Xen project Mailing List

Re: [RFC PATCH] xen: EXPERT clean-up

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Rich Persaud <persaur@xxxxxxxxx>

From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Date: Wed, 4 Nov 2020 16:57:11 -0500

Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx> header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1604527037; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=AVIeUoUbZjrTw79cxyPF13nENl8IE/JbmmTQieR44vY=; b=CIHFCpLnAzdUMqEVawGs8VBg1mZ3z2LRumeHCsIQh5+z4LADKYmOpMc7xsWTMKhyW0RyrHSiqwt07YPtWD5jLGt4Ms6f3ojG9NRUa0Zk2injdvSsignPCQke1ru3Zt71BieZfDiLtQpCxYGz9b5tDmRCCGRQWUd9073Iva22HdU=

Arc-seal: i=1; a=rsa-sha256; t=1604527037; cv=none; d=zohomail.com; s=zohoarc; b=j/vBMXehQxTPf7sjbk8ovqTsIeQESGcH1Jo9GH2nX9vZw1CWmSysGjeq0oUF2DY30xuxYktp63VpX7O4sqaOl77D0z5IZY+4GBvxgG0BjJI3BFcg0LPI4am99J+NwuDRHNILVc79EPq5U0cSLGA9M++CDjGgJGgX6dHcyS47SYg=

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>, andrew.cooper3@xxxxxxxxxx, george.dunlap@xxxxxxxxxx, iwj@xxxxxxxxxxxxxx, julien@xxxxxxx, wl@xxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Daniel DeGraaf <dgdegra@xxxxxxxxxxxxx>, Roman Shaposhnik <roman@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 04 Nov 2020 21:57:47 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/3/20 4:15 PM, Stefano Stabellini wrote: > On Tue, 3 Nov 2020, Rich Persaud wrote: >> On Nov 3, 2020, at 14:37, Stefano Stabellini <sstabellini@xxxxxxxxxx> wrote: >>> >>> On Tue, 3 Nov 2020, Jan Beulich wrote: >>>>> On 02.11.2020 22:41, Stefano Stabellini wrote: >>>>> On Mon, 2 Nov 2020, Jan Beulich wrote: >>>>>> On 31.10.2020 01:24, Stefano Stabellini wrote: >>>>>>> @@ -79,8 +79,8 @@ config SBSA_VUART_CONSOLE >>>>>>> SBSA Generic UART implements a subset of ARM PL011 UART. >>>>>>> >>>>>>> config ARM_SSBD >>>>>>> - bool "Speculative Store Bypass Disable" if EXPERT >>>>>>> - depends on HAS_ALTERNATIVE >>>>>>> + bool "Speculative Store Bypass Disable" >>>>>>> + depends on HAS_ALTERNATIVE && EXPERT >>>>>>> default y >>>>>> >>>>>> At the example of this, I'm afraid when the default isn't "n" >>>>>> (or there's no default directive at all, as ought to be >>>>>> equivalent to and preferred over "default n"), such a >>>>>> transformation is not functionally identical: Before your >>>>>> change, with !EXPERT this option defaults to y. After your >>>>>> change this option is unavailable (which resolves to it being >>>>>> off for all consuming purposes). >>>>>> >>>>>> IOW there are reasons to have "if ..." attached to the prompts >>>>>> (for this construct indeed only making the prompt conditional, >>>>>> not the entire option), but there are also cases where the >>>>>> cleanup you do is indeed desirable / helpful. >>>>> >>>>> Yeah, thanks for catching it, it is obviously a problem. >>>>> >>>>> My intention was just to "tag" somehow the options to EXPERT so that it >>>>> would show on the menu. Maybe a better, simpler, way to do it is >>>>> to add the word "EXPERT" to the one line prompt: >>>>> >>>>> config ARM_SSBD >>>>> - bool "Speculative Store Bypass Disable" if EXPERT >>>>> + bool "Speculative Store Bypass Disable (EXPERT)" if EXPERT >>>>> depends on HAS_ALTERNATIVE >>>>> default y >>>>> help >>>>> >>>>> >>>>> What do you think? >>>> >>>> While on the surface this may look like an improvement, I don't >>>> see how it would actually help: If you read the Kconfig file >>>> itself, the dependency is seen anyway. And on the menu I don't >>>> see the point of telling someone who has enabled EXPERT that a >>>> certain option is (or is not) an expert one. If they think >>>> they're experts, so should they be treated. (It was, after all, >>>> a deliberate decision to make enabling expert mode easier, and >>>> hence easier to use for what one might consider not-really- >>>> experts. I realize saying so may be considered tendentious; I >>>> mean it in a purely technical sense, and I'd like to apologize >>>> in advance to anyone not sharing this as a possible perspective >>>> to take.) >>>> >>>> Plus, of course, the addition of such (EXPERT) markers to >>>> future options' prompts is liable to get forgotten now and then, >>>> so sooner or later we'd likely end up with an inconsistent >>>> mixture anyway. >>> >>> I tend to agree with you on everything you wrote. The fundamental issue >>> is that we are (mis)using EXPERT to tag features that are experimental, >>> as defined by SUPPORT.md. >>> >>> It is important to be able to distinguish clearly at the kconfig level >>> options that are (security) supported from options that are >>> unsupported/experimental. Today the only way to do it is with EXPERT >>> which is not great because: >>> >>> - it doesn't convey the idea that it is for unsupported/experimental >>> features >>> - if you want to enable one unsupported feature, it is not clear what >>> you have to do >>> >>> So maybe we should replace EXPERT with UNSUPPORTED (or EXPERIMENTAL) in >>> the Kconfig menu? >>> >>> It would make it clearer that by enabling UNSUPPORTED you are going to >>> get a configuration that is not security supported. >> >> If going down this path, there should be one, authoritative, in-tree >> definition of feature-level support from which Kconfig (build-time policy >> enforcement) and SUPPORT.md (documentation) can be derived. Later, even >> run-time enforcement can be similarly classified. FuSA may also wish for >> documented policy to align with enforcement. > > The goal is trying to align Kconfig and SUPPORT.md by clarifying the > EXPERT option, which today is a poor implementation of "experimental". Just a thought but what if it were to be kept as EXPERT for the config option to expose all of these features and then by convention require that experimental options be required to carry an EXPERIMENTAL tag at the beginning of the option's description. This would separate the idea of EXPERT configuration mode from that of EXPERIMENTAL features which can only be reached in EXPERT mode. The convention could be carried through to UNSUPPORTED, TECHPREVIEW, or any new types of tags as they are needed. > There could be further improvements down the line, for instance we could > taint Xen when UNSUPPORTED is selected and even have separate kconfig > options for UNSUPPORTED, EXPERIMENTAL, and TECHPREVIEW. FuSa is likely > going to need its own SAFETY option too. Like you suggested, we could > even have a single source of feature-level support information for both > Kconfig and SUPPORT.md. > > However, I didn't want to increase the scope of this one patch. For now, > it would be a good start if we replaced EXPERT with something that covers > anything not security supported, for which UNSUPPORTED looks like a good > name. >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.