[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 6/6] x86/boot: Expose MSR_ARCH_CAPS data in guest max policies


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 16 May 2023 20:31:45 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UEOWwoXYmogg+FZr/nvtAjUiGOViDPxhO8690y9mbV4=; b=OdeYB8WTDE35NwvGs3o6P9lL0OY5IKieN2HOyOEOxhLavTEpXHGDkaE1skeOGLt83gvdZu2dEIxe1irB55cg9k9uIha5J6zopwRfwLDLwx0c1+4o6b2GbT3N1qxka8JSVhavSq/+SyDCAqGM/AFcOIXpoiAZPYH/6/GksePTLWONXb54xEk3+kVpYykkT76AomzfxYqzeSh27GxfOpZb1KMO1s15XQeMSHQ7NimL1s3yo4i9rpBhpKAvnpxJk1YI/xDgWLICEjS4fTXwEW9vNnkMv8nkVW+11cKBuQ90GxkArEIRJ4UXdJ0PXLsILpOxcSlLrTJBq/NUp9RKTv5wDw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CWvqAQYG3jPrIMtH8YDOjD9H9jvWxyNnk1N2t4ZYBxrOLKG9b+KzRvzJhBhSMSwFEnYQXIQd31cZBtT0PneHcS28IPxkz97QKLrztt+LcugZWrOj3ADrw5L2zPF7whul3U9OcuCVST65PaxXbgP8fOr/ir98+efXS7ZbM5/1XSoEayaIDwNCvbtNHMWFfJaOaz2DNM0CZUt32WT6hwgzsS33umZBySwm7VuddgHxb/StnsQHrwM6Fj1Prpg/QVTrRkppkMguojfcQwu8rXecHfwr/BNHLflBDd44QCJ/N98/rldnV0qLph5Q2KgNOA+sukbeAb+X+p3g8E8/MzHYSw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 16 May 2023 19:32:39 +0000
  • Ironport-data: A9a23:yJMOgq8iFdYn0RRUlMnoDrUDrX+TJUtcMsCJ2f8bNWPcYEJGY0x3z mdOXmGPMqzZajTzfIh/b9y08klQsZWEnNcwQAJpqCg8E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKicYXoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kI+1BjOkGlA5AdmOKkV5AW2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDkkT5 KI2NhInQyvdgui74Zy/cc9FuO88eZyD0IM34hmMzBn/JNN/G9XpZfWP4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTWOilUvgdABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTAdpCSuXhrqUx6LGV7mceCEUddViDm/e40EODA/EFK hU4xBN7+MDe82TuFLERRSaQonSJoxodUNp4CPAh5UeGza+8yxmdLngJSHhGctNOnN87Q3km2 0GEm/vtBCdzq/uFRHSF7LCWoDiufy8PIgc/iTQsSAIE55zpptE1hxeWFNJ7Svfr35vyBC36x C2MoG4mnbIPgMUX1qK9u1fanzaroZuPRQkwjunKYl+YAspCTNbNT+SVBZLzsZ6s8K7xooG9g UU5
  • Ironport-hdrordr: A9a23:nsa0aK1Eyl5mqdvTTJeRSQqjBa9xeYIsimQD101hICG9Lfb0qy n+pp4mPEHP4wr5OEtOpTlPAtj4fZquz+8T3WB3B8beYOCGghrTEGgG1+ffKlLbak7DH4JmpM Jdmu1FeabN5DtB/LjHCWuDc+rIqePvmM7IuQ6d9QYUcegDUdAe0+4TMHf+LqQZfnghOXN0Lu v/2iIRzADQBUj/I/7LTkXsGIP41q/2vaOjRSRDKw8s6QGIgz/twLnmEyKA1hNbfyJTzawk+W 3llRW8wqm4qfm0xjLVymeWtv1t6Zfc4+oGIPbJptkeKz3qhArtTIN9W4eatDRwjPCz5E0smN zspQ5lG8ho8Xvecky8vBOo8Qj91zQF7WPk1Daj8DbeiP28YAh/J9tKhIpffBecw008vOtk2K YO+26CrZJYAT7JgSy4vrHzJltXv3vxhUBnvf8YjnRZX4dbQLhNrbYH9EcQNJsbBir15K0uDe ErJsDB4/R9d0+cchnizyJS6e3pek52MgaNQ0AEtMDQ+z9KnEphx09d/8AblmdozuNLd7B0o8 D/doh4nrBHScEbKYhnAv0afMexAmvRBTrRLWO7Oz3cZeE6EkOIj6SyzKQ+5emsdpBN5oA1go 79XFRRsnN3U17yCPeJwIZA/nn2MSSAtAzWu4NjDqVCy/jBrOKBC1zGdLluqbrvnxwnOLyZZx 7pU6gmRMMKLgPVaPJ0NkPFKt9vwEIlIb4oU+YAKiOzS/3wW/3XX8zgAYDuzenWYH8Zc1K6JE c/dx7OA+gFxnyXexbD8W3ssjXWCwPCwa4=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16/05/2023 3:53 pm, Jan Beulich wrote:
> On 16.05.2023 16:16, Andrew Cooper wrote:
>> On 16/05/2023 3:06 pm, Jan Beulich wrote:
>>> On 16.05.2023 15:51, Andrew Cooper wrote:
>>>> On 16/05/2023 2:06 pm, Jan Beulich wrote:
>>>>> On 15.05.2023 16:42, Andrew Cooper wrote:
>>>>> Further is even just non-default exposure of all the various bits okay
>>>>> to other than Dom0? IOW is there indeed no further adjustment necessary
>>>>> to guest_rdmsr()?
>>> With your reply further down also sufficiently clarifying things for
>>> me (in particular pointing the one oversight of mine), the question
>>> above is the sole part remaining before I'd be okay giving my R-b here.
>> Oh sorry.  Yes, it is sufficient.  Because VMs (other than dom0) don't
>> get the ARCH_CAPS CPUID bit, reads of MSR_ARCH_CAPS will #GP.
>>
>> Right now, you can set cpuid = "host:arch-caps" in an xl.cfg file.  If
>> you do this, you get to keep both pieces, as you'll end up advertising
>> the MSR but with a value of 0 because of the note in patch 4.  libxl
>> still only understand the xend CPUID format and can't express any MSR
>> data at all.
> Hmm, so the CPUID bit being max only results in all the ARCH_CAPS bits
> getting turned off in the default policy. That is, to enable anything
> you need to not only enable the CPUID bit, but also the ARCH_CAPS bits
> you want enabled (with no presents means to do so).

Correct.

> I guess that's no
> different from other max-only features with dependents, but I wonder
> whether that's good behavior.

It's not really something you get a choice over.

Default is always less than max, so however you choose to express these
concepts, when you're opting-in you're always having to put information
back in which was previously stripped out.

> Wouldn't it make more sense for the
> individual bits' exposure qualifiers to become meaningful one to
> qualifying feature is enabled? I.e. here this would then mean that
> some ARCH_CAPS bits may become available, while others may require
> explicit turning on (assuming they weren't all 'A').

I'm afraid I don't follow.  You could make some bits of MSR_ARCH_CAPS
itself 'a' vs 'A', and that would have the expected effect (for any VM
where arch_caps was visible).

The thing which is 99% of the complexity with MSR_ARCH_CAPS is getting
RSBA/RRSBA right.  The moment we advertise MSR_ARCH_CAPS to guests,
RSBA/RRSBA must be set appropriately for migrate or we're creating a
security vulnerability in the guest.

If you're wondering about the block disable, that's because MSRs and
CPUID are different.  With CPUID, we have
x86_cpu_policy_clear_out_of_range_leaves() which uses the various
max_leaf.  e.g. a feat.max_leaf=0 is what causes all of subleaf 1 and 2
to be zeroed in a policy.


> But irrespective of that (which is kind of orthogonal) my question was
> rather with already considering the point in time when the CPUID bit
> would become 'A'. IOW I was wondering whether at that point having all
> the individual bits be 'A' is actually going to be correct.

I've chosen all 'A' for these bits because that is what I expect to be
correct in due course.  They're all the simple "you're not vulnerable to
$X" bits, plus eIBRS which in practice is just a qualifying statement on
IBRS (already fully supported in guests).

The rest of MSR_ARCH_CAPS is pretty much a dumping ground for all of the
controls we can't give to guests under any circumstance.  (FB_CLEAR_CTRL
might be an exception - allegedly we might want to give it to guests
which have passthrough and trust their userspace, but I'm unconvinced of
this argument and going to insist on concrete numbers from anyone
wanting to try and implement this usecase.)

But there certainly could be a feature in there in the future where we
leave it at 'a' for a while...  It's just feature bitmap data in a
non-CPUID form factor.

~Andrew



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.