|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH 2/2] x86/vmx: implement Notify VM Exit
On Thu, May 19, 2022 at 12:10:24AM +0000, Andrew Cooper wrote:
> On 17/05/2022 14:21, Roger Pau Monne wrote:
> > Under certain conditions guests can get the CPU stuck in an infinite
> > loop without the possibility of an interrupt window to occur.
>
> instruction boundary.
>
> It's trivial to create an infinite loop without an interrupt window :)
>
> Also, I'd probably phrase that as an unbounded loop, because not all
> problem cases are truly infinite.
>
> > This
> > was the case with the scenarios described in XSA-156.
>
> Case in point, both of these can be broken by something else (another
> vCPU, or coherent DMA write) editing the IDT and e.g. making the #AC/#DB
> vectors not present, which will yield #NP instead.
>
> >
> > Make use of the Notify VM Exit mechanism, that will trigger a VM Exit
> > if no interrupt window occurs for a specified amount of time. Note
> > that using the Notify VM Exit avoids having to trap #AC and #DB
> > exceptions, as Xen is guaranteed to get a VM Exit even if the guest
> > puts the CPU in a loop without an interrupt window, as such disable
> > the intercepts if the feature is available and enabled.
> >
> > Setting the notify VM exit window to 0 is safe because there's a
> > threshold added by the hardware in order to have a sane window value.
> >
> > Suggested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > This change enables the notify VM exit by default, KVM however doesn't
> > seem to enable it by default, and there's the following note in the
> > commit message:
> >
> > "- There's a possibility, however small, that a notify VM exit happens
> > with VM_CONTEXT_INVALID set in exit qualification. In this case, the
> > vcpu can no longer run. To avoid killing a well-behaved guest, set
> > notify window as -1 to disable this feature by default."
> >
> > It's not obviously clear to me whether the comment was meant to be:
> > "There's a possibility, however small, that a notify VM exit _wrongly_
> > happens with VM_CONTEXT_INVALID".
>
> TBH, I read that as a get-out clause for "we have no idea what to set
> for a default window", and it's not a decision reasonable to defer to
> users, because they have even less of an idea than us.
>
> All CPUs with Notify VM Exit have the TSC crystal information in CPUID,
> so I'd suggest that we trust CPUID to be accurate, and program for maybe
> 10us? That's 1/3 of a default timeslice.
>
>
>
> > It's also not clear whether such wrong hardware behavior only affects
> > a specific set of hardware, in a way that we could avoid enabling
> > notify VM exit there.
> >
> > There's a discussion in one of the Linux patches that 128K might be
> > the safer value in order to prevent false positives, but I have no
> > formal confirmation about this. Maybe our Intel maintainers can
> > provide some more feedback on a suitable notify VM exit window
> > value.
> >
> > I've tested with 0 (the proposed default in the patch) and I don't
> > seem to be able to trigger notify VM exits under normal guest
> > operation. Note that even in that case the guest won't be destroyed
> > unless the context is corrupt.
>
> Huh... There's nothing in the manual about that, but obviously hardware
> has some minimum safe value if 0 appears to work in practice.
Got the tip from looking at the KVM patch submission for notify VM
exit implementation.
Seeing your suggestion above to use 10us and your reply here, I'm
unsure whether you are fine with using 0.
> > diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c
> > index d388e6729c..5685a5523e 100644
> > --- a/xen/arch/x86/hvm/vmx/vmcs.c
> > +++ b/xen/arch/x86/hvm/vmx/vmcs.c
> > @@ -67,6 +67,9 @@ integer_param("ple_gap", ple_gap);
> > static unsigned int __read_mostly ple_window = 4096;
> > integer_param("ple_window", ple_window);
> >
> > +static int __read_mostly vm_notify_window;
> > +integer_param("vm-notify-window", vm_notify_window);
>
> Part of me is loath to keep on adding new top-level options for this.
>
> I was about to suggest having a vmx= option, but I've just noticed that
> ple_{window,gap} are wired up to cmdline options on Intel, and fixed
> constants on AMD.
Do we want to make this VMX specific? The problem affects both Intel
and AMD, so I would think it's possible for AMD to introduce a similar
solution in the future and hence we might want to share
"vm-notify-window". That however raises questions as to whether AMD
will also allow specifying a window, and whether it will be in crystal
clock units.
> Thoughts on a suitable name?
vmx and svm would seem fine to me.
> > @@ -1333,6 +1338,19 @@ static int construct_vmcs(struct vcpu *v)
> > rc = vmx_add_msr(v, MSR_FLUSH_CMD, FLUSH_CMD_L1D,
> > VMX_MSR_GUEST_LOADONLY);
> >
> > + if ( cpu_has_vmx_notify_vm_exiting && vm_notify_window >= 0 )
> > + {
> > + __vmwrite(NOTIFY_WINDOW, vm_notify_window);
> > + /*
> > + * Disable #AC and #DB interception: by using VM Notify Xen is
> > + * guaranteed to get a VM exit even if the guest manages to lock
> > the
> > + * CPU.
> > + */
> > + v->arch.hvm.vmx.exception_bitmap &= ~((1U << TRAP_debug) |
> > + (1U <<
> > TRAP_alignment_check));
> > + vmx_update_exception_bitmap(v);
>
> IIRC, it's not quite this easy. There are conditions, e.g. attaching
> gdbsx, where #DB interception wants turning on/off dynamically, and the
> logic got simplified to nothing following XSA-156, so will need
> reintroducing.
>
> AMD Milan (Zen3) actually has NoNestedDataBp in CPUID.80000021.eax[0]
> which allows us to not intercept #DB, so perhaps that might offer an
> easier way of adjusting the interception logic. (Or maybe not. I can't
> remember).
OK, will look into it.
> > + }
> > +
> > out:
> > vmx_vmcs_exit(v);
> >
> > diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
> > index 02cc7a2023..9c37790c36 100644
> > --- a/xen/arch/x86/hvm/vmx/vmx.c
> > +++ b/xen/arch/x86/hvm/vmx/vmx.c
> > @@ -4567,6 +4567,30 @@ void vmx_vmexit_handler(struct cpu_user_regs *regs)
> > */
> > break;
> >
> > + case EXIT_REASON_NOTIFY:
> > + __vmread(EXIT_QUALIFICATION, &exit_qualification);
> > +
> > + if ( exit_qualification & NOTIFY_VM_CONTEXT_INVALID )
> > + {
> > + perfc_incr(vmnotify_crash);
> > + gprintk(XENLOG_ERR, "invalid VM context after notify
> > vmexit\n");
> > + domain_crash(v->domain);
> > + break;
> > + }
> > +
> > + if ( cpu_has_vmx_vnmi &&
> > + (exit_qualification & INTR_INFO_NMI_UNBLOCKED_BY_IRET) )
> > + {
> > + unsigned long guest_info;
> > +
> > + /* Exit was incident to an execution of IRET that unblocked
> > NMIs. */
> > + __vmread(GUEST_INTERRUPTIBILITY_INFO, &guest_info);
> > + __vmwrite(GUEST_INTERRUPTIBILITY_INFO,
> > + guest_info | VMX_INTR_SHADOW_NMI);
>
> I am saddened by how irritating it is having the UNBLOCKED_BY_IRET (in
> the first place...) but moving between the exit qualification and the
> vmexit intr info fields. The constant probably ought to be renamed to
> lose the INTR_INFO prefix.
>
> I'd suggest a prereq patch to also break
>
> static void undo_nmis_unblocked_by_iret(void)
> {
> ...
> }
>
> out to avoid opencoding it in several places. There's one other
> instance in our code (general fault intercept), but we're buggy on
> PML-full, APIC-access and EPT violation all of which Xen handles.
I don't think we are buggy on APIC-accesses, the SDM says:
"Executions of IRET may also incur VM exits due to APIC accesses and
EPT misconfigurations. These VM exits do not report information about
NMI unblocking due to IRET."
> I don't think you need the vnmi check, because the bit is 0 otherwise.
Right, the bit is only defined in the Xen case if vnmi is enabled,
because Xen requires PIN_BASED_NMI_EXITING to be set (NMI Exiting set
to 0 could also allow the bit to be 1).
Thanks, Roger.
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |