
> which does have the source hypervisor version, but that is going to be
> very invasive to implement.

I need to look at this more closely to have an opinion. Instead of
figuring out if the source version is older maybe we could add
something to the 4.15 stream in a suitable position to detect whether
the source is new enough?

> >
> > From a release PoV the biggest risk would be breaking some of the
> > existing MSR functionality. I think that's a necessary risk in order
> > to offer such fallback option, or else we might discover after the
> > release that guests that worked on Xen 4.14 don't work anymore in Xen
> > 4.15.
> 
> Much as I'd prefer not to have this, I agree with the sentiment that we
> should have an "emergency undo" which people can use, and carry it for
> at least a short while.
> 
> However, to be useful for the purpose of unbreaking VMs, it must change
> both the read and write behaviour, because both are potential
> compatibility concerns (without reintroducing the information leak).

I think I was confused here and assumed the previous behavior would
check the written value to match the current underlying value before
injecting a #GP. That's not the case.

I can expand this patch to include the write side, I just thought
having the rad side only would be enough to cover for the unhandled
MSRs accesses.

> 
> > ---
> >  docs/man/xl.cfg.5.pod.in          | 17 +++++++++++++++++
> >  tools/include/libxl.h             |  8 ++++++++
> >  tools/libs/light/libxl_types.idl  |  2 ++
> >  tools/libs/light/libxl_x86.c      |  4 ++++
> >  tools/xl/xl_parse.c               |  7 +++++++
> >  xen/arch/x86/domain.c             | 10 ++++++++++
> >  xen/arch/x86/hvm/svm/svm.c        |  6 ++++++
> >  xen/arch/x86/hvm/vmx/vmx.c        |  7 +++++++
> >  xen/include/asm-x86/hvm/domain.h  |  3 +++
> >  xen/include/public/arch-x86/xen.h |  8 ++++++++
> 
> This needs changes to the Ocaml bindings as well.  I guess I'll add that
> to the todo list.

Hm, would be better if someone else did those, as I don't know
anything about Ocaml. I can try however in the next version, maybe
it's trivial to add.

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.