Xen project Mailing List

Re: [PATCH 6/6] x86/boot: Expose MSR_ARCH_CAPS data in guest max policies

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 16 May 2023 15:16:13 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VAwGYWF5pFRzkGozLRQbwCbMCrKb58pgpqIbImSxPGQ=; b=KWzC1uaDhzcAmUAL/xXFeP+J6Wvzxv9RJQ6PQVUAhcIweMrFp9m2S1kTJ41REgutZDAYK2VBamqoS93LwOEDkw7X/GZCwyjlTf7AZ4V4wKzMDeTN6AtYFMJ2nganGUs0rODadlYWh/Izv7N8N9ymHHXhONPfrCt7rsZLpddEcy3ILCpCqWnLhaBrLHOCoylE7QjXE4LIv235gIXTBU/ITC/RFkVYNlH5HHX9e+M8cJcCnK19aXNPTKn3dE2DCIuPHubASqdgchKKElbPj6mTHPMeUWhMlzu0vw8PDaQ2Jhkfe2UZFMATbo11pbXu4nV4Se4KvEU+aXgBT+50pd2bFw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=E6BBNaYp2FNbb/zCoRgWvs4QBA13VuoxC7oVrmscDUQB2baINzimrM57aH5q1wWhQ4VPkjc/YNl4CGnUHoQTQmU/3AJzz747KN7dcM9IOwU8tyK+y0q04hNXdYH7fIPx3i66Y5lCw4ILgsLJqHTFlidhjMiBWUtwZ3HuyfjjmWyw7chGKd1zbW8gqsjW6K5y95pT2z+WgE7G6D9NBOapizJ+pvjVCYV2pWDQx9bVrIDdHfkI4adsZ+iQnPdlLHg7p1YUVZ1eF0t9kDBuWP44oWSl2qceLFCSDSx2D/Q/cepbz4XVsHVjwbFzn+9i7/cmhKWWbsjD17jyJKiNVfOUVQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 16 May 2023 14:16:45 +0000

Ironport-data: A9a23:RlcjRK4MQxhhPArK/U0aNQxRtBXGchMFZxGqfqrLsTDasY5as4F+v mAZDTiPPKneN2bxedwkOYW28k0Fu5LQyNVmHgA++Sw9Hi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvynTraCYnsrLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9VU+7ZwehBtC5gZlPa0S4geE/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m6 ttfLxATbDa5t+PskYq+WtNOoZ4MI5y+VG8fkikIITDxK98DGMmGb4CUoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6Ok0ooj+eF3Nn9I7RmQe18mEqCq 32A1GP+GhwAb/SUyCaf82LqjejK9c/+cNtKRefjpqYy2TV/wEQQJUEnRQuShcOfyRW8YdhzK UsM/DQx+P1aGEuDC4OVsweDiHyOswMYWtFQO/Yn8wzLwa3Riy6GAkAUQzgHb8Yp3OcmSDpv2 lKXktfBAT10rKbTWX+b7q2Trz65JW4SN2BqWMMfZQ4M4t2mrIRtiBvKF49nCPTs0YKzHizsy TeXqiR4n68UkcMAy6S8+xbAni6ooZ/KCAUy4207Q16Y0++wX6b9D6TA1LQRxawowFqxJrVZg EU5pg==

Ironport-hdrordr: A9a23:e+8MLqEFv9DRh0ydpLqE18eALOsnbusQ8zAXPo5KOGVom62j5r iTdZEgvyMc5wxhPU3I9erwWpVoBEmslqKdgrNxAV7BZniDhILAFugLhrcKgQeBJ8SUzJ876U 4PSdkZNDQyNzRHZATBjTVQ3+xO/DBPys6Vuds=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16/05/2023 3:06 pm, Jan Beulich wrote: > On 16.05.2023 15:51, Andrew Cooper wrote: >> On 16/05/2023 2:06 pm, Jan Beulich wrote: >>> On 15.05.2023 16:42, Andrew Cooper wrote: >>>> --- a/xen/arch/x86/cpu-policy.c >>>> +++ b/xen/arch/x86/cpu-policy.c >>>> @@ -408,6 +408,25 @@ static void __init calculate_host_policy(void) >>>> p->platform_info.cpuid_faulting = cpu_has_cpuid_faulting; >>>> } >>>> >>>> +static void __init guest_common_max_feature_adjustments(uint32_t *fs) >>>> +{ >>>> + if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL ) >>>> + { >>>> + /* >>>> + * MSR_ARCH_CAPS is just feature data, and we can offer it to >>>> guests >>>> + * unconditionally, although limit it to Intel systems as it is >>>> highly >>>> + * uarch-specific. >>>> + * >>>> + * In particular, the RSBA and RRSBA bits mean "you might migrate >>>> to a >>>> + * system where RSB underflow uses alternative predictors (a.k.a >>>> + * Retpoline not safe)", so these need to be visible to a guest >>>> in all >>>> + * cases, even when it's only some other server in the pool which >>>> + * suffers the identified behaviour. >>>> + */ >>>> + __set_bit(X86_FEATURE_ARCH_CAPS, fs); >>>> + } >>>> +} >>> The comment reads as if it wasn't applying to "max" only, but rather to >>> "default". Reading this I'm therefore now (and perhaps even more so in >>> the future, when coming across it) wondering whether it's misplaced, or >>> and hence whether the commented code is also misplaced and/or wrong. >> On migrate-in, we (well - toolstacks that understand multiple hosts) >> check the cpu policy the VM saw against the appropriate PV/HVM max >> policy to determine whether it can safely run. >> >> So this is very intentionally for the max policy. We need (I think - >> still pending an clarification from Intel because there's pending work >> still not published) to set RSBA unconditionally, and RRSBA conditional >> on EIBRS being available, in max even on pre-Skylake hardware such that >> we can migrate-in a VM which previously ran on Skylake or later hardware. >> >> Activating this by default for VMs is just a case of swapping the CPUID >> ARCH_CAPS bit from 'a' to 'A', without any adjustment to this logic. > Hmm, I see. Not very intuitive, but I think I follow. > >>> Further is even just non-default exposure of all the various bits okay >>> to other than Dom0? IOW is there indeed no further adjustment necessary >>> to guest_rdmsr()? > With your reply further down also sufficiently clarifying things for > me (in particular pointing the one oversight of mine), the question > above is the sole part remaining before I'd be okay giving my R-b here. Oh sorry. Yes, it is sufficient. Because VMs (other than dom0) don't get the ARCH_CAPS CPUID bit, reads of MSR_ARCH_CAPS will #GP. Right now, you can set cpuid = "host:arch-caps" in an xl.cfg file. If you do this, you get to keep both pieces, as you'll end up advertising the MSR but with a value of 0 because of the note in patch 4. libxl still only understand the xend CPUID format and can't express any MSR data at all. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.