[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] x86/shutdown: change default reboot method preference

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Mon, 18 Sep 2023 18:00:41 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0+JSiLyydEbaukD5kRGTXd4mxUVTLMmmMm6k8K6qlhc=; b=SiHU5IAVCQz8TNvvduFmzITspeawR6BPjxJzrMb1Q0aZ+VgaopJqbj2p1blFwrHVqpdWEqpw077p1cFsKtlLCLsoyC6ehYnrfsN/uLXdq8p/feedXEWCODx4RWk+oHWbYRtbsUG1sy47hDyvJ3heI+dYPi9u1ge1/g3DRrjo/9Dcigffcbs7D/0P/iF+boLGCyPqj7EtA6qN2qF6WGKnmpQYFCdvg52HEer/+txUPuEjwn0b7P2vURJY6sQGDMYF5lSKs2iKdun3ujYGxp3rsvbnDv3OgEpQY89fz02PhNdj+Nr6OSZXiS3VrtyaHVID/GmBdIdJcrX5L0aG6ZDEWA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LcWLH1hH6Uw9bV9W0R6TRKNtUDXSzJHpVHMoCI1HKj5TbJQrR+5Z+PvnG1Z5Ygpsi2TPjzcTG9OUOub7S49Lfo381NNrwLVifBkyPTRIGG2AiXjlvNiaCnC8WvY1vdtOiV8fivK5zgwRC6gusX76AghWl9K/ieXRIND3OfbQLvgJhY30NWw6FRDh5pXpolHl/SJQRIfkdi31EYQkUb73QQTxGOEJGxgcGHvKeHaimJhR6OLCLe2Qc1yr85CjaqE96y6MUrmX31Ad+7PZvl3y4o7WMLq0K4ISunAr0SScbPwJZSaxyt9hCveTJ8TBjM5x5V6XY7t2PUs5ax9S8RyDEg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 18 Sep 2023 16:01:18 +0000
  • Ironport-data: A9a23:bpnmy64KPsXWlQXCK4yEcAxRtB7GchMFZxGqfqrLsTDasY5as4F+v mAbDDrUPvjeN2r2f9pwOo6x9BtX65PWx4djT1M+/3tnHi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRG/ykTraCY3gtLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9lU35pwehBtC5gZlPaES7AeH/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m1 PxDNQwNVR+/q/uczqiFY7V8mc8pI5y+VG8fkikIITDxK98DGMmGaYOaoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6OnEoojuiF3Nn9I7RmQe1PmUmVv CTe9nnRCRAGLt2PjzGC9xpAg8eWx36kAd1LT+zQGvhCqlnI61QeWDQtaAXnmveVulGjXuJ2E hlBksYphe1onKCxdfH/VRClpH+PvjYHRsFdVeY97Wml1a788wufQG8eQVZpeNEg8cM7WzEu/ luIhM/yQyxitqWPTnCQ/avSqim9URX5NkcHbC4ACAEDs9/qpdhqigqVF4gzVqmoktfyBDf8h SiQqzQzjKkSishN0Lin+VfAgHSnoZ2hohMJ2zg7l1mNtmtRDLNJraTxgbQHxZ6s9Lqkc2Q=
  • Ironport-hdrordr: A9a23:R2jOkqyan+o3YUs5PjXaKrPw6L1zdoMgy1knxilNoHxuH/Bw9v re+cjzsCWftN9/Yh4dcLy7VpVoIkmsl6Kdg7NwAV7KZmCP1FdARLsI0WKI+UyCJ8SRzI9gPa cLSdkFNDXzZ2IK8PoTNmODYqodKNrsytHWuQ/HpU0dKT2D88tbnn9E4gDwKDwQeCB2QaAXOb C7/cR9qz+paR0sH7+G7ilsZZmkmzXT/qiWGCI7Ow==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Mon, Sep 18, 2023 at 05:44:47PM +0200, Jan Beulich wrote:
> On 18.09.2023 17:09, Roger Pau Monné wrote:
> > On Mon, Sep 18, 2023 at 02:26:51PM +0200, Jan Beulich wrote:
> >> On 15.09.2023 09:43, Roger Pau Monne wrote:
> >>> The current logic to chose the preferred reboot method is based on the 
> >>> mode Xen
> >>> has been booted into, so if the box is booted from UEFI, the preferred 
> >>> reboot
> >>> method will be to use the ResetSystem() run time service call.
> >>>
> >>> However, that method seems to be widely untested, and quite often leads 
> >>> to a
> >>> result similar to:
> >>>
> >>> Hardware Dom0 shutdown: rebooting machine
> >>> ----[ Xen-4.18-unstable  x86_64  debug=y  Tainted:   C    ]----
> >>> CPU:    0
> >>> RIP:    e008:[<0000000000000017>] 0000000000000017
> >>> RFLAGS: 0000000000010202   CONTEXT: hypervisor
> >>> [...]
> >>> Xen call trace:
> >>>    [<0000000000000017>] R 0000000000000017
> >>>    [<ffff83207eff7b50>] S ffff83207eff7b50
> >>>    [<ffff82d0403525aa>] F machine_restart+0x1da/0x261
> >>>    [<ffff82d04035263c>] F apic_wait_icr_idle+0/0x37
> >>>    [<ffff82d040233689>] F smp_call_function_interrupt+0xc7/0xcb
> >>>    [<ffff82d040352f05>] F call_function_interrupt+0x20/0x34
> >>>    [<ffff82d04033b0d5>] F do_IRQ+0x150/0x6f3
> >>>    [<ffff82d0402018c2>] F common_interrupt+0x132/0x140
> >>>    [<ffff82d040283d33>] F 
> >>> arch/x86/acpi/cpu_idle.c#acpi_idle_do_entry+0x113/0x129
> >>>    [<ffff82d04028436c>] F 
> >>> arch/x86/acpi/cpu_idle.c#acpi_processor_idle+0x3eb/0x5f7
> >>>    [<ffff82d04032a549>] F arch/x86/domain.c#idle_loop+0xec/0xee
> >>>
> >>> ****************************************
> >>> Panic on CPU 0:
> >>> FATAL TRAP: vector = 6 (invalid opcode)
> >>> ****************************************
> >>>
> >>> Which in most cases does lead to a reboot, however that's unreliable.
> >>>
> >>> Change the default reboot preference to prefer ACPI over UEFI if 
> >>> available and
> >>> not in reduced hardware mode.
> >>>
> >>> This is in line to what Linux does, so it's unlikely to cause issues on 
> >>> current
> >>> and future hardware, since there's a much higher chance of vendors testing
> >>> hardware with Linux rather than Xen.
> >>
> >> I certainly appreciate this as a goal. However, ...
> >>
> >>> Add a special case for one Acer model that does require being rebooted 
> >>> using
> >>> ResetSystem().  See Linux commit 0082517fa4bce for rationale.
> >>
> >> ... this is precisely what I'd like to avoid: Needing workarounds on spec-
> >> conforming systems.
> > 
> > I wouldn't call that platform spec-conforming when ACPI reboot doesn't
> > work reliably on it either.  I haven't been able to find a wording on
> > the UEFI specification that mandates using ResetSystem() in order to
> > reset the platform.  I've only found this wording:
> > 
> > "... then the UEFI OS Loader has taken control of the platform, and
> > EFI will not regain control of the system until the platform is reset.
> > One method of resetting the platform is through the EFI Runtime
> > Service ResetSystem()."
> > 
> > And this reads to me as a mere indication that one option is to use
> > ResetSystem(), but that there are likely other platform specific reset
> > methods that are suitable to be used for OSes and still be compliant
> > with the UEFI spec.
> 
> See my reference to ia64.

Right, I understand that on ia64 things might have been different, due
to the platform lacking any other reboot method, but I don't see how
this applies to x86 where there are other reboot methods.

> With ACPI_FADT_RESET_REGISTER not set, I don't
> think there would have been any other non-custom reboot method there. So
> while perhaps not mandated, it's still the designated abstraction layer.

Again the spec doesn't mention that ResetSystem() must be used, so
while it would make sense if it was reliable, it clearly isn't.  In
which case resorting to the more reliable method should always be
preferred, specially if the spec is so lax as to call ResetSystem()
"One method of resetting the platform".

We should also take into account that vendors are much more likely to
test new hardware with Linux rather than Xen, and hence it's low
probability that the default Linux reboot method doesn't work on a
platform, because that would hurt the vendor.

> >>> --- a/xen/arch/x86/shutdown.c
> >>> +++ b/xen/arch/x86/shutdown.c
> >>> @@ -150,19 +150,20 @@ static void default_reboot_type(void)
> >>>  
> >>>      if ( xen_guest )
> >>>          reboot_type = BOOT_XEN;
> >>> +    else if ( !acpi_disabled && !acpi_gbl_reduced_hardware )
> >>> +        reboot_type = BOOT_ACPI;
> >>>      else if ( efi_enabled(EFI_RS) )
> >>>          reboot_type = BOOT_EFI;
> >>> -    else if ( acpi_disabled )
> >>> -        reboot_type = BOOT_KBD;
> >>>      else
> >>> -        reboot_type = BOOT_ACPI;
> >>> +        reboot_type = BOOT_KBD;
> >>>  }
> >>>  
> >>>  static int __init cf_check override_reboot(const struct dmi_system_id *d)
> >>>  {
> >>>      enum reboot_type type = (long)d->driver_data;
> >>>  
> >>> -    if ( type == BOOT_ACPI && acpi_disabled )
> >>> +    if ( (type == BOOT_ACPI && acpi_disabled) ||
> >>> +         (type == BOOT_EFI && !efi_enabled(EFI_RS)) )
> >>>          type = BOOT_KBD;
> >>
> >> I guess I don't follow this adjustment: Why would we fall back to KBD
> >> first thing? Wouldn't it make sense to try ACPI first if EFI cannot
> >> be used?
> > 
> > This is IMO a weird corner case, we have a explicit request to use one
> > reboot method, but we cannot do so because the component is disabled.
> > I've assumed that falling back to KBD was the safest option.
> > 
> > For example if we have to explicitly reboot using UEFI it's likely
> > because ACPI (the proposed default method) is not suitable, and hence
> > falling back to ACPI here won't help.
> 
> Perhaps, but falling back to KBD isn't necessarily going to work either.
> And it might well be that on said Acer no reboot method would actually
> yield consistent behavior, except for ResetSystem(). The fallback logic
> here as well as that in machine_restart() is all based on guesswork
> anyway.

Indeed, hence it seemed a suitable and less risky option to fallback
to KBD in both cases.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.