Xen project Mailing List

Re: [PATCH 1/3] x86/hvm: Introduce experimental guest CET support

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 27 Apr 2021 18:39:21 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GP2X3wJy5OPcWXes3uQygbAiRP0GWy1p9/edshS9LOc=; b=k3luw9ihxQMfb+adWqUpaP9s8pZMACBTLD9LtaFHbUfHddbn7BY3HaO7DHfWhxzxIUYWsyJWUsic9w1NqotDy+yI/5rjiyIUFkUomsSIBZYh8oOa06a+p8MV4nILI/pTBuFRRgq37rYPpLDl5LSj5LoNtp8VrDyuvd/IawVs2Enox94tfKWer4XTwx49bPb1oQ1YuC4ToJKumh+Ih16H2B5AiD0U2dOVNfrR+BSFSt3pWhk4YWpVAqa417fySSRZqnQkV0y8SCPp4YiAturogKiqAihZyeerkiH9VBMdz2mq/DZr6yo+1kct0PNkoXPBS3AryF3MpHpa2cYxRdkaCQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CPAZtyJlVUTO7DAXboVJL80RS6/yJvbgk6WpJrLlmFqaJa7rnc+zrzu20pPNWEV+yL4xEnH+xSlown+/4ftmyPvFPq6HF32LtxCXZ5FnKiPJlxb318fgpAAd9BdFF1eEeuXZQ+O97hj5TtnbSjVBMfltaSg/b92AsMlW4o7sjww+l7x/QBkY/Lrb4jUrX401Xanc5PbN1ZsOWMzt0qOMjF6C7yLZ8mFZ1/Nq/C2NIZYbdjrhdhAFyIooT7qOi9gtqTzlpUmnKHW3NmggVOFsQpCT1Hg5uSlMMXy/uv9/Vxs4HRITvGCaLP1c2vL7qqR+0bels3DURWbKzgGTmuH2nA==

Authentication-results: esa5.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 27 Apr 2021 17:40:03 +0000

Ironport-hdrordr: A9a23:4lFleaDd0CIYcMLlHegdtMeALOonbusQ8zAX/mhLY1h8btGYm8 eynP4SyB/zj3IrVGs9nM2bUZPsfVr1zrQwxYUKJ7+tUE3duGWuJJx/9oeK+VfdMgXE3Kpm2a 9kGpIUNPTZB1J3lNu/xQG+HcopztXvytHSuc715R5WPGJXQotn6Bp0DRveN0VwShVPC5ZRLu vn2uNsoT28dXMLKvmqH3VtZZmPm/TntrLDJSQHCRku9RWUgVqThILSPhCE0n4lIlRy6Jg492 ytqW3Ez4Wl98q20xrNk1LUhq4m4OfJ7vtmKIiyhtMOKjPq4zzYKLhJf7GZpjg6rKWOxT8R4b /xiiwtNchy9H/dF1vdyXSC5yDa3Dkj8HPkw1OD6EGT2PDRfi4wCMZKmOtiA3nkwncgp9113e Zq2G+UpvNsfHf9tRn9/NTBWlVWkFO1qxMZ4IsupkFYOLF/VJZh6agkuG9FGpYJGyz3rKo9Fv N1Mc3a7PFKNXuHcnHwpABUsZKRd0V2Oi3DblkJu8ST3TQTtmt+1VEkyMsWmWpF3I4hSqND+/ /PPs1T5fBzZ/5TSZg4KPYKQMOxBGCIawnLKniuLVPuE7xCHH7RtZjt4vEQ6PuxcJIFiLs+8a 6xEG9whCoXQQbDGMeO1JpE/lTmW2OmRwngzclY+tx3obv5SL33MTCSSVwnnse6ys9vQPHzar KWAtZ7EvXjJWzhFcJixAvlQaRfLnEYTYkUt78AKhezi/OODrevmv3Qcf7VKraoOy0jQHnDDn wKWyW2IM1B60usS2LpmRS5YQKoRmXPubZLVITK9ekaz4YAcqdWtBIOtFi/7saXbTtYsqI3e0 N6KKj9kryyoHS3+Wqg1RQrBjNtSmJupJnwWXJDogEHd2nud6wYhtmZcWdOmGecKgRnVMPQGg 5Hr1Fx8aa6RqbgghwKOpaCCCa3nnETrHWFQ9MggaWF/97iYY59JI0hQrZNGQLCEAFVlQ5mpH xYUhINQlbSG1rV+OOYpa1RINuaVtFnxC+3PMZfqBvkxDihjPBqYkFeYhmDfoq8hx00Sz9dm1 trmpVv/IaoqHKIMmswgOMxLVtWTn+YaYg2QzitbJlIm7ztZQF7RXqLgzvfkB0oZm/27Swp9x PcBDCOasfXGUZGp3xU5Lzn9155bQymDjZNQ2E/votnGWvcvHFvleeNe6qoymOULkAP2+cHLV j+EHAvCxIrw9C8zxiOnjmeUX0g25U1J+TYZY5TOo37yzeoKIeSk7sBEOIR9JF5NMr2uutOVe 6EYQeaIHf5DOwusjbl7koNKW1xqHM+l+nv1wCg5G+k3GQnCf6XOU94XdggUqShxnmhQ+zN3I RyjNozs+f1OmLtasSewaWSazJYMBvcrWO/UulAk+EfgYsi8L9oW5XLWzrB039KmA8zK8r5j0 sSSqV26rKpAP4YQ+UCPyZCulY5ntWGK0Um9hHsCuglZFc3kjvVOciK77egk8tcPmSR4A/rfV +R/C1W862bA2+N1bsGB7kxJmoTYk4m83hm9P6DcYqVCAjCTZAywHOqdnumNLlaQ+yZHL9VqB Bw6dSBhfWWeCr1wxq4h0oNHotet2K8BdqvCweNE/NS+9O0OV6QkrKnifTD/QvfWH++cQAEno VLekwbc9RbhjQjhIMx1DKuSqafmDNXr3JOpTd9llDs3YC64GDUWUFeWDep/KlrYQ==

Ironport-sdr: o6SIMkhNQNFbAnx6ADbpi2t/MsuxE3KeB78qjUbMSrjsv5S/NT20q1LKmGRUVRGNRfKwyNOYYw VOcofYOlY/3FbhoshOXoUov6gQsdf0ydMY9YVeSlAM/j7uoFw5n7X8OAwz+awzz49kCsoxe6Wm tUzRanoS7NFVlb3bFziYP3RxZQiVelfQhU4a7T/6f6tbQ0lZh+3/ddnZZZHj+PvRjyYeFrjT70 9nxP3785y5KejGuNBxLZ7O3E8S9ISg8EptGQGNfGY1loT9ExG/QMSSBA2NbRnWaZ0MFol31uNK Lbo=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 27/04/2021 16:47, Jan Beulich wrote: > On 26.04.2021 19:54, Andrew Cooper wrote: >> For now, let VMs opt into using CET by setting cet_ss/ibt in the CPUID >> policy. Also extend cr4 handling to permit CR4.CET being set, along with >> logic to interlock CR4.CET and CR0.WP. >> >> Everything else will malfunction for now, but this will help adding support >> incrementally - there is a lot to do before CET will work properly. >> >> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Acked-by: Jan Beulich <jbeulich@xxxxxxxx> > > Just one consideration: > >> --- a/xen/include/public/arch-x86/cpufeatureset.h >> +++ b/xen/include/public/arch-x86/cpufeatureset.h >> @@ -232,7 +232,7 @@ XEN_CPUFEATURE(UMIP, 6*32+ 2) /*S User Mode >> Instruction Prevention */ >> XEN_CPUFEATURE(PKU, 6*32+ 3) /*H Protection Keys for Userspace */ >> XEN_CPUFEATURE(OSPKE, 6*32+ 4) /*! OS Protection Keys Enable */ >> XEN_CPUFEATURE(AVX512_VBMI2, 6*32+ 6) /*A Additional AVX-512 Vector Byte >> Manipulation Instrs */ >> -XEN_CPUFEATURE(CET_SS, 6*32+ 7) /* CET - Shadow Stacks */ >> +XEN_CPUFEATURE(CET_SS, 6*32+ 7) /*h CET - Shadow Stacks */ >> XEN_CPUFEATURE(GFNI, 6*32+ 8) /*A Galois Field Instrs */ >> XEN_CPUFEATURE(VAES, 6*32+ 9) /*A Vector AES Instrs */ >> XEN_CPUFEATURE(VPCLMULQDQ, 6*32+10) /*A Vector Carry-less >> Multiplication Instrs */ >> @@ -267,7 +267,7 @@ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* >> MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. >> XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural >> buffers */ >> XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ >> XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ >> -XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking >> */ >> +XEN_CPUFEATURE(CET_IBT, 9*32+20) /*h CET - Indirect Branch Tracking >> */ >> XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by >> Intel) */ >> XEN_CPUFEATURE(STIBP, 9*32+27) /*A STIBP */ >> XEN_CPUFEATURE(L1D_FLUSH, 9*32+28) /*S MSR_FLUSH_CMD and L1D flush. */ > If by the time 4.16 finishes up the various todo items haven't been > taken care of, should we take note to undo these markings? I would > have suggested allowing them for debug builds only, but that's kind > of ugly to achieve in a public header. TBH, I still don't think this should be a public header. If I would have forseen how much of a PITA is it, I would have argued harder against it. It is, at best, tools-only (via SYSCTL_get_featureset), and I don't intend that interface to survive the tools ABI stabilisation work, as it has been fully superseded by the cpu_policy interfaces and libx86. As for the max markings themselves, I'm not sure they ought to be debug-only. Its important aspect of making guest support "tech preview" to ensure the logic works irrespective of CONFIG_DEBUG, and I think it is entirely fine for an experimental feature to be of status "your VM will explode if you enable this right now", even if that spills over into 4.17. In reality, once we've got {U,S}_CET context switching working at the Xen level, and {RD,WR}MSR plumbing done, it ought to be safe to people to turn on an experiment with. At this point, we're in the position of "expected to work correctly in a subset of usecases". I'd ideally like to get to this point before 4.16 releases, but that will be very subject to other work. All the emulator work is for cases that a VM won't encounter by default (Task Switch too, as Minix in the Intel Management Engine is the only known 32-bit CET-SS implementation). Obviously, we want to get the checklist complete before enabling by default, but give the complexities in the emulator, I suspect we'll have a long gap between "believed can be used safely in a subset of cases", and "believed safe to use in general", and a long list of people happy to use it in a "doesn't work under introspection yet" state. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.