Xen project Mailing List

Re: [PATCH] x86/ucode: Refresh raw CPU policy after microcode load

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 4 May 2023 10:22:51 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vbwPc94iyHwUkqQgtzgz/Y6XXp7gSahAMvglzZG4bls=; b=YYFL0bvnQMYA/gCvQiDKB7myLKs2SIqcJIztkU6pOH+lXr/dqTZ22iz7FuTpwZumhY45XirT66qomCgBb0Mua90cWdItmTpkxoJIO1cl73/e9JCzUNxB/PtRb4JHArBUgO9RCI231hn9psQ50Z62MRu8hD8kkN4XTh7XBBTd1d2eOq5NJLkrAwgN1HdbPRCE6oV9vWVl0V1Hx6UmS/qvgFAMki/2O/XI7s9yve1cq6kbhUQs1soLCmGGmoO8NrYKPxkOzhQKHQDSw5ymNeWKO65p197rczE6f32GQEGknWQAl28zlu//cbWOw3Y8chKcuQV+Is9ukES0Rp6IVtvzHA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WLK373GUcwahTfMmf8XAGl/Chmc8ERWlGZKXxUorWPyXaMdFA5Rx3eNptNvB1h9GXBYcytJXjSDCyLSLX4iISARWSLI9PL+Nxs47XindI7ulaJgKIHNyZRfwdrv0KmTKDQUSd0MWUQ3J/4cgqP7TPr7UmgB0Uwmb0XiOAxtL0SP9vU7fihfWoOk3DvCV4yCWhDBBWog14+QvCsMBIXM0CDSb2VTAdr6Cy7yw1NdSKijUq8ujQ8Zu52GMQAA2WmhaGzMYjlmnesEUwUq6Ys/LIMSG2fHstkluodKEgB6zKMDIjqVFoYU7ykbxxDPDiiznit0HeRt/fhoNoWdlo2ZL0w==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 04 May 2023 08:23:16 +0000

Ironport-data: A9a23:6dUlkK/r8W4Wagp5riJCDrUDpn+TJUtcMsCJ2f8bNWPcYEJGY0x3m mEbCj+Oa6uPa2Omf90lbYu1/BgF65PTz9M2T1Bpqi48E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKicYXoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kI+1BjOkGlA5AdmOKgX5Aa2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDklw+ 94KJSEoZyq4isCn64n8YOlCppoKeZyD0IM34hmMzBn/JNN/GdXvZvuP4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTWDilUpjNABM/KMEjCObd9SkUuC4 HrP4kzyAw0ANczZwj2Amp6prraXw36rBd5JTdVU8NZxuFmul0MdOicPC1qqhuCSgF+YRulQf hl8Fi0G6PJaGFaQZtv3UgC8oXWElgUBQNcWGOo/gCmSzoLE7gDfAXILJhZRZdpjuMIoSDgC0 l6Sg8ivFTFpqKeSS3+W6vGTtzzaBMQOBWoLZCtBQQ5b5dDm+dk3lkiWFoolF7OphNroHz222 yqNsCU1m7QUi4gMyrm/+lfExTmro/AlUzII2+keZUr9hisRWWJvT9XABYTzhRqYELukcw==

Ironport-hdrordr: A9a23:6rr6Jqnatn9OM+lMf8vqPmuC1QvpDfIW3DAbv31ZSRFFG/Fw8P rDoB1773DJYVMqM03I9urvBEDtexLhHPxOkOos1MaZPDUO0VHAROsO0WKI+UyDJ8SRzJ876Y 5QN4R4Fd3sHRxboK/BkW+F+g8bsby6GXaT9IPj80s=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, May 04, 2023 at 09:08:02AM +0100, Andrew Cooper wrote: > On 04/05/2023 8:08 am, Jan Beulich wrote: > > On 03.05.2023 20:58, Andrew Cooper wrote: > >> Loading microcode can cause new features to appear. > > Or disappear (LWP)? While I don't think we want to panic() in this > > case (we do on the S3 resume path when recheck_cpu_features() fails > > on the BSP), it would seem to me that we want to go a step further > > than you do and at least warn when a feature went amiss. Or is that > > too much of a scope-creeping request right here? > > You're correct that I ought to discuss the disappear case. But like > livepatching, it's firmly in the realm of "the end user takes > responsibility for trying this in their test system before running it in > production". > > For LWP specifically, we ought to explicitly permit its disappearance in > recheck_cpu_features(), because this specific example is known to exist, > and known safe as Xen never used or virtualised LWP functionality. > Crashing on S3 Printing disappearing features might be a nice bonus, but could be done from the tool that loads the microcode itself, no need to do such work in the hypervisor IMO. > > > >> @@ -677,6 +678,9 @@ static long cf_check microcode_update_helper(void > >> *data) > >> spin_lock(&microcode_mutex); > >> microcode_update_cache(patch); > >> spin_unlock(&microcode_mutex); > >> + > >> + /* Refresh the raw CPU policy, in case the features have changed. > >> */ > >> + calculate_raw_cpu_policy(); > > I understand this is in line with what we do during boot, but there > > and here I wonder whether this wouldn't better deal with possible > > asymmetries (e.g. in case ucode loading failed on one of the CPUs), > > along the lines of what we do near the end of identify_cpu() for > > APs. (Unlike the question higher up, this is definitely only a > > remark here, not something I'd consider dealing with right in this > > change.) > > Asymmetry is an increasingly theoretical problem. Yeah, it exists in > principle, but Xen has no way of letting you explicitly get into that > situation. > > This too falls firmly into the "end user takes responsibility for > testing it properly first" category. > > We have explicit symmetric assumptions/requirements elsewhere (e.g. for > a single system, there's 1 correct ucode blob). > > We can acknowledge that asymmetry exists, but there is basically nothing > Xen can do about it other than highlight that something is very wrong on > the system. Odds are that a system which gets into such a state won't > survive much longer. Would it make sense to only update the CPU policy if updated == nr_cores? Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.