[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 for-4.15] x86/msr: introduce an option for compatible MSR behavior selection


  • To: Roger Pau Monne <roger.pau@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 9 Mar 2021 19:13:26 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JfO6ef3wgV/TbuhMnJL6aV6osA8DxyC8z9uW1C6WK+Y=; b=Hk9J7KovVzqdiGKPl0FSP9vKVw5jmHVm+sXbFi+QXkHz7uZlLEeM2CCPFuW47qLO2B+zwbMUs7bygc5UK4/G8OkewIlqGVtPH0Tz8PQV9VWvm4Cd/hP0+3UDN4QyTFlGjZLp3hy2ReTD+wKW8fDItYhmLPIXuUl72bPy8HuxxQlea1lXHldJRM9tr/WTT7KycJo0xruSeIRWtWut/dYSFvKyr8QXIvYGS3EiMxYuAYWA5dkdA2ICGcUbyivioXC2f0soGLr4H5JCWEGTq3nGBWES1BHdaYeGJPQs0D8U62reKM/M2cZqhawp/w/xIwZQzBcpxeh0TmfuNBKM3/NdDQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jPbjplJdwLL8w4B8uJRzEMlWKtmBstzrE98T4fj1l4iZvJh8MJLnB5WParKZpoNBVaVSyQF3cvSocb9yHEXP69KcoVKCTuCHERX1b3pViPg0WpWIgDjJKjk8qqm1Fbt8UWy80aoGuAf1XuxLDyOLsE8V86a5zRaBpacM223wydBK942pXlmbNSx+RFJZhkyPTbumOK0zoBdeIfRCPQtrfsqwlwVe0cPC+C9CGOUM2gags86quq7XZbhghGTNQX1KhL55kFVlEXJpyROjmVPD83rBeBAySlH3KyADE+K011n0OfMOn1vCxQPT3/XmJ6ugTGLqMIVsdDbmvxBW2VizRg==
  • Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
  • Delivery-date: Tue, 09 Mar 2021 19:14:12 +0000
  • Ironport-sdr: bjq88UMO4fEqz0qyNMaqW6uBk0fQUEXWI/QedXLDZAMuaC3N4O3XII36aoYpD26RqczYEF/GLl dSt9Hi6W+a/PeyIzmv01anGTmC8PGPMBF2+rDdqQcK/mBRzR1xCBDeUq4/uFzZNQacuGd08MKQ XXAaBXPACbWVGf+IDYdIrnugCMKF+dNkhKsgSjL3fNLx5jTkBD51brhLgOKgHSHhlgYzvH7sme htGe5mIh1ArhVaD5OGPuI9Xxc1cbEJ9/EWRUvetfge9He4foRKNU38TP/fE+1hT4n2FlMsJOBc n/4=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 09/03/2021 10:56, Roger Pau Monne wrote:
> Introduce an option to allow selecting a behavior similar to the pre
> Xen 4.15 one for accesses to MSRs not explicitly handled. Since commit
> 84e848fd7a162f669 and 322ec7c89f6640e accesses to MSRs not explicitly
> handled by Xen result in the injection of a #GP to the guest. This
> is a behavior change since previously a #GP was only injected if
> accessing the MSR on the real hardware would also trigger a #GP, or if
> the attempted to be set bits wouldn't match the hardware values (for
> PV).
>
> This seems to be problematic for some guests, so introduce an option
> to fallback to this kind of legacy behavior without leaking the
> underlying MSR values to the guest.
>
> When the option is set, for both PV and HVM don't inject a #GP to the
> guest on MSR read if reading the underlying MSR doesn't result in a
> #GP, do the same for writes and simply discard the value to be written
> on that case.
>
> Note that for guests restored or migrated from previous Xen versions
> the option is enabled by default, in order to keep a compatible
> MSR behavior. Such compatibility is done at the libxl layer, to avoid
> higher-level toolstacks from having to know the details about this flag.
>
> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thankyou for doing this.  By and large, Reviewed-by: Andrew Cooper
<andrew.cooper3@xxxxxxxxxx>, subject to some pandoc syntax fixes below.

However, I think it is worth saying explicitly that the reasons behind
the changes in 84e848fd7a162f669 and 322ec7c89f6640e (not leaking
hardware MSRs, and not breaking #GP-probing) are still legitimate, and
this influences the change in behaviour between msr_relaxed and 4.14
(i.e. read-as-zero rather than leaking).

> diff --git a/docs/misc/xen-command-line.pandoc 
> b/docs/misc/xen-command-line.pandoc
> index 4737c92bfe..6cf61a5c57 100644
> --- a/docs/misc/xen-command-line.pandoc
> +++ b/docs/misc/xen-command-line.pandoc
> @@ -740,7 +740,7 @@ Specify the bit width of the DMA heap.
>  
>  ### dom0
>      = List of [ pv | pvh, shadow=<bool>, verbose=<bool>,
> -                cpuid-faulting=<bool> ]
> +                cpuid-faulting=<bool>, msr-relaxed=<bool> ]
>  
>      Applicability: x86
>  
> @@ -789,6 +789,21 @@ Controls for how dom0 is constructed on x86 systems.
>      restore the pre-4.13 behaviour.  If specifying `no-cpuid-faulting` fixes
>      an issue in dom0, please report a bug.
>  
> +*   msr-relaxed: Select whether to use a relaxed behavior for accesses to 
> MSRs
> +    not explicitly handled by Xen instead of injecting a #GP to dom0.
> +    Such access mode will force Xen to replicate the behavior from the 
> hardware
> +    it's currently running on in order to decide whether a #GP is injected to
> +    dom0 for MSR reads.  Note that dom0 is never allowed to read the value of
> +    unhandled MSRs, this option only changes whether a #GP might be injected
> +    or not.  For writes a #GP won't be injected as long as reading the
> +    underlying MSR doesn't result in a #GP.

I don't find this overly clear to follow, and it also misses stating the
default explicitly.  How about:

---8<---
The `msr-relaxed` boolean is an interim option, and defaults to false.

In Xen 4.15, the default behaviour for unhandled MSRs has been changed,
to avoid leaking host data into guests, and to avoid breaking guest
logic which uses \#GP probing to identify the availability of MSRs.

However, this new stricter behaviour has the possibility to break
guests, and a more 4.14-like behaviour can be selected by specifying
`dom0=msr-relaxed`.

If using this option is necessary to fix an issue, please report a bug.
---8<---

Other pending Sphinx work is drawing together the "how to contact us"
information, so the various "please report a bug"s through this document
will turn into links.

> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 23bbb6e8c1..d217c223b0 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -749,6 +749,7 @@ static struct domain *__init create_dom0(const module_t 
> *image,
>          .max_grant_frames = -1,
>          .max_maptrack_frames = -1,
>          .max_vcpus = dom0_max_vcpus(),
> +        .arch.domain_flags = opt_dom0_msr_relaxed ? XEN_X86_MSR_RELAXED : 0,

Can I request

.arch = {
    .domain_flags = opt_dom0_msr_relaxed ? XEN_X86_MSR_RELAXED : 0,
},

please, to reduce the patch complexity of further additions inside .arch.

> diff --git a/xen/include/public/arch-x86/xen.h 
> b/xen/include/public/arch-x86/xen.h
> index 629cb2ba40..f9d0e33b94 100644
> --- a/xen/include/public/arch-x86/xen.h
> +++ b/xen/include/public/arch-x86/xen.h
> @@ -304,6 +304,14 @@ struct xen_arch_domainconfig {
>                                       XEN_X86_EMU_PIT | XEN_X86_EMU_USE_PIRQ 
> |\
>                                       XEN_X86_EMU_VPCI)
>      uint32_t emulation_flags;
> +
> +/*
> + * Select whether to use a relaxed behavior for accesses to MSRs not 
> explicitly
> + * handled by Xen instead of injecting a #GP to the guest. Note this option
> + * doesn't allow the guest to read or write to the underlying MSR.
> + */
> +#define XEN_X86_MSR_RELAXED (1u << 0)
> +    uint32_t domain_flags;

The domain prefix is somewhat redundant, given the name of the structure
or the hypercall it is used for.  OTOH, 'flags' on its own probably
isn't ok.  Thoughts on misc_flags?

~Andrew




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.