[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC 5/6] capabilities: add dom0 cpu faulting disable

  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 8 Aug 2023 17:30:30 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kt2S1S0jn+nKaJ0uq97aWIlcDX7aRs+BnFNHWu+f7zU=; b=Tf9iYGH/3v2W6gfKboLZVTun9IaA9AmXUwjbHJJHI073E8rnuMf8SZlx2V+juaWo0IL6rNqYFwAfJBWvjH/XACBNb/UFBwx8w/n61jll9n8/qwX4BZgTAwXF+xOwvPQYwSRb1gCu3bb94nJyIOhoajy28CQgcs5VnSy46ikufLehrI4+PCRlECdYa/21oROsBmmahZgqZ7pHtJKcVoP+qYo/0wkmtTjTWG1+O9VlAPJQzz6WGh06J3f6hyy4CKPk3944stDRCra8U1scpkeqAmJpgeL2t7a1C5jKtoqwE77KUUs+yMhc22MuxIvQnwV8/nlo9yvU5RVs4ukwB62nOg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OcPcTPG+xXurrrJTlJYv850/j9QoH3YflLGl8DB2pcbQ8gMQ615IxvI8+C3PbTAdyeFf5iTXNFP3c2BUVUHMdPvih+AATNPufBSc6iuYyJeJ9ECE5n44E38Rb/v/sOw+NMMYeFFIfrn/mMhyizHFC2DRHAPUGZeRBa8lIVYYS451sNkWP7FU6/f4kZ7x/d5SGuulMQVRWtThJ3i05vAh0Q3mtcsaB6BKaCowh+Ga6cLCQYyyLZHy8jF06lF+6bW0nbVgWLyolwk4mQK9NGcS4ikgWg3+Ac5R6Vl5rbpJSIGYNq1rvmemQymmmj6yEvT7mg9zKUOl4bGYwDEn/bmUNg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 08 Aug 2023 15:30:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 01.08.2023 22:20, Daniel P. Smith wrote:
> --- a/xen/arch/x86/cpu/common.c
> +++ b/xen/arch/x86/cpu/common.c
> @@ -164,48 +164,46 @@ static void set_cpuid_faulting(bool enable)
>  
>  void ctxt_switch_levelling(const struct vcpu *next)
>  {
> -     const struct domain *nextd = next ? next->domain : NULL;
> -     bool enable_cpuid_faulting;
> -
> -     if (cpu_has_cpuid_faulting ||
> -         boot_cpu_has(X86_FEATURE_CPUID_USER_DIS)) {
> -             /*
> -              * No need to alter the faulting setting if we are switching
> -              * to idle; it won't affect any code running in idle context.
> -              */
> -             if (nextd && is_idle_domain(nextd))
> -                     return;
> -             /*
> -              * We *should* be enabling faulting for PV control domains.
> -              *
> -              * The domain builder has now been updated to not depend on
> -              * seeing host CPUID values.  This makes it compatible with
> -              * PVH toolstack domains, and lets us enable faulting by
> -              * default for all PV domains.
> -              *
> -              * However, as PV control domains have never had faulting
> -              * enforced on them before, there might plausibly be other
> -              * dependenices on host CPUID data.  Therefore, we have left
> -              * an interim escape hatch in the form of
> -              * `dom0=no-cpuid-faulting` to restore the older behaviour.
> -              */
> -             enable_cpuid_faulting = nextd && (opt_dom0_cpuid_faulting ||
> -                                               !is_control_domain(nextd) ||
> -                                               !is_pv_domain(nextd)) &&
> -                                     (is_pv_domain(nextd) ||
> -                                      next->arch.msrs->
> -                                      misc_features_enables.cpuid_faulting);
> -
> -             if (cpu_has_cpuid_faulting)
> -                     set_cpuid_faulting(enable_cpuid_faulting);
> -             else
> -                     amd_set_cpuid_user_dis(enable_cpuid_faulting);
> -
> -             return;
> -     }
> -
> -     if (ctxt_switch_masking)
> -             alternative_vcall(ctxt_switch_masking, next);
> +    const struct domain *nextd = next ? next->domain : NULL;
> +    bool enable_cpuid_faulting;
> +
> +    if ( cpu_has_cpuid_faulting ||
> +         boot_cpu_has(X86_FEATURE_CPUID_USER_DIS) ) {
> +        /*
> +        * No need to alter the faulting setting if we are switching
> +        * to idle; it won't affect any code running in idle context.
> +        */
> +        if (nextd && is_idle_domain(nextd))
> +            return;
> +        /*
> +        * We *should* be enabling faulting for PV control domains.
> +        *
> +        * The domain builder has now been updated to not depend on
> +        * seeing host CPUID values.  This makes it compatible with
> +        * PVH toolstack domains, and lets us enable faulting by
> +        * default for all PV domains.
> +        *
> +        * However, as PV control domains have never had faulting
> +        * enforced on them before, there might plausibly be other
> +        * dependenices on host CPUID data.  Therefore, we have left
> +        * an interim escape hatch in the form of
> +        * `dom0=no-cpuid-faulting` to restore the older behaviour.
> +        */
> +        enable_cpuid_faulting = nextd &&
> +            domain_has_cap(nextd, CAP_DISABLE_CPU_FAULT) &&
> +            (is_pv_domain(nextd) ||
> +            next->arch.msrs->misc_features_enables.cpuid_faulting);
> +
> +        if (cpu_has_cpuid_faulting)
> +            set_cpuid_faulting(enable_cpuid_faulting);
> +        else
> +            amd_set_cpuid_user_dis(enable_cpuid_faulting);
> +
> +        return;
> +    }
> +
> +    if (ctxt_switch_masking)
> +        alternative_vcall(ctxt_switch_masking, next);
>  }

I don't think I can spot what exactly changes here. Please avoid re-
indenting the entire function.

> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -907,6 +907,10 @@ static struct domain *__init create_dom0(const module_t 
> *image,
>  
>      d->role |= ROLE_UNBOUNDED_DOMAIN;
>  
> +    if ( !opt_dom0_cpuid_faulting &&
> +         !domain_set_cap(d, CAP_DISABLE_CPU_FAULT) )
> +        printk(XENLOG_WARNING "failed to set CPU faulting on Dom %pd\n", d);

No "Dom" please when you use %pd. Also I don't think you mean "set". Plus
we commonly use "%pd: xyz failed\n".

> --- a/xen/include/xen/sched.h
> +++ b/xen/include/xen/sched.h
> @@ -472,7 +472,8 @@ struct domain
>  #define ROLE_HARDWARE_DOMAIN   (1U<<2)
>  #define ROLE_XENSTORE_DOMAIN   (1U<<3)
>      uint8_t          role;
> -#define CAP_CONSOLE_IO  (1U<<0)
> +#define CAP_CONSOLE_IO         (1U<<0)
> +#define CAP_DISABLE_CPU_FAULT  (1U<<1)
>      uint8_t          capabilities;
>      /* Is this guest being debugged by dom0? */
>      bool             debugger_attached;
> @@ -1160,6 +1161,11 @@ static always_inline bool domain_set_cap(
>      case CAP_CONSOLE_IO:
>          d->capabilities |= cap;
>          break;
> +    case CAP_DISABLE_CPU_FAULT:
> +        /* Disabling cpu faulting is only allowed for a PV control domain. */
> +        if ( is_pv_domain(d) && is_control_domain(d) )
> +            d->capabilities |= cap;
> +        break;

How do you express the x86-ness of this? Plus shouldn't this fail when
either of the two conditions isn't met?

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.