Xen project Mailing List

Re: [Xen-devel] [PATCH v9 15/15] microcode: block #NMI handling when loading an ucode

From: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>

Date: Wed, 28 Aug 2019 09:52:00 +0100

Authentication-results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=sergey.dyasli@xxxxxxxxxx; spf=Pass smtp.mailfrom=sergey.dyasli@xxxxxxxxxx; spf=None smtp.helo=postmaster@xxxxxxxxxxxxxxx

Autocrypt: addr=sergey.dyasli@xxxxxxxxxx; keydata= mQINBFtMVHEBEADc/hZcLexrB6vGTdGqEUsYZkFGQh6Z1OO7bCtM1go1RugSMeq9tkFHQSOc 9c7W9NVQqLgn8eefikIHxgic6tGgKoIQKcPuSsnqGao2YabsTSSoeatvmO5HkR0xGaUd+M6j iqv3cD7/WL602NhphT4ucKXCz93w0TeoJ3gleLuILxmzg1gDhKtMdkZv6TngWpKgIMRfoyHQ jsVzPbTTjJl/a9Cw99vuhFuEJfzbLA80hCwhoPM+ZQGFDcG4c25GQGQFFatpbQUhNirWW5b1 r2yVOziSJsvfTLnyzEizCvU+r/Ek2Kh0eAsRFr35m2X+X3CfxKrZcePxzAf273p4nc3YIK9h cwa4ZpDksun0E2l0pIxg/pPBXTNbH+OX1I+BfWDZWlPiPxgkiKdgYPS2qv53dJ+k9x6HkuCy i61IcjXRtVgL5nPGakyOFQ+07S4HIJlw98a6NrptWOFkxDt38x87mSM7aSWp1kjyGqQTGoKB VEx5BdRS5gFdYGCQFc8KVGEWPPGdeYx9Pj2wTaweKV0qZT69lmf/P5149Pc81SRhuc0hUX9K DnYBa1iSHaDjifMsNXKzj8Y8zVm+J6DZo/D10IUxMuExvbPa/8nsertWxoDSbWcF1cyvZp9X tUEukuPoTKO4Vzg7xVNj9pbK9GPxSYcafJUgDeKEIlkn3iVIPwARAQABtChTZXJnZXkgRHlh c2xpIDxzZXJnZXkuZHlhc2xpQGNpdHJpeC5jb20+iQJOBBMBCgA4FiEEkI7HMI5EbM2FLA1L Aa+w5JvbyusFAltMVHECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQAa+w5JvbyuuQ JBAAry/oRK6m0I+ck1Tarz9a1RrF73r1YoJUk5Bw+PSxsBJOPp3vDeAz3Kqw58qmBXeNlMU4 1cqAxFxCCKMtER1gpmrKWBA1/H1ZoBRtzhaHgPTQLyR7LB1OgdpgwEOjN1Q5gME8Pk21y/3N cG5YBgD/ZHbq8nWS/G3r001Ie3nX55uacGk/Ry175cS48+asrerShKMDNMT1cwimo9zH/3Lm RTpWloh2dG4jjwtCXqB7s+FEE5wQVCpPp9p55+9pPd+3DXmsQEcJ/28XHo/UJW663WjRlRc4 wgPwiC9Co1HqaMKSzdPpZmI5D4HizWH8jF7ppUjWoPapwk4dEA7Al0vx1Bz3gbJAL8DaRgQp H4j/16ifletfGUNbHJR2vWljZ5SEf2vMVcdubf9eFUfBF/9OOR1Kcj1PISP8sPhcP7oCfFtH RcxXh1OStrRFtltJt2VlloKXAUggdewwyyD4xl9UHCfI4lSexOK37wNSQYPQcVcOS1bl4NhQ em6pw2AC32NsnQE5PmczFADDIpWhO/+WtkTFeE2HHfAn++y3YDtKQd7xes9UJjQNiGziArST l6Zrx4/nShVLeYRVW76l27gI5a8BZLWwBVRsWniGM50OOJULvSag7kh+cjsrXXpNuA4rfEoB Bxr7pso9e5YghupDc8XftsYd7mlAgOTCAC8uZme5Ag0EW0xUcQEQAMKi97v3DwwPgYVPYIbQ JAvoMgubJllC9RcE0PQsE6nEKSrfOT6Gh5/LHOXLbQI9nzU/xdr6kMfwbYVTnZIY/SwsLrJa gSKm64t11MjC1Vf03/sncx1tgI7nwqMMIAYLsXnQ9X/Up5L/gLO2YDIPxrQ6g4glgRYPT53i r6/hTz3dlpqyPCorpuF+WY7P2ujhlFlXCAaD6btPPM/9LZSmI0xS4aCBLH+pZeCr0UGSMhsX JYN0QRLjfsIDGyqaXVH9gwV2Hgsq6z8fNPQlBc3IpDvfXa1rYtgldYBfG521L3wnsMcKoFSr R5dpH7Jtvv5YBuAk8r571qlMhyAmVKiEnc+RonWl503D5bAHqNmFNjV248J5scyRD/+BcYLI 2CFG28XZrCvjxq3ux5hpmg2fCu+y98h6/yuwB/JhbFlDOSoluEpysiEL3R5GTKbxOF664q5W fiSObxNONxs86UtghqNDRUJgyS0W6TfykGOnZDVYAC9Gg8SbQDta1ymA0q76S/NG2MrJEOIr 1GtOr/UjNv2x4vW56dzX/3yuhK1ilpgzh1q504ETC6EKXMaFT8cNgsMlk9dOvWPwlsIJ249+ PizMDFGITxGTIrQAaUBO+HRLSBYdHNrHJtytkBoTjykCt7M6pl7l+jFYjGSw4fwexVy0MqsD AZ2coH82RTPb6Q7JABEBAAGJAjYEGAEKACAWIQSQjscwjkRszYUsDUsBr7Dkm9vK6wUCW0xU cQIbDAAKCRABr7Dkm9vK6+9uD/9Ld3X5cvnrwrkFMddpjFKoJ4yphtX2s+EQfKT6vMq3A1dJ tI7zHTFm60uBhX6eRbQow8fkHPcjXGJEoCSJf8ktwx/HYcBcnUK/aulHpvHIIYEma7BHry4x L+Ap7oBbBNiraS3Wu1k+MaX07BWhYYkpu7akUEtaYsCceVc4vpYNITUzPYCHeMwc5pLICA+7 VdI1rrTSAwlCtLGBt7ttbvaAKN4dysiN+/66Hlxnn8n952lZdG4ThPPzafG50EgcTa+dASgm tc6HaQAmJiwb4iWUOoUoM+udLRHcN6cE0bQivyH1bqF4ROeFBRz00MUJKvzUynR9E50F9hmd DOBJkyM3Z5imQ0RayEkRHhlhj7uECaojnUeewq4zjpAg2HTSMkdEzKRbdMEyXCdQXFnSCmUB 5yMIULuDbOODWo3EufExLjAKzIRWEKQ/JidLzO6hrhlQffsJ7MPTU+Hg7WxqWfn4zhuUcIQB SlkiRMalSiJITC2jG7oQRRh9tyNaDMkKzTbeFtHKRmUUAuhE0LBXP8Wc+5W7b3WOf2SO8JMR 4TqDZ0K06s66S5fOTW0h56iCCxTsAnRvM/tA4SERyRoFs/iTqJzboskZY0yKeWV4/IQxfOyC YwdU3//zANM1ZpqeE/8lnW/kx+fyzVyEioLSwkjDvdG++4GQ5r6PHQ7BbdEWhA==

Cc: "sergey.dyasli@xxxxxxxxxx >> Sergey Dyasli" <sergey.dyasli@xxxxxxxxxx>, Ashok Raj <ashok.raj@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 28 Aug 2019 08:52:33 +0000

Ironport-sdr: MB5MFhvdb6+hWjMYqYVOaPd4KCPraFHioOy44TnrHba4YFr5GFx3ikCUnzZAYEjybqX7AArIDF uIrUhFiflrf4MuTcJbBYxlezkQ5YkmuY2x3/m6mu+b0CwlPQeV1mvXMoNCJX+GHOCRflXFP9Ae j/yx75azUuFUKHIR3A83OUWiJ67ozOwaCo/OmAr8ybHNbWTw8hpaqBOINR/EzEHTt9Xl0UJOat EM9nwKMHcNZawQokPIMdziJDM6Y/Khtfcq9aLYrT9Cwf7EEk4bHIOXlaiZHqRthc4KZ5h8K689 FrA=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Openpgp: preference=signencrypt

On 27/08/2019 05:52, Chao Gao wrote: > On Mon, Aug 26, 2019 at 04:07:59PM +0800, Chao Gao wrote: >> On Fri, Aug 23, 2019 at 09:46:37AM +0100, Sergey Dyasli wrote: >>> On 19/08/2019 02:25, Chao Gao wrote: >>>> register an nmi callback. And this callback does busy-loop on threads >>>> which are waiting for loading completion. Control threads send NMI to >>>> slave threads to prevent NMI acceptance during ucode loading. >>>> >>>> Signed-off-by: Chao Gao <chao.gao@xxxxxxxxx> >>>> --- >>>> Changes in v9: >>>> - control threads send NMI to all other threads. Slave threads will >>>> stay in the NMI handling to prevent NMI acceptance during ucode >>>> loading. Note that self-nmi is invalid according to SDM. >>> >>> To me this looks like a half-measure: why keep only slave threads in >>> the NMI handler, when master threads can update the microcode from >>> inside the NMI handler as well? >> >> No special reason. Because the issue we want to address is that slave >> threads might go to handle NMI and access MSRs when master thread is >> loading ucode. So we only keep slave threads in the NMI handler. >> >>> >>> You mention that self-nmi is invalid, but Xen has self_nmi() which is >>> used for apply_alternatives() during boot, so can be trusted to work. >> >> Sorry, I meant using self shorthand to send self-nmi. I tried to use >> self shorthand but got APIC error. And I agree that it is better to >> make slave thread call self_nmi() itself. >> >>> >>> I experimented a bit with the following approach: after loading_state >>> becomes LOADING_CALLIN, each cpu issues a self_nmi() and rendezvous >>> via cpu_callin_map into LOADING_ENTER to do a ucode update directly in >>> the NMI handler. And it seems to work. >>> >>> Separate question is about the safety of this approach: can we be sure >>> that a ucode update would not reset the status of the NMI latch? I.e. >>> can it cause another NMI to be delivered while Xen already handles one? >> >> Ashok, what's your opinion on Sergey's approach and his concern? > > Hi Sergey, > > I talked with Ashok. We think your approach is better. I will follow > your approach in v10. It would be much helpful if you post your patch > so that I can just rebase it onto other patches. Sure thing. The below code is my first attempt at improving the original patch. It can benefit from some further refactoring. --- xen/arch/x86/microcode.c | 108 ++++++++++++++++++++++++++++----------- 1 file changed, 79 insertions(+), 29 deletions(-) diff --git a/xen/arch/x86/microcode.c b/xen/arch/x86/microcode.c index 91f9e811f8..ba2363406f 100644 --- a/xen/arch/x86/microcode.c +++ b/xen/arch/x86/microcode.c @@ -36,8 +36,10 @@ #include <xen/earlycpio.h> #include <xen/watchdog.h> +#include <asm/apic.h> #include <asm/delay.h> #include <asm/msr.h> +#include <asm/nmi.h> #include <asm/processor.h> #include <asm/setup.h> #include <asm/microcode.h> @@ -232,6 +234,7 @@ DEFINE_PER_CPU(struct cpu_signature, cpu_sig); */ static cpumask_t cpu_callin_map; static atomic_t cpu_out, cpu_updated; +struct microcode_patch *nmi_patch; /* * Return a patch that covers current CPU. If there are multiple patches, @@ -337,15 +340,25 @@ static int microcode_update_cpu(const struct microcode_patch *patch) return err; } +static void slave_thread_work(void) +{ + /* Do nothing, just wait */ + while ( loading_state != LOADING_EXIT ) + cpu_relax(); +} + static int slave_thread_fn(void) { - unsigned int cpu = smp_processor_id(); unsigned int master = cpumask_first(this_cpu(cpu_sibling_mask)); while ( loading_state != LOADING_CALLIN ) + { + if ( loading_state == LOADING_EXIT ) + return 0; cpu_relax(); + } - cpumask_set_cpu(cpu, &cpu_callin_map); + self_nmi(); while ( loading_state != LOADING_EXIT ) cpu_relax(); @@ -356,30 +369,35 @@ static int slave_thread_fn(void) return 0; } -static int master_thread_fn(const struct microcode_patch *patch) +static void master_thread_work(void) { - unsigned int cpu = smp_processor_id(); - int ret = 0; - - while ( loading_state != LOADING_CALLIN ) - cpu_relax(); - - cpumask_set_cpu(cpu, &cpu_callin_map); + int ret; while ( loading_state != LOADING_ENTER ) + { + if ( loading_state == LOADING_EXIT ) + return; cpu_relax(); + } - /* - * If an error happened, control thread would set 'loading_state' - * to LOADING_EXIT. Don't perform ucode loading for this case - */ - if ( loading_state == LOADING_EXIT ) - return ret; - - ret = microcode_ops->apply_microcode(patch); + ret = microcode_ops->apply_microcode(nmi_patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); +} + +static int master_thread_fn(const struct microcode_patch *patch) +{ + int ret = 0; + + while ( loading_state != LOADING_CALLIN ) + { + if ( loading_state == LOADING_EXIT ) + return ret; + cpu_relax(); + } + + self_nmi(); while ( loading_state != LOADING_EXIT ) cpu_relax(); @@ -387,35 +405,40 @@ static int master_thread_fn(const struct microcode_patch *patch) return ret; } -static int control_thread_fn(const struct microcode_patch *patch) +static void control_thread_work(void) { - unsigned int cpu = smp_processor_id(), done; - unsigned long tick; int ret; - /* Allow threads to call in */ - loading_state = LOADING_CALLIN; - smp_mb(); - - cpumask_set_cpu(cpu, &cpu_callin_map); - /* Waiting for all threads calling in */ ret = wait_for_condition(wait_cpu_callin, (void *)(unsigned long)num_online_cpus(), MICROCODE_CALLIN_TIMEOUT_US); if ( ret ) { loading_state = LOADING_EXIT; - return ret; + return; } /* Let master threads load the given ucode update */ loading_state = LOADING_ENTER; smp_mb(); - ret = microcode_ops->apply_microcode(patch); + ret = microcode_ops->apply_microcode(nmi_patch); if ( !ret ) atomic_inc(&cpu_updated); atomic_inc(&cpu_out); +} + +static int control_thread_fn(const struct microcode_patch *patch) +{ + unsigned int done; + unsigned long tick; + int ret; + + /* Allow threads to call in */ + loading_state = LOADING_CALLIN; + smp_mb(); + + self_nmi(); tick = rdtsc_ordered(); /* Waiting for master threads finishing update */ @@ -481,12 +504,35 @@ static int do_microcode_update(void *patch) return ret; } +static int microcode_nmi_callback(const struct cpu_user_regs *regs, int cpu) +{ + unsigned int master = cpumask_first(this_cpu(cpu_sibling_mask)); + unsigned int controller = cpumask_first(&cpu_online_map); + + /* System-generated NMI, will be ignored */ + if ( loading_state == LOADING_PREPARE ) + return 0; + + ASSERT(loading_state == LOADING_CALLIN); + cpumask_set_cpu(cpu, &cpu_callin_map); + + if ( cpu == controller ) + control_thread_work(); + else if ( cpu == master ) + master_thread_work(); + else + slave_thread_work(); + + return 0; +} + int microcode_update(XEN_GUEST_HANDLE_PARAM(const_void) buf, unsigned long len) { int ret; void *buffer; unsigned int cpu, updated; struct microcode_patch *patch; + nmi_callback_t *saved_nmi_callback; if ( len != (uint32_t)len ) return -E2BIG; @@ -551,6 +597,9 @@ int microcode_update(XEN_GUEST_HANDLE_PARAM(const_void) buf, unsigned long len) * watchdog timeout. */ watchdog_disable(); + + nmi_patch = patch; + saved_nmi_callback = set_nmi_callback(microcode_nmi_callback); /* * Late loading dance. Why the heavy-handed stop_machine effort? * @@ -563,6 +612,7 @@ int microcode_update(XEN_GUEST_HANDLE_PARAM(const_void) buf, unsigned long len) * conservative and good. */ ret = stop_machine_run(do_microcode_update, patch, NR_CPUS); + set_nmi_callback(saved_nmi_callback); watchdog_enable(); updated = atomic_read(&cpu_updated); -- 2.17.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.