[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 4/4] x86/cpu-policy: Derive RSBA/RRSBA for guest policies

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 15 Jun 2023 11:41:54 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lIqwDCdnzsmQRsv19InjPQYPxpJ4eIavPCVl68cnLxE=; b=mazNV9Aqc/ztItnoVob+siogGhlCuuiKdTpZGOvn7qFfBp6lqi0sSHLHtI1vq3wXKsCQKBYcGKQLzVJZj+xRVG3jqJX87Q/tIUKFxACSO9+uVESmD9ukedin25QNwQK6lskpZPhMx92Q0KgADoUOSn2nhBLkJLDxKL1sVUOrdDDbcpFEN7xeaGTzjuX26AWB34nSuch8bjb8ozhUHO56hdofzsbRCcDLv82Ag3KXsfTvaGi7UK6XXZdyQesD1L6B5H4S4hlohcg/hEM/gc8clIyE0+bC1zNhmNyofhUrbudL+5FISuLCVHkDrHPtywSWPcE8NqeETmKCUlC0/8Cyhw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RTk82AUpeUf6R0/FQ8u/FyRmmkX+oUjLrtG6Kliqhru55jnFykFH0nuuzG23ze4sywtCpFQL1udMFx0Ajw4MLfshnAwyM/Bm2n3Wxu/XUB+kJRmYFvBtXmUX0kN9hNwx9emScax2Z/uzK7pSF5rb60qHxq483o6pzdjDcbtuL5hPDOeg8M64bY9RiSylHwxNZ9qQPluv7wqGRu1pOn/+t+FKaBhUFZUhAyVCN8cUlfKK8A2zuxA4+Rtc2VWYWGVOeEGSSf5mhSH1z1yWG36DLFcXsVAdq+jmhI/VuBfWYzfNr3jPbH0lN2geECr/6CiTyF1c58bJUuCwNrtIjNC6KA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 15 Jun 2023 10:42:17 +0000
  • Ironport-data: A9a23:X01h5aycDzTLs1rj2Id6t+caxyrEfRIJ4+MujC+fZmUNrF6WrkUFm mccD2HSaPzeYzfyKtt0PYnko0kPscCHydI1TQpu/CAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHfykTrafYEidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw/zF8EsHUMja4mtC5QRgPK0T5TcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KWZK9 98qdWoAVCKKl92z5O/8buZNmst2eaEHPKtH0p1h5RfwKK9/BLvkGuDN79Ie2yosjMdTG/qYf 9AedTdkcBXHZVtIJ0sTD5U92uyvgxETcRUB8A7T+fVxvjaVlVMuuFTuGIO9ltiibMNZhEuH4 EnB+Hz0GEoyP92D0zuVtHmrg4cjmAuiAdhDTObiraACbFu73mhILx4HaV+ChMaiiFCCHM5eG mcP9X97xUQ13AnxJjXnZDW6qnOZuh8XW/JLDvY3rgqKz8L8/AKxFmUCCDlbZ7QOpMIwADAny FKNt9foHiB09q2YT2qH8bWZpi/0PjIaRVLufgcBRAoBptLk+Yc6i0uWSs45SfHqyNroBTv33 jaG6jAkgKkehtIK0KP9+k3bhzWrpd7CSQtdChjrY19JJzhRPOaND7FEI3CChRqcBO51lmW8g UU=
  • Ironport-hdrordr: A9a23:0HIGl622MCTh0m8Nj+wxRQqjBa9xeYIsimQD101hICG9Lfb0qy n+pp4mPEHP4wr5OEtOpTlPAtj4fZquz+8T3WB3B8beYOCGghrTEGgG1+ffKlLbak7DH4JmpM Jdmu1FeabN5DtB/LjHCWuDc+rIqePvmM7IuQ6d9QYUcegDUdAe0+4TMHf+LqQZfnghOXN0Lu v/2iIRzADQBUj/I/7LTkXsGIP41q/2vaOjRSRDKw8s6QGIgz/twLnmEyKA1hNbfyJTzawk+W 3llRW8wqm4qfm0xjLVymeWtv1t6Zfc4+oGIPbJptkeKz3qhArtTIN9W4eatDRwjPCz5E0smN zspQ5lG8ho8Xvecky8vBOo8Qj91zQF7WPk1Daj8DbeiP28YAh/J9tKhIpffBecw008vOtk2K YO+26CrZJYAT7JgSy4vrHzJltXv3vxhUBnvf8YjnRZX4dbQLhNrbYH9EcQNJsbBir15K0uDe ErJsDB4/R9d0+cchnizyJS6e3pek52MgaNQ0AEtMDQ+z9KnEphx09d/8AblmdozuNLd7B0o8 D/doh4nrBHScEbKYhnAv0afMexAmvRBTrRLWO7Oz3cZeE6EkOIj6SyzKQ+5emsdpBN5oA1go 79XFRRsnN3U17yCPeJwIZA/nn2MSSAtAzWu4NjDqVCy/jBrOKBC1zGdLluqbrvnxwnOLyZZx 7pU6gmRMMKLgPVaPJ0NkPFKt9vwEIlIb4oU+YAKiOzS/3wW/3XX8zgAYDuzenWYH8Zc1K6JE c/dx7OA+gFxnyXexbD8W3ssjXWCwPCwa4=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 15/06/2023 9:30 am, Jan Beulich wrote:
> On 14.06.2023 20:12, Andrew Cooper wrote:
>> On 13/06/2023 10:59 am, Jan Beulich wrote:
>>> On 12.06.2023 18:13, Andrew Cooper wrote:
>>>> The RSBA bit, "RSB Alternative", means that the RSB may use alternative
>>>> predictors when empty.  From a practical point of view, this mean 
>>>> "Retpoline
>>>> not safe".
>>>>
>>>> Enhanced IBRS (officially IBRS_ALL in Intel's docs, previously IBRS_ATT) 
>>>> is a
>>>> statement that IBRS is implemented in hardware (as opposed to the form
>>>> retrofitted to existing CPUs in microcode).
>>>>
>>>> The RRSBA bit, "Restricted-RSBA", is a combination of RSBA, and the eIBRS
>>>> property that predictions are tagged with the mode in which they were 
>>>> learnt.
>>>> Therefore, it means "when eIBRS is active, the RSB may fall back to
>>>> alternative predictors but restricted to the current prediction mode".  As
>>>> such, it's stronger statement than RSBA, but still means "Retpoline not 
>>>> safe".
>>>>
>>>> CPUs are not expected to enumerate both RSBA and RRSBA.
>>>>
>>>> Add feature dependencies for EIBRS and RRSBA.  While technically they're 
>>>> not
>>>> linked, absolutely nothing good can come of letting the guest see RRSBA
>>>> without EIBRS.  Nor a guest seeing EIBRS without IBRSB.  Furthermore, we 
>>>> use
>>>> this dependency to simplify the max derivation logic.
>>>>
>>>> The max policies gets RSBA and RRSBA unconditionally set (with the EIBRS
>>>> dependency maybe hiding RRSBA).  We can run any VM, even if it has been 
>>>> told
>>>> "somewhere you might run, Retpoline isn't safe".
>>>>
>>>> The default policies are more complicated.  A guest shouldn't see both 
>>>> bits,
>>>> but it needs to see one if the current host suffers from any form of RSBA, 
>>>> and
>>>> which bit it needs to see depends on whether eIBRS is visible or not.
>>>> Therefore, the calculation must be performed after sanitise_featureset().
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>> ---
>>>> CC: Jan Beulich <JBeulich@xxxxxxxx>
>>>> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
>>>> CC: Wei Liu <wl@xxxxxxx>
>>>>
>>>> v3:
>>>>  * Minor commit message adjustment.
>>>>  * Drop changes to recalculate_cpuid_policy().  Deferred to a later series.
>>> With this dropped, with the title not saying "max/default", and with
>>> the description also not mentioning "live" policies at all, I don't
>>> think this patch is self-consistent (meaning in particular: leaving
>>> aside the fact that there's no way right now to requests e.g. both
>>> RSBA and RRSBA for a guest; aiui it is possible for Dom0).
>>>
>>> As you may imagine I'm also curious why you decided to drop this.
>> Because when I tried doing levelling in Xapi, I remembered why I did it
>> the way I did in v1, and why the v2 way was wrong.
>>
>> Xen cannot safely edit what the toolstack provides, so must not. 
> And this is the part I don't understand: Why can't we correct the
> (EIBRS,RSBA,RRSBA) tuple to a combination that is "legal"? At least
> as long as ...
>
>> Instead, failing the set_policy() call is an option, and is what we want
>> to do longterm,
> ... we aren't there.
>
>> but also happens to be wrong too in this case. An admin
>> may know that a VM isn't using retpoline, and may need to migrate it
>> anyway for a number of reasons, so any safety checks need to be in the
>> toolstack, and need to be overrideable with something like --force.
> Possibly leading to an inconsistent policy exposed to a guest? I
> guess this may be the only option when we can't really resolve an
> ambiguity, but that isn't the case here, is it?

Wrong.  Xen does not have any knowledge of other hosts the VM might
migrate to.

So while Xen can spot problem combinations *on this host*, which way to
correct the problem combination depends on where the VM might migrate to.

Xen cannot safely correct a problem combination even if you don't wish
to allow the admin the ability to override the safety check.

>
>> I don't really associate "derive policies" with anything other than the
>> system policies.  Domain construction isn't any kind of derivation -
>> it's simply doing what the toolstack asks.
> Hmm, I see. To me, since we do certain adjustments, "derive" still
> fits there as well. But I'm not going to insist on a subject
> adjustment then, given that imo both ways of looking at things make
> some sense.

It's a problem that Xen ever made adjustments behind the toolstack's
back, and this decade of technical debt has been extremely difficult to
address.  I guess I still view it in terms of the end properties, not
the intermediate mess.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.