[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2][4.15?] x86/shadow: suppress "fast fault path" optimization when running virtualized

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 8 Mar 2021 14:47:03 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e4GaBLhRKn0ImMER2Gu5f4y+Opc7r9KicYRYk/z1cfk=; b=hXaxvWMqoNGwG17XCFlgcwSffHhE8A/xz5JfgFKq70STtYnLjpre/ZvIdVbjgsVXNEZtU3bJVF23WJjJxbNaunH2rSFjnBejXkdIM59LcWH8ZpR/jy/wNINbgMXneDVuD/hyjdyunZhe8J+BLzEm8CczH7hqeoJnblDdU+3MwFMG/4971UwiFvp8wBAx5c7iVv0Khq5MmSA8mrpQSBKqUD/fCs5UR0up/v0WFKTrPgNBwf2LSfvrR+V33UWhO4e4qU0Fkh0yBVLa5w01YWxkhpVD0Qv0MINZTGAugqCE7VKC04CB66ktRFMxZvTcsWfyWUOGu79jJs+xihz2X+PFiA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T3LTbmjZL2gpK5K6NmRPLsp+nCez1K94tLIp6a1686hPonmsnr9zLf+Ela04kdfaHf3vRm4kF6a3QKEOba5j+iYU8dR48q0k/S+o0jxw0/ShQR3qbCGUNL6LTEWGoKd6JtHTQQVwrt+IrCWPaBfce+J9p0z26Wj8tN33aEQZOgg/qNGaB7Z4TvYQm61fV08iL2YglfxAlQRw52ShpOQZw+7jPMPqJ+JDDsI6jM0G9Hx4e49BliGEbS/5iS8dww6ZW2ClH76gVHa8yPvRfNHE5G6v3s8t3TEgCIH7CEqzshhKsXJLgCWVW2MyBchUuzMsY3XKxvbpJ+tWiZse1tO8Mw==
  • Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>
  • Delivery-date: Mon, 08 Mar 2021 14:47:34 +0000
  • Ironport-sdr: EXBsyg/ePDMnJH5t3evzpqmz54fMtiTQpAj+ifj2RBJ0KjkOGqK2CYpK1he6KnQtEan+TGE9QF vO1PAybi6pvD5xgnV5XQL49AudPuSx80gWRkX9ESK+6XFScPaYjpfa3icoki1teHPPuW74COps T7guhze9ZhVZEwnuVPBr3j37VZFwE4HSAS5DeeXpDYxH5RBXboklnCsQdHSpABi97vjnOALL0u G3+9HzIsGQIe1uT0PFtfLnRFobXNYuhSGoXj9a4AQ7T9FUQqzfue9V1lKRTxurGIaQVCeHOY54 YLo=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 08/03/2021 14:29, Jan Beulich wrote:
> On 08.03.2021 14:59, Andrew Cooper wrote:
>> On 08/03/2021 13:51, Jan Beulich wrote:
>>> On 08.03.2021 14:47, Andrew Cooper wrote:
>>>> On 08/03/2021 09:25, Tim Deegan wrote:
>>>>> At 16:37 +0100 on 05 Mar (1614962224), Jan Beulich wrote:
>>>>>> We can't make correctness of our own behavior dependent upon a
>>>>>> hypervisor underneath us correctly telling us the true physical address
>>>>>> with hardware uses. Without knowing this, we can't be certain reserved
>>>>>> bit faults can actually be observed. Therefore, besides evaluating the
>>>>>> number of address bits when deciding whether to use the optimization,
>>>>>> also check whether we're running virtualized ourselves.
>>>>>>
>>>>>> Requested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>> Acked-by: Tim Deegan <tim@xxxxxxx>
>>>>>
>>>>> I would consider this to be a bug in the underlying hypervisor, but I
>>>>> agree than in practice it won't be safe to rely on it being correct.
>>>> I'd argue against this being a hypervisor bug.  If anything, it is a
>>>> weakness in how x86 virtualisation works.
>>>>
>>>> For booting on a single host, then yes - vMAXPHYSADDR really ought to be
>>>> the same as MAXPHYSADDR, and is what happens in the common case.
>>>>
>>>> For booting in a heterogeneous pool, the only safe value is the min of
>>>> MAXPHYSADDR across the resource pool.  Anything higher, and the VM will
>>>> malfunction (get #PF[rsvd] for apparently-legal PTEs) on the smallest
>>>> pool member(s).
>>> Except that min isn't safe either - the guest may then expect reserved
>>> bit faults where none surface.
>> Such a guest is buggy, and in clear violation of the rules set out in
>> the architecture.  All reserved behaviour is subject to change in the
>> future.
>>
>> Any software (Xen included) deliberately choosing to depend on the
>> specifics of reserved behaviour, get to keep all resulting pieces.
> While I could understand what you're saying when considering our
> prior unconditional relying on getting reserved bit faults, are you
> suggesting the recently adjusted behavior is still "in clear
> violation of the rules set out in the architecture"? And hence are
> you suggesting we should have outright dropped that optimization?

Strictly speaking, we shouldn't use reserved bits at all.  That is the
most compatible option available.

Given that we have chosen to use reserved bits, it is our responsibility
for ensuring that they are safe to use.  That is why we elect not to use
them when virtualised (for this bug), or on native when we think they
won't work (the previous change for IceLake).

>From that point of view, I think we're fine.  We're (knowingly)
operating outside of the rules, and now taking appropriate precautions
to cover the corner cases we are aware of.

The behaviour of already-shipped CPUs, while not architecturally
guarenteed, is known and can reasonably be depended upon.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.