Xen project Mailing List

Re: [PATCH v2 3/3] svm/nestedsvm: Introduce nested capabilities bit

From: George Dunlap <george.dunlap@xxxxxxxxx>

Date: Wed, 27 Mar 2024 17:01:15 +0000

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Wed, 27 Mar 2024 17:01:37 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Mar 18, 2024 at 2:17 PM Jan Beulich <jbeulich@xxxxxxxx> wrote: > > On 13.03.2024 13:24, George Dunlap wrote: > > In order to make implementation and testing tractable, we will require > > specific host functionality. Add a nested_virt bit to hvm_funcs.caps, > > and return an error if a domain is created with nested virt and this > > bit isn't set. Create VMX and SVM callbacks to be executed from > > start_nested_svm(), which is guaranteed to execute after all > > Nit: nestedhvm_setup() (or, with different wording, start_nested_{svm,vmx}()). Oops, fixed. > > --- a/xen/arch/x86/domain.c > > +++ b/xen/arch/x86/domain.c > > @@ -673,6 +673,12 @@ int arch_sanitise_domain_config(struct > > xen_domctl_createdomain *config) > > */ > > config->flags |= XEN_DOMCTL_CDF_oos_off; > > > > + if ( nested_virt && !hvm_nested_virt_supported() ) > > + { > > + dprintk(XENLOG_INFO, "Nested virt requested but not available\n"); > > + return -EINVAL; > > + } > > + > > if ( nested_virt && !hap ) > > { > > dprintk(XENLOG_INFO, "Nested virt not supported without HAP\n"); > > As mentioned in reply to v1, I think what both start_nested_{svm,vmx}() check > is redundant with this latter check. I think that check isn't necessary there > (yet unlike suggested in reply to v1 I don't think anymore that the check here > can alternatively be dropped). And even if it was to be kept for some reason, > I'm having some difficulty seeing why vendor code needs to do that check, when > nestedhvm_setup() could do it for both of them. I'm having a bit of trouble resolving the antecedents in this paragraph (what "this" and "there" are referring to). Are you saying that we should set hvm_funcs.caps.nested_virt to 'true' even if the hardware doesn't support HAP, because we check that here? That seems like a very strange way to go about things; hvm_funcs.caps should reflect the actual capabilities of the hardware. Suppose at some point we want to expose nested virt capability to the toolstack -- wouldn't it make more sense to be able to just read `hvm_funcs.caps.nested_virt`, rather than having to remember to && it with `hvm_funcs.caps.hap`? And as you say, you can't get rid of the HAP check here, because we also want to deny nested virt if the admin deliberately created a guest in shadow mode on a system that has HAP available. So it's not redundant: one is checking the capabilities of the system, the other is checking the requested guest configuration. As to why to have each vendor independent code check for HAP -- there are in fact two implementations of the code; it's nice to be able to look in one place for each implementation to determine the requirements. Additionally, it would be possible, in the future, for one of the nested virt implementations to enable shadow mode, while the other one didn't. The current arrangement makes that easy. > > --- a/xen/arch/x86/hvm/nestedhvm.c > > +++ b/xen/arch/x86/hvm/nestedhvm.c > > @@ -150,6 +150,16 @@ static int __init cf_check nestedhvm_setup(void) > > __clear_bit(0x80, shadow_io_bitmap[0]); > > __clear_bit(0xed, shadow_io_bitmap[1]); > > > > + /* > > + * NB this must be called after all command-line processing has been > > + * done, so that if (for example) HAP is disabled, nested virt is > > + * disabled as well. > > + */ > > + if ( cpu_has_vmx ) > > + start_nested_vmx(&hvm_funcs); > > + else if ( cpu_has_svm ) > > + start_nested_svm(&hvm_funcs); > > Instead of passing the pointer, couldn't you have the functions return > bool, and then set hvm_funcs.caps.nested_virt from that? Passing that > pointer looks somewhat odd to me. For one, it makes start_nested_XXX symmetric to start_XXX, which also has access to the full hvm_funcs structure (albeit in the former case because it's creating the structure). For two, both of them need to read caps.hap. For three, it's just more flexible -- there may be future things that we want to modify in the start_nested_*() functions. If we did as you suggest, and then added (say) caps.nested_virt_needs_hap, then we'd either need to add a second function, or refactor it to look like this. > Is there a reason to use direct calls here rather than a true hook > (seeing that hvm_funcs must have been populated by the time we make it > here)? I understand we're (remotely) considering to switch away from > using hooks at some point, but right now this feels somewhat > inconsistent if not further justified. Again it mimics the calls to start_vmx/svm in hvm_enable. But I could look at adding a function pointer to see if it works. -George

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.