[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/6] x86/boot: Rework dom0 feature configuration

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 16 May 2023 09:58:34 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=e+NqQN8QURNGKAr2qM5Y4A17EH6PrzkLoVprF0hx4cI=; b=DaDbzNh9bpkl7fTK9B7/xccNXr2xoXPhXiHjCxhcr+xDNzHNK0FK7qVeR4mOkkr+pbuFEBxCSrIyfETj1K9L5/CdtoayPOGD0az7KkjEwi0xnluAHdB+6xpj1MB9K6NPgqqvyTZMiIDvE5+N4b6CZCrVndcxrNGOPQRYjvoiFxB2dHvbyGtozMJNYQyTLdXdddShcTCfOEPA5WqY9s8RawOQO6nayEgFAY0+NXcA52PtRL+Teeqr7RQlqXhtcAp8cbd+BJI6NNaLzlZY3Kvj2c6/x8BXR05wLh/b20BTTdpDXF3xSrhqzFsro+3Kfauwr2dWeRmXV+SOqVXN+v/WsA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RSTkbP28W9U42Gb1uMutBn5zs+o1LCLN68v4NG4k0R0vlhGPhu+6x7vtNsCayAVu0M2V41PVlbqqGy8IO7sNJouzS/Vzu3wY9fla0QjjxMrE42r9t/qSrOjV6zrmGZznihCoAcEz13AG/pUCaiw5g/dk+8S8sf8wRnGjJVn3Xs5iJkAc0i0fGUqhrN7L663rgc4IUPRBwKmuxv+AafS+x5q2UtZT90llTj40TGAYlULW6BVzOz+6fOyW4UnnUXmCiaJIwZYCiJe2VP1S+CDHLlj3QU0lMkTnc/dZuu2JVHk8Zo0F7TVpH610AW37HYfLzpof7T/mqJwBrUboqVZ9VA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 16 May 2023 07:58:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 15.05.2023 16:42, Andrew Cooper wrote:
> Right now, dom0's feature configuration is split between between the common
> path and a dom0-specific one.  This mostly is by accident, and causes some
> very subtle bugs.
> 
> First, start by clearly defining init_dom0_cpuid_policy() to be the domain
> that Xen builds automatically.  The late hwdom case is still constructed in a
> mostly normal way, with the control domain having full discretion over the CPU
> policy.
> 
> Identifying this highlights a latent bug - the two halves of the MSR_ARCH_CAPS
> bodge are asymmetric with respect to the hardware domain.  This means that
> shim, or a control-only dom0 sees the MSR_ARCH_CAPS CPUID bit but none of the
> MSR content.  This in turn declares the hardware to be retpoline-safe by
> failing to advertise the {R,}RSBA bits appropriately.  Restrict this logic to
> the hardware domain, although the special case will cease to exist shortly.
> 
> For the CPUID Faulting adjustment, the comment in ctxt_switch_levelling()
> isn't actually relevant.  Provide a better explanation.
> 
> Move the recalculate_cpuid_policy() call outside of the dom0-cpuid= case.
> This is no change for now, but will become necessary shortly.
> 
> Finally, place the second half of the MSR_ARCH_CAPS bodge after the
> recalculate_cpuid_policy() call.  This is necessary to avoid transiently
> breaking the hardware domain's view while the handling is cleaned up.  This
> special case will cease to exist shortly.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
with one question / suggestion:

> @@ -858,7 +839,7 @@ void __init init_dom0_cpuid_policy(struct domain *d)
>       * so dom0 can turn off workarounds as appropriate.  Temporary, until the
>       * domain policy logic gains a better understanding of MSRs.
>       */
> -    if ( cpu_has_arch_caps )
> +    if ( is_hardware_domain(d) && cpu_has_arch_caps )
>          p->feat.arch_caps = true;

As a result of this, ...

> @@ -876,8 +857,32 @@ void __init init_dom0_cpuid_policy(struct domain *d)
>          }
>  
>          x86_cpu_featureset_to_policy(fs, p);
> +    }
> +
> +    /*
> +     * PV Control domains used to require unfiltered CPUID.  This was fixed 
> in
> +     * Xen 4.13, but there is an cmdline knob to restore the prior behaviour.
> +     *
> +     * If the domain is getting unfiltered CPUID, don't let the guest kernel
> +     * play with CPUID faulting either, as Xen's CPUID path won't cope.
> +     */
> +    if ( !opt_dom0_cpuid_faulting && is_control_domain(d) && is_pv_domain(d) 
> )
> +        p->platform_info.cpuid_faulting = false;
>  
> -        recalculate_cpuid_policy(d);
> +    recalculate_cpuid_policy(d);
> +
> +    if ( is_hardware_domain(d) && cpu_has_arch_caps )

... it would feel slightly more logical if p->feat.arch_caps was used here.
Whether that's to replace the entire condition or merely the right side of
the && depends on what the subsequent changes require (which I haven't
looked at yet).

Jan

> +    {
> +        uint64_t val;
> +
> +        rdmsrl(MSR_ARCH_CAPABILITIES, val);
> +
> +        p->arch_caps.raw = val &
> +            (ARCH_CAPS_RDCL_NO | ARCH_CAPS_IBRS_ALL | ARCH_CAPS_RSBA |
> +             ARCH_CAPS_SSB_NO | ARCH_CAPS_MDS_NO | 
> ARCH_CAPS_IF_PSCHANGE_MC_NO |
> +             ARCH_CAPS_TAA_NO | ARCH_CAPS_SBDR_SSDP_NO | ARCH_CAPS_FBSDP_NO |
> +             ARCH_CAPS_PSDP_NO | ARCH_CAPS_FB_CLEAR | ARCH_CAPS_RRSBA |
> +             ARCH_CAPS_BHI_NO | ARCH_CAPS_PBRSB_NO);
>      }
>  }
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.