[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 for-4.15] x86/msr: introduce an option for compatible MSR behavior selection


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 9 Mar 2021 14:53:53 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D6nC5FmpFN+MJz4419r0TamyGM7/BsI6Yi5wphL6dqY=; b=CUm0co0sPuQebDdkvbmL3hQsspdvMuFTVOt30ZyzGO/N596CJhRrabA69GDWmzlAKfHey1ot++7zTC+/6NNQOc8+MO57UQMde/givqRMaXbHHRaTv8xoH5DiwOTPqTUNcThiUJpKO5g0YTxZi8AhoshfhPIrLCloQtcaYFlrlZPGFQViY8Jn0MNEPZpR1QhYth0T3iW+1IeoTFnAIA9CIDYUMvt1+rPvy47WRzGlQrJc+CqMIbahA6thP1mR3XwMw64PjEmEfTd+0/AenpER4wd7dgM/IyKFIHR5YeLytO7rmQxEOMBdGTnaNSmdWyxH7KsKm0ipYxfArECaiF/YzQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G4vfSxcrU6nhlKKD/fnPp8zC1LgVd8MfrL8OzdPH5oychq9IQsLc5bJ4LvQXEWjpZZyuULFKTPmMO95HxOG+QBqxKtPOsDmIxFHIrM5zy9sYg3nEUF8AHIzD9zdafpSwCoArPzAM8KmmQPMG8rYmeVuWIX2+n0zrPZP/t+UUH6os65bONYyh8hRltFhONuMy4bp63baBO+9Vpt/oazOh27KGLji9XXRDGAVOAGVguUNgrBlTkk2PMBApx6/+fWVqD+U5YptEgvX8IkIJnPwUJsRrPgMV+bY3oe9EJRqE+My7kvzVFuJt8V34ZXTeBkoO6MV0+4ihLwPlIv4QDBsusA==
  • Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Anthony PERARD" <anthony.perard@xxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 09 Mar 2021 13:54:47 +0000
  • Ironport-sdr: 7BTF9tYZq/oJHFo9+fB43BybqSCa9BsLB22fhRHUsO1xn3B+XgZX8oM7LUXUutUZF7hSqOhM1r zL9RBZYKTxypwoqA00q4+f+e+MV+gJSSARO1m3aESkMN0cTnu4ALTSWqHwAJcclD5VGrBUEnzv BQdSHq0zBJhMKW3OV6bIKo15SgJnFiR0PJLat3mjQhU2YDnM/o5WiR6N674ZRMJjripUwZnZeI zaL3Et02Q/52oXh/xVv/EpVQcZGnMo/p0VR/8tmsvge2+1w2hS73ZGmSJ0Z/weKHMPMPcgmwBL nfM=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Mar 09, 2021 at 12:36:39PM +0100, Jan Beulich wrote:
> On 09.03.2021 11:56, Roger Pau Monne wrote:
> > Introduce an option to allow selecting a behavior similar to the pre
> > Xen 4.15 one for accesses to MSRs not explicitly handled. Since commit
> > 84e848fd7a162f669 and 322ec7c89f6640e accesses to MSRs not explicitly
> > handled by Xen result in the injection of a #GP to the guest. This
> > is a behavior change since previously a #GP was only injected if
> > accessing the MSR on the real hardware would also trigger a #GP, or if
> > the attempted to be set bits wouldn't match the hardware values (for
> > PV).
> > 
> > This seems to be problematic for some guests, so introduce an option
> > to fallback to this kind of legacy behavior without leaking the
> > underlying MSR values to the guest.
> > 
> > When the option is set, for both PV and HVM don't inject a #GP to the
> > guest on MSR read if reading the underlying MSR doesn't result in a
> > #GP, do the same for writes and simply discard the value to be written
> > on that case.
> > 
> > Note that for guests restored or migrated from previous Xen versions
> > the option is enabled by default, in order to keep a compatible
> > MSR behavior. Such compatibility is done at the libxl layer, to avoid
> > higher-level toolstacks from having to know the details about this flag.
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> 
> I'm generally okay with this approach, but wouldn't want to give it
> my R-b until it's at least clear it's not entirely unacceptable to
> anyone else (Andrew in particular). Couple of remarks:

Thanks.

> > Changes since v2:
> >  - Apply the option to both HVM and PV guest.
> >  - Handle both reads and writes.
> 
> I take it that it's intentional that you didn't allow separate read
> and write control?

Yes, I don't have a strong opinion, but I think just having a single
option is better: guests requiring the read side bodge are also likely
to require the same adjustment on the write side. It's also better
from a user perspective, as it's likely people would enable them in
tandem anyway.

> 
> > --- a/xen/arch/x86/hvm/svm/svm.c
> > +++ b/xen/arch/x86/hvm/svm/svm.c
> > @@ -1795,6 +1795,7 @@ static int svm_msr_read_intercept(unsigned int msr, 
> > uint64_t *msr_content)
> >      const struct domain *d = v->domain;
> >      struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb;
> >      const struct nestedsvm *nsvm = &vcpu_nestedsvm(v);
> > +    uint64_t tmp;
> >  
> >      switch ( msr )
> >      {
> 
> While to some degree a matter of taste, I think such variables needed
> only inside a switch() and not needing an initializer would better
> live in the respective switch()'s scope.

I can indeed define them inside the switch statement.

> > --- a/xen/arch/x86/pv/emul-priv-op.c
> > +++ b/xen/arch/x86/pv/emul-priv-op.c
> > @@ -875,6 +875,7 @@ static int read_msr(unsigned int reg, uint64_t *val,
> >      const struct domain *currd = curr->domain;
> >      const struct cpuid_policy *cp = currd->arch.cpuid;
> >      bool vpmu_msr = false;
> > +    uint64_t tmp;
> >      int ret;
> >  
> >      if ( (ret = guest_rdmsr(curr, reg, val)) != X86EMUL_UNHANDLEABLE )
> > @@ -986,6 +987,12 @@ static int read_msr(unsigned int reg, uint64_t *val,
> >          }
> >          /* fall through */
> >      default:
> > +        if ( currd->arch.msr_relaxed && !rdmsr_safe(reg, tmp) )
> > +        {
> > +            *val = 0;
> > +            return X86EMUL_OKAY;
> > +        }
> > +
> >          gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", reg);
> >          break;
> >  
> > @@ -1148,6 +1155,9 @@ static int write_msr(unsigned int reg, uint64_t val,
> >          }
> >          /* fall through */
> >      default:
> > +        if ( currd->arch.msr_relaxed && !rdmsr_safe(reg, val) )
> > +            return X86EMUL_OKAY;
> > +
> >          gdprintk(XENLOG_WARNING,
> >                   "WRMSR 0x%08x val 0x%016"PRIx64" unimplemented\n",
> >                   reg, val);
> 
> So what are your thoughts wrt my change to this file? Drop it
> altogether and require people to use this new option? Or do you
> see both coexist?

I wouldn't be opposed to have both changes co-exist, as long as the PV
one is made part of the PV ABI, that is have it properly described in
the public headers as part of the PV behavior. I've replied with some
details along those lines in your patch.

> In the latter case, since you had suggested
> that I drop the write side of my change - does your changing of
> the write path indicate you've changed your mind?

Yes, I think we need to provide an option to allow users to revert
back to an MSR behavior as close as possible to the previous one for
compatibility reasons, and that should include the write side even if
we don't know any users requiring it right now.

We would be in a bad position if that use-case gets discovered after
the release, so it's IMO best to provide an option that covers both
read and write side straight away.

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.