[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 07/13] libs/guest: obtain a compatible cpu policy from two input ones


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 4 May 2021 13:56:55 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aAGZmKUgV3p5/89FFRlnYouNXo8eGBnLdLeQmKZcnSU=; b=nJptIdxeExLakYiFDIk1jU9Urxpr4jn0+wG7NhItr8xNnXKyfStDJnPT0VkwTUL+2GcOEWqMZ2W6gyUOdHSwMo5Ar8L51tKvr7p5FuslMowxdEUe7wwxVWaSI1Q5XQwcBlBUON3f7RZFsT9vyovuWqf0xhVe8XJzhqYGMVxZp/13afqGeRyRYb+QEtLYdMOrVAc++ujL2iugm/iI7Cirz2HrD1SeT34NiREpg99RPUflSZ0ac8gBqZQbLhVKlkqJUL8jvQLz2R9Tfj74OhAdl6ooHi3XMYeLIM8Pv4qd16wM17tk9wZx/QKKNi4w+GmvmSlSYUWVjq2EaMETIc/Zpw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UhnmjpgW9t++ohBH/Uws4afog9ZTutRZDDXj4+NoAsIwG7GFejlry9Zw79jX9Om1hyrSKiXjnh1rqhldumSpz9q+ZOs97ZI0laqbCq4fVWsY+LhGjffT+sVZDwT/X6mAUX/KR4js7k+TVjGboQ66cloXc2wJQOxfDo5xbDfAiESvTDH1FKwn2kMKgU4XX0iJ57/hxDo+O4D0FFofWGG65f9E85/jhHfYHFwv2aNDRqW4NHB48CQ1w70+RQyalPqCkDvakgWt/IfeVE7eMAr77qb+6yeOd0Lncc7Lier++QQzUwNvwKTN3OAXmHvJf9sm9YUarRcEaP0+quYROdXZYA==
  • Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 04 May 2021 11:57:12 +0000
  • Ironport-hdrordr: A9a23:liXVR6BiCwxAkRflHegltMeALOonbusQ8zAX/mhLY1h8btGYm8 eynP4SyB/zj3IrVGs9nM2bUZPsfVr1zrQwxYUKJ7+tUE3duGWuJJx/9oeK+VfdMgXE3Kpm2a 9kGpIUNPTZB1J3lNu/xQG+HcopztXvytHSuc715R5WPGJXQotn6Bp0DRveN0VwShVPC5ZRLu vn2uNsoT28dXMLKvmqH3VtZZmIm/TntrLDJSQHCRku9RWUgVqThILSPhCE0n4lIlRy6Jg492 ytqW3Ez4Wl98q20xrNk1LUhq4m4OfJ7vtmKIiyhtMOKjPq4zzYKbhJf7GZpjg6rKWOxT8R4b /xiiwtNchy9H/dF1vdyXSC5yDa3Dkj8HPkw1OD6EGT2PDRfi4wCMZKmOtiA3nkwncgp9113e Zq2G+UpvNsfHf9tRn9/NTBWlVWkFO1qxMZ4IsupkFYOLF/VJZh6agkuG9FGpYJGyz3rKo9Fv N1Mc3a7PFKNXuHcnHwpABUsZORd0V2Oi3DblkJu8ST3TQTtmt+1VEkyMsWmWpF3I4hSqND+/ /PPs1T5f9zZ/5TSZg4KPYKQMOxBGCIawnLKniuLVPuE7xCHH7RtZjt4vEQ6PuxcJIFiLs+8a 6xEW9whCoXQQbDGMeO1JpE/lTmW2OmRwngzclY+tx3obv5SL33MTCSSVwnnse6ys9vQfHzar KWAtZ7EvXjJWzhFcJixAvlQaRfLnEYTYkUt78AKhCzi/OODrevmv3Qcf7VKraoOy0jQHnDDn wKWyW2IM1B60usS2LpmRS5YQKpRmXPubZLVITK9ekaz4YAcqdWtBIOtFi/7saXbTtYsqI3e0 N6KKj9kryyoHS3+Wqg1RQoBjNtSmJupJnwWXJDogEHd2nud6wYhtmZcWdOmGecKgRnVMPQGg 5Hr1Fx8aa6RqbggRwKOpaCCCa3nnETrHWFQ9MggaWF/97iYY59JI0hQrZNGQLCEAFVlQ5mpH xYUhINQlbSG1rV+OKYpa1RINuaVtFnxC+3PMZfqBvkxDihjPBqYkFeYhmDfoq8hx00Sz9dm1 trmpVv/IaoqHKIMmswgOMxLVtWTn+YaYg2QDitbJlIm7ztZQF7RXqLgzvfkB0oZm/27Swp9x PcBDzRdvfRDlVHvHdElq7s7VNvb22YO1l9c3ZgrORGZC37k2c21e+Afayo1WSNLlME3+EGKT nACAFiVT9G1pSy1BSPniyFGmhjzpIyPvbFBLBmd73IwHuiJMmJkq4BdsUkiqpNJZTrsuURV/ iYdBLQJDTkC/kx0wjQv207IkBP2QsZuOKt3Aeg4Hmz3XY5D/aXKFN6R6sDK9XZ62T/Xf6H3J hwkNpdh5r5DkzhLtqdja3HZT9KLR3e5XS7SOwlsphYt6M/vrkbJeiubRLYkHVcmBkuJsb9k0 0TBLlh6LfaI4l1YogcfTla8ldBrqXFEGI79gjtRukwclEmgyWFY5eH47/UpaEuBUPErg3qIl Wb+zBc+fCAXybr789rN4sgZWBNLE474zB++enHcYvaAgCjbftC81q3KWXVSs4pdIGVXbEL6g 9n6NSJlfKNfyX22ArMrSJ2S5g+glqPUIe3GkaQAuZG/NyxJESUjqar6MC1ii3rSTHTUTVqua RVMUoKbspCjTE+jIo4liiqI5aH3H4Yrw==
  • Ironport-sdr: UetZ4xc+jB0oPjUu/ffExCZL+svyw22C+vErB/uGqxIM/PvHJ8E07Sob/o/RQ8xU4DP8j9h1/5 SBKG/91xP78i4KjjflV5FoXGT5LwTcb8d9arAjkEKsIDEUN9HYqCpNQP/CafRfR3eWHQduugj0 MHzVIU0OyOQh55uT4SahKGJeIkVK2xOKfi/RkfrL2iVPco3Y73zBj8mkTuApjQ2Klm7opgS4vn 1Zjdg88MEosvGHTloFaW2YmJF7NlmK5HdxmSKzq19eQd0F612hRaVbUWGVNFb5okTpolo31W7B hNg=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, May 03, 2021 at 12:43:08PM +0200, Jan Beulich wrote:
> On 30.04.2021 17:52, Roger Pau Monne wrote:
> > Introduce a helper to obtain a compatible cpu policy based on two
> > input cpu policies. Currently this is done by and'ing all CPUID
> > feature leaves and MSR entries, except for MSR_ARCH_CAPABILITIES which
> > has the RSBA bit or'ed.
> > 
> > The _AC macro is pulled from libxl_internal.h into xen-tools/libs.h
> > since it's required in order to use the msr-index.h header.
> > 
> > Note there's no need to place this helper in libx86, since the
> > calculation of a compatible policy shouldn't be done from the
> > hypervisor.
> > 
> > No callers of the interface introduced.
> > 
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> > ---
> > Changes since v2:
> >  - Add some comments.
> >  - Remove stray double semicolon.
> >  - AND all 0x7 subleaves (except 0.EAX).
> >  - Explicitly handle MSR indexes in a switch statement.
> >  - Error out when an unhandled MSR is found.
> >  - Add handling of leaf 0x80000021.
> > 
> > Changes since v1:
> >  - Only AND the feature parts of cpuid.
> >  - Use a binary search to find the matching leaves and msr entries.
> >  - Remove default case from MSR level function.
> > ---
> >  tools/include/xen-tools/libs.h    |   5 ++
> >  tools/include/xenctrl.h           |   4 +
> >  tools/libs/guest/xg_cpuid_x86.c   | 137 ++++++++++++++++++++++++++++++
> >  tools/libs/light/libxl_internal.h |   2 -
> >  4 files changed, 146 insertions(+), 2 deletions(-)
> > 
> > diff --git a/tools/include/xen-tools/libs.h b/tools/include/xen-tools/libs.h
> > index a16e0c38070..b9e89f9a711 100644
> > --- a/tools/include/xen-tools/libs.h
> > +++ b/tools/include/xen-tools/libs.h
> > @@ -63,4 +63,9 @@
> >  #define ROUNDUP(_x,_w) (((unsigned long)(_x)+(1UL<<(_w))-1) & 
> > ~((1UL<<(_w))-1))
> >  #endif
> >  
> > +#ifndef _AC
> > +#define __AC(X,Y)   (X##Y)
> > +#define _AC(X,Y)    __AC(X,Y)
> > +#endif
> > +
> >  #endif     /* __XEN_TOOLS_LIBS__ */
> > diff --git a/tools/include/xenctrl.h b/tools/include/xenctrl.h
> > index 5f699c09509..c41d794683c 100644
> > --- a/tools/include/xenctrl.h
> > +++ b/tools/include/xenctrl.h
> > @@ -2622,6 +2622,10 @@ int xc_cpu_policy_update_msrs(xc_interface *xch, 
> > xc_cpu_policy_t policy,
> >  /* Compatibility calculations. */
> >  bool xc_cpu_policy_is_compatible(xc_interface *xch, const xc_cpu_policy_t 
> > host,
> >                                   const xc_cpu_policy_t guest);
> > +int xc_cpu_policy_calc_compatible(xc_interface *xch,
> > +                                  const xc_cpu_policy_t p1,
> > +                                  const xc_cpu_policy_t p2,
> > +                                  xc_cpu_policy_t out);
> >  
> >  int xc_get_cpu_levelling_caps(xc_interface *xch, uint32_t *caps);
> >  int xc_get_cpu_featureset(xc_interface *xch, uint32_t index,
> > diff --git a/tools/libs/guest/xg_cpuid_x86.c 
> > b/tools/libs/guest/xg_cpuid_x86.c
> > index 6b8bae00334..be2056469aa 100644
> > --- a/tools/libs/guest/xg_cpuid_x86.c
> > +++ b/tools/libs/guest/xg_cpuid_x86.c
> > @@ -32,6 +32,7 @@ enum {
> >  #include <xen/arch-x86/cpufeatureset.h>
> >  };
> >  
> > +#include <xen/asm/msr-index.h>
> >  #include <xen/asm/x86-vendors.h>
> >  
> >  #include <xen/lib/x86/cpu-policy.h>
> > @@ -949,3 +950,139 @@ bool xc_cpu_policy_is_compatible(xc_interface *xch, 
> > const xc_cpu_policy_t host,
> >  
> >      return false;
> >  }
> > +
> > +static bool level_msr(const xen_msr_entry_t *e1, const xen_msr_entry_t *e2,
> > +                      xen_msr_entry_t *out)
> > +{
> > +    *out = (xen_msr_entry_t){ .idx = e1->idx };
> > +
> > +    switch ( e1->idx )
> > +    {
> > +    case MSR_INTEL_PLATFORM_INFO:
> > +        out->val = e1->val & e2->val;
> > +        return true;
> > +
> > +    case MSR_ARCH_CAPABILITIES:
> > +        out->val = e1->val & e2->val;
> > +        /*
> > +         * Set RSBA if present on any of the input values to notice the 
> > guest
> > +         * might run on vulnerable hardware at some point.
> > +         */
> > +        out->val |= (e1->val | e2->val) & ARCH_CAPS_RSBA;
> > +        return true;
> > +    }
> > +
> > +    return false;
> > +}
> > +
> > +/* Only level featuresets so far. */
> 
> I have to admit that I don't think I see all the implications from
> this implementation restriction. All other leaves get dropped by
> the caller, but it's not clear to me what this means wrt what the
> guest is ultimately going to get to see.

This aims to be based on what XenServer does, which I was told is to
level the featuresets. I think the caller of the function will have to
fill the part of the policy that cannot be leveled. It's likely new
helpers will be added to do that as required.

One option would be to get the default policy for the guest and then
use xc_cpu_policy_update_cpuid to apply the leveled one.

> > +static bool level_leaf(const xen_cpuid_leaf_t *l1, const xen_cpuid_leaf_t 
> > *l2,
> > +                       xen_cpuid_leaf_t *out)
> > +{
> > +    *out = (xen_cpuid_leaf_t){
> > +        .leaf = l1->leaf,
> > +        .subleaf = l2->subleaf,
> 
> Since ->leaf and ->subleaf ought to match anyway, I think it would
> look less odd if both initializers were taken from consistent source.

Sure, my bad.

> > +    };
> > +
> > +    switch ( l1->leaf )
> > +    {
> > +    case 0x1:
> > +    case 0x80000001:
> > +        out->c = l1->c & l2->c;
> > +        out->d = l1->d & l2->d;
> > +        return true;
> > +
> > +    case 0xd:
> > +        if ( l1->subleaf != 1 )
> > +            break;
> > +        /*
> > +         * Only take Da1 into account, the rest of subleaves will be 
> > dropped
> > +         * and recalculated by recalculate_xstate.
> > +         */
> > +        out->a = l1->a & l2->a;
> > +        return true;
> > +
> > +    case 0x7:
> > +        if ( l1->subleaf )
> > +            /* subleaf 0 EAX contains the max subleaf count. */
> > +            out->a = l1->a & l2->a;
> 
>         else
>             out->a = min(l1->a, l2->a);
> 
> ? Or is the result from here then further passed to
> x86_cpuid_policy_shrink_max_leaves() (not visible from this patch)?
> (If not, the same would apply to all other multi-subleaf leaves.)

Hm, might be worth to set all the max fields directly in
xc_cpu_policy_calc_compatible and also add a call to
x86_cpuid_policy_shrink_max_leaves after the leveling is done.

> > +        out->b = l1->b & l2->b;
> > +        out->c = l1->c & l2->c;
> > +        out->d = l1->d & l2->d;
> > +        return true;
> > +
> > +    case 0x80000007:
> > +        out->d = l1->d & l2->d;
> > +        return true;
> > +
> > +    case 0x80000008:
> > +        out->b = l1->b & l2->b;
> > +        return true;
> > +
> > +    case 0x80000021:
> > +        out->a = l1->a & l2->a;
> > +        return true;
> > +    }
> > +
> > +    return false;
> > +}
> > +
> > +int xc_cpu_policy_calc_compatible(xc_interface *xch,
> > +                                  const xc_cpu_policy_t p1,
> > +                                  const xc_cpu_policy_t p2,
> > +                                  xc_cpu_policy_t out)
> 
> I have to admit that I find these two "const" misleading here. You
> don't equally constify the other two parameters (which would e.g. be
> xc_interface *const xch), and I don't think doing so is common
> practice elsewhere. And what p1 and p2 point to is specifically non-
> const (and cannot be const), due to ...
> 
> > +{
> > +    unsigned int nr_leaves, nr_msrs, i, index;
> > +    unsigned int p1_nr_leaves, p2_nr_leaves;
> > +    unsigned int p1_nr_entries, p2_nr_entries;
> > +    int rc;
> > +
> > +    p1_nr_leaves = p2_nr_leaves = ARRAY_SIZE(p1->leaves);
> > +    p1_nr_entries = p2_nr_entries = ARRAY_SIZE(p1->entries);
> > +
> > +    rc = xc_cpu_policy_serialise(xch, p1, p1->leaves, &p1_nr_leaves,
> > +                                 p1->entries, &p1_nr_entries);
> > +    if ( rc )
> > +        return rc;
> > +    rc = xc_cpu_policy_serialise(xch, p2, p2->leaves, &p2_nr_leaves,
> > +                                 p2->entries, &p2_nr_entries);
> 
> ... these two calls.

Right, that's a leftover from previously, where xc_cpu_policy_t didn't
also contain a buffer to store the serialized version.

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.