[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 09/10] drivers/char: allow driving the rest of XHCI by a domain while Xen uses DbC

  • To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 9 Aug 2022 08:24:48 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=h3I7wrC6uIm93pblMo/mskVh2+IQUPsBt+7EVIrcxyI=; b=OlakdCmAMIdMvnetFM227FCrbPdAwLr9f6kBQqo/NLYTv0nXjGus2bKjz+ntPKS5X2/oKklxkxI/AI5pn9shHRr9J0YoOAlkwgtMVZsOZgX2hsvdNeLev+31FVGDodmpNnORColjVqmm4WoO5e7sySGobFWg3UmPtBvaw3YJTnGodjgdwKYInKsAij0uybETS836SbATC89IiRGj56U4cRtslN8UogmhgIh8k5lQYfTzo23UxLfcmOpun0Vpzn5kPIcGJ9CVEN/CDbOXbL/EUoITzprm0mPZMRumSgaDMQWrfpnaXns16jvB6N4mNDy+TAavv3ZutMX+3KhE8GLUKw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EtNktvMEMN3G2NSsJw6e0G5xuzHsf1g8ejQN6YVULUml/UmacyG38GOWBP7mUaBqF925mw7F0GMI9iPeqgKaVxOUqaXOFvNuJcAjpiKcdeTR+S7NWfmGmsmUi4LYsF77zt+y1X26ztgRebgS3JPRVleGhJeSR7qnvIJCQF7VFhRtzkX5Req+wpZSEQJEtwyOncPkjtukytRVsTwkEmCXiqV17HXYvXbMfOZTZBtrKXLP1UEYQySOWatRF7ozErrZo6HBiLddbbeAQo0+9xPlDIBmLJF6U5ejPQv7b1SUbaa6ibPZV6cV9Fn8fW8HLl9JVb1JbYjbMMnr2wx1emlzbw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 09 Aug 2022 06:24:59 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 05.08.2022 17:49, Marek Marczykowski-Górecki wrote:
> On Fri, Aug 05, 2022 at 10:15:59AM +0200, Jan Beulich wrote:
>> On 26.07.2022 05:23, Marek Marczykowski-Górecki wrote:
>>> That's possible, because the capability was designed specifically to
>>> allow separate driver handle it, in parallel to unmodified xhci driver
>>> (separate set of registers, pretending the port is "disconnected" for
>>> the main xhci driver etc). It works with Linux dom0, although requires
>>> an awful hack - re-enabling bus mastering behind dom0's backs.
>>
>> Which is one of the main reasons why I view DomU exposure as
>> going too far, despite recognizing the argument that this would only
>> be done if that DomU is fully trusted.
>>
>> Furthermore - what's the effect of this? It would seem to me that
>> while bus mastering is off, the device will not function. What happens
>> to output occurring during that time window? 
> 
> If no reset happens, the controller will continue sending the data after
> bus mastering is enabled back - no data lost in this case. If reset does
> happen, data that was already handed off to the controller (TRB queued)
> but not sent yet, is lost. But data that is still queued only in the
> work_ring, will be sent after controller is re-initialized. I did
> several tests of this, and I have not noticed any data loss in practice.
> 
>> Rather than needing to
>> re-enable bus mastering behind the owning domain's back, can't the
>> disabling of bus mastering be avoided in the driver there?
> 
> Linux disables bus mastering when PCI devices are enumerated (before
> xhci driver is loaded at all), and enables it back only when xhci driver
> tells it so. So, if xhci driver in dom0 is blacklisted (which is the
> case in qubes by default...), the console would be much less useful, so
> to say. And I don't think Linux maintainers will appreciate xen-xhci-dbc
> specific code in core PCI handling...
> It isn't an issue for EHCI driver, because EHCI debug port
> interface does not seem to use DMA.
> 
>>  As we can
>> see from the EHCI driver, there certainly can be communication
>> between Xen and Dom0 for functionality-impacting operations Dom0
>> might perform (there it's a device reset iirc).
> 
> Yes, I can see how controller reset can be coordinated this way. But
> also, I see it more like a future improvement if it deemed to be
> necessary, than a strict requirement, as the controller reset is a quick
> event that in practice does not impact the functionality in any
> significant way (with the current code shape). On the other hand, adding
> such synchronization feels like several more iterations of this
> series...
> 
> And BTW, if Linux crashes in the middle of controller reset, with such
> synchronization you would not get the crash message at all. While
> admittedly such issue is rather unlikely, I see it as a potential
> downside of coordination here (you could still avoid it by
> `share=none`/`share=no`, with all its consequences).
> 
> Generally, what would be your minimal acceptable version? If support for
> sharing the controller with a domain (including dom0) requires
> significantly more work to be accepted, I'd much prefer to drop it in
> this series and have it possibly introduced later (and in the meantime,
> possibly carry as a downstream patch). Unfortunately, I have limited
> time to work on the series, but also, I think having this feature
> upstream - even in partial form - will be very useful for many Xen users
> and developers. Especially, I'd like this series (in some shape) to be
> included in Xen 4.17.

I think I could agree with such logic as a temporary measure, i.e. marked
clearly with a FIXME: or alike. The Kconfig option then also would want
marking "experimental" (or maybe it already is).

>>> @@ -1005,10 +1050,32 @@ static void __init cf_check 
>>> dbc_uart_init_postirq(struct serial_port *port)
>>>      init_timer(&uart->timer, dbc_uart_poll, port, 0);
>>>      set_timer(&uart->timer, NOW() + MILLISECS(1));
>>>  
>>> -    if ( pci_ro_device(0, uart->dbc.sbdf.bus, uart->dbc.sbdf.devfn) )
>>> -        printk(XENLOG_WARNING
>>> -               "Failed to mark read-only %pp used for XHCI console\n",
>>> -               &uart->dbc.sbdf);
>>> +    switch ( uart->dbc.share )
>>> +    {
>>> +    case XHCI_SHARE_NONE:
>>> +        if ( pci_ro_device(0, uart->dbc.sbdf.bus, uart->dbc.sbdf.devfn) )
>>> +            printk(XENLOG_WARNING
>>> +                   "Failed to mark read-only %pp used for XHCI console\n",
>>> +                   &uart->dbc.sbdf);
>>> +        break;
>>> +    case XHCI_SHARE_HWDOM:
>>> +        if ( pci_hide_device(0, uart->dbc.sbdf.bus, uart->dbc.sbdf.devfn) )
>>> +            printk(XENLOG_WARNING
>>> +                   "Failed to hide %pp used for XHCI console\n",
>>> +                   &uart->dbc.sbdf);
>>> +        break;
>>> +    case XHCI_SHARE_ANY:
>>> +        /* Do not hide. */
>>> +        break;
>>> +    }
>>> +#ifdef CONFIG_X86
>>> +    if ( rangeset_add_range(mmio_ro_ranges,
>>> +                PFN_DOWN(uart->dbc.xhc_mmio_phys + 
>>> uart->dbc.xhc_dbc_offset),
>>> +                PFN_UP(uart->dbc.xhc_mmio_phys + uart->dbc.xhc_dbc_offset +
>>> +                       sizeof(*uart->dbc.dbc_reg)) - 1) )
>>> +        printk(XENLOG_INFO
>>> +               "Error while adding MMIO range of device to 
>>> mmio_ro_ranges\n");
>>
>> How can this allow use of the device by a domain? Is there some sort of
>> guarantee that nothing else will live in the same 4k range? I can't
>> infer such from xhci_find_dbc().
> 
> That's a very good question. From what I see, it lives on a page
> together with other extended capabilities (but nothing else). Most of
> registers in other capabilities are read-only, but there are some
> read-write. It seems Linux driver works fine without writing to any of
> them, but it sounds very fragile...
> 
> The main reason for this code is to prevent Linux initializing DbC for
> itself. But AFAIK Linux does not do it on its own, it requires explicit
> action from the system admin (a write to sysfs or kernel option).
> I'm not exactly sure what will happen if Linux will try to use DbC too,
> my guess is either Xen console will stall, or they will fight each other
> by re-initializing DbC over and over. Neither of them look appealing...
> 
> Would you prefer to drop this part, in favor of documenting it's the
> system admin responsibility to prevent Linux from using it? In that
> case, I think the default should remain `share=no` (possibly changing
> only after implementing some coordination with Linux side).

No, quite the other way around - it being there makes Xen's use safe,
at the risk of breaking Dom0 (or, for your purposes, DomU) functionality.
The latter, if necessary, would imo need restoring by way of emulating
all write accesses to the page.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.