Xen project Mailing List

Re: [PATCH 6/6] x86/boot: Expose MSR_ARCH_CAPS data in guest max policies

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Mon, 22 May 2023 09:31:04 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ZWbikd4CO1Y3ADVhZAqLtLz58LsSBYYwyMmvo++9TKY=; b=h/ctD+3Ij2L6hWBQLFZI6Td88Ne+TwT3RIdkEobE5avrzI/rYwEAJ2iXSliPXAzIJMulMKmnw10+CaWjFSUHV7pY3r9iLnG3QGVyJ8cU6ove0KlL9mD1jtDiJEcka6d8HOFMKEE6rYLXEowT09TXr28lgF8Yc6RmELfpbwyCqce/gxelc4ZkoGCpdcYJKWZiHZ8Brm/6PjBAH36kg8c1Z/ND38R3+fuIgHCLcfJsBzhePaJTnqwdoXERLnzEIH8+vBsi8UOBtrwsmOgn9S6rEcRpxv6N3kEibGo/nifHM6sQSiOg7YWkIsABQrfJR05H884gbx6NLhk5TONeCZmm+w==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EBL/OCVNaasVgUDZ4CDfbQIgtKSUjwsID9c8aR3lGvTGA9UQudm+7KwiH1i3ihFKWvaJN+gOpUMTrokCR1fYoV6gIbJzidpmzR24Pmpkr4KrDUJBaMp3yZTcrwrLHGlDDn+TIDZof5ej9/m8xUjwIGtRDqkMxY1WP3qyXVUC/NKEZUlnlFPN/jC/zGm+iXOuC32mOcqMnh1nHBvnQzDZtIem6IBqartGJWuYDzSd5s2lFn1/TSoeQILmcqTQJv9JDK2hfduS70uro9jWWlqhtMoTKc6JCseDbTJ6ypnAbzu0q63TtmwQ37r1AvLaR1/vGA/0uRxxHxx5xcS4BSg+5A==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 22 May 2023 07:31:48 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19.05.2023 17:52, Andrew Cooper wrote: > On 17/05/2023 10:20 am, Jan Beulich wrote: >> On 16.05.2023 21:31, Andrew Cooper wrote: >>> On 16/05/2023 3:53 pm, Jan Beulich wrote: >>>> I guess that's no >>>> different from other max-only features with dependents, but I wonder >>>> whether that's good behavior. >>> It's not really something you get a choice over. >>> >>> Default is always less than max, so however you choose to express these >>> concepts, when you're opting-in you're always having to put information >>> back in which was previously stripped out. >> But my point is towards the amount of data you need to specify manually. >> I would find it quite helpful if default-on sub-features became available >> automatically once the top-level feature was turned on. I guess so far >> we don't have many such cases, but here you add a whole bunch. > > I'm not suggesting specifying it manually. That would be a dumb UX move. > > But you absolutely cannot have "user turns on EIBRS" meaning "turn on > ARCH_CAPS too", because a) that requires creating the reverse feature > map which is massively larger than the forward feature map, and b) it > creates a vulnerability in the guest, and c) it's ambiguous - e.g. what > does turning on a sub-mode of AVX-512 mean for sibling sub-modes? Feels like a misunderstanding at this point, because what you're describing above is not what I was referring to. Instead I was specifically referring to "cpuid=...,arch-caps" not having any effect beyond the turning on of the MSR itself (with all-zero content). This is even worse with libxl not even having a way right now to express something like "arch-caps=..." to enable some of the sub-features for guests. To explicitly answer the AVX512 part of your reply: Turning on a sub-mode alone could be useful as well (with the effect of also turning on the main feature, and with or without [policy question] also turning on other default-on subfeatures of AVX512). But again - that direction of possible "implications" isn't what my earlier reply was about. As you say, reverse maps would then also be needed, whereas for what I'm suggesting only the deep-deps we already have are necessary: We'd grab the main feature's dependencies and AND that with the default mask before ORing into the domain's policy. > Whichever algorithm you want, you still need *something* to know that > ARCH_CAPS is special and how to arrange the defaults given a non-default > overarching setting. Afaict right now that would be achieved by the same 'a', 'A', '!a", and "!A" annotations, suitably placed on every of the sub-features. Jan > When the toolstack infrastructure grows the ability to say no to the > user, it will be able to identify explicit user settings which cannot be > fulfilled. (And with a bit more complicated logic, why.) > >>>> Wouldn't it make more sense for the >>>> individual bits' exposure qualifiers to become meaningful one to >>>> qualifying feature is enabled? I.e. here this would then mean that >>>> some ARCH_CAPS bits may become available, while others may require >>>> explicit turning on (assuming they weren't all 'A'). >>> I'm afraid I don't follow. You could make some bits of MSR_ARCH_CAPS >>> itself 'a' vs 'A', and that would have the expected effect (for any VM >>> where arch_caps was visible). >> Visible by default, you mean. Whereas I'm considering the case where >> the CPUID bit is default-off, and turning it on for a guest doesn't at >> the same time turn on all the 'A' bits in ARCH_CAPS (which hardware >> offers, or which we synthesize). >> >> Something similar could be seen / utilized for AMX, where in my >> pending series I set all the bits to 'a', requiring every individual >> bit to be turned on along with turning on AMX-TILE. Yet it would be >> more user friendly if only the top-level bit needed enabling manually, >> with available sub-features then becoming available "automatically". > > I think I've covered all of this in the reply above? > > ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.