Xen project Mailing List

Re: [PATCH v6 10/13] vpci/header: reset the command register when adding devices

To: Oleksandr Andrushchenko <Oleksandr_Andrushchenko@xxxxxxxx>

Date: Mon, 7 Feb 2022 15:31:06 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bQPXztmSsN/WlqoqGglenb983o+SKCoxVV8WvV8ZyXI=; b=oK25qfMAkwvRj2HrW897IysiI88W3COzt+0G+KerncIGspPKGh8v1/1aYxeJpi37UY+jW6KgE1ktk3tOVVRV1vx4wtGZsMBlkD2k7XHc+UZhFtSA/DynAcFcmx99DJrasPWcKK9S3ANsSls4b4AI9NsmHdMUA47+BOqYWcwwqqDMd09iZUeglKEjAI76Vh6DAiFJVnMMUrmQ2SE8geCtRIXdGahFsY5GRFOAJi8tI7l1hELlBsOSiJObPRhexVhuc3rS25NSXekQdZJW0RPPT0/iARrhaP9XWLNinnZG7FZaBVyTCHXXsHzJJpsZUieJp/ccNQhG7g7Mzzo/nCT/Tw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SM6uArVAjTPQvs8bhAdMFcLpTPZ7+S+5OjuxBLUDu1E+1eqpMPFjoO7acbDnoFLG6nwwLhK90hLVnCOL66aOIh9jNllEspIf+RMW/vJLJMAUvQSyTUY8pwZfKy+hySc4aR6pjpwLFdPPMCfRAfcX32r9O8/vF54iIbBmgh+cTGrFFWu2I8kx7VvoyFg5v0qQcfr8/Vdur1cX48Jj09dEIayco2fe67+YpPvHqWPtUGIqYlZeXSJJ7Cwg2RIKBe1IsipT0KszpKikSHrGON3kopGq6UIv65QahCZHNW4CPmWlM2pIydA8EPvdEB3MzTogmiOd2EVOWzUrWBqw1bLU6Q==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: "julien@xxxxxxx" <julien@xxxxxxx>, "sstabellini@xxxxxxxxxx" <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <Oleksandr_Tyshchenko@xxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Artem Mygaiev <Artem_Mygaiev@xxxxxxxx>, "roger.pau@xxxxxxxxxx" <roger.pau@xxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>, "george.dunlap@xxxxxxxxxx" <george.dunlap@xxxxxxxxxx>, "paul@xxxxxxx" <paul@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Rahul Singh <rahul.singh@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 07 Feb 2022 14:31:19 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 07.02.2022 15:17, Oleksandr Andrushchenko wrote: > > > On 07.02.22 14:54, Jan Beulich wrote: >> On 07.02.2022 13:51, Oleksandr Andrushchenko wrote: >>> >>> On 07.02.22 14:38, Jan Beulich wrote: >>>> On 07.02.2022 12:27, Oleksandr Andrushchenko wrote: >>>>> On 07.02.22 09:29, Jan Beulich wrote: >>>>>> On 04.02.2022 15:37, Oleksandr Andrushchenko wrote: >>>>>>> On 04.02.22 16:30, Jan Beulich wrote: >>>>>>>> On 04.02.2022 07:34, Oleksandr Andrushchenko wrote: >>>>>>>>> Reset the command register when assigning a PCI device to a guest: >>>>>>>>> according to the PCI spec the PCI_COMMAND register is typically all >>>>>>>>> 0's >>>>>>>>> after reset. >>>>>>>> It's not entirely clear to me whether setting the hardware register to >>>>>>>> zero is okay. What wants to be zero is the value the guest observes >>>>>>>> initially. >>>>>>> "the PCI spec says the PCI_COMMAND register is typically all 0's after >>>>>>> reset." >>>>>>> Why wouldn't it be ok? What is the exact concern here? >>>>>> The concern is - as voiced is similar ways before, perhaps in other >>>>>> contexts - that you need to consider bit-by-bit whether overwriting >>>>>> with 0 what is currently there is okay. Xen and/or Dom0 may have put >>>>>> values there which they expect to remain unaltered. I guess >>>>>> PCI_COMMAND_SERR is a good example: While the guest's view of this >>>>>> will want to be zero initially, the host having set it to 1 may not >>>>>> easily be overwritten with 0, or else you'd effectively imply giving >>>>>> the guest control of the bit. >>>>> We have already discussed in great detail PCI_COMMAND emulation [1]. >>>>> At the end you wrote [1]: >>>>> "Well, in order for the whole thing to be security supported it needs to >>>>> be explained for every bit why it is safe to allow the guest to drive it. >>>>> Until you mean vPCI to reach that state, leaving TODO notes in the code >>>>> for anything not investigated may indeed be good enough. >>>>> >>>>> Jan" >>>>> >>>>> So, this is why I left a TODO in the PCI_COMMAND emulation for now and >>>>> only >>>>> care about INTx which is honored with the code in this patch. >>>> Right. The issue I see is that the description does not have any >>>> mention of this, but instead talks about simply writing zero. >>> How do you want that mentioned? Extended commit message or >>> just a link to the thread [1]? >> What I'd like you to describe is what the change does without >> fundamentally implying it'll end up being zero which gets written >> to the register. Stating as a conclusion that for the time being >> this means writing zero is certainly fine (and likely helpful if >> made explicit). > Xen and/or Dom0 may have put values in PCI_COMMAND which they expect > to remain unaltered. PCI_COMMAND_SERR bit is a good example: while the > guest's view of this will want to be zero initially, the host having set > it to 1 may not easily be overwritten with 0, or else we'd effectively > imply giving the guest control of the bit. Thus, PCI_COMMAND register needs > proper emulation in order to honor host's settings. > > There are examples of emulators [1], [2] which already deal with PCI_COMMAND > register emulation and it seems that at most they care about the only INTX > bit (besides IO/memory enable and bus muster which are write through). > It could be because in order to properly emulate the PCI_COMMAND register > we need to know about the whole PCI topology, e.g. if any setting in device's > command register is aligned with the upstream port etc. > This makes me think that because of this complexity others just ignore that. > Neither I think this can be easily done in Xen case. > > According to "PCI LOCAL BUS SPECIFICATION, REV. 3.0", section "6.2.2 > Device Control" says that the reset state of the command register is > typically 0, so reset the command register when assigning a PCI device > to a guest t all 0's and for now only make sure INTx bit is set according > to if MSI/MSI-X enabled. "... is typically 0, so when assigning a PCI device reset the guest view of the command register to all 0's. For now our emulation only makes sure INTx is set according to host requirements, i.e. depending on MSI/MSI-X enabled state." Maybe? (Obviously a fresh device given to a guest will have MSI/MSI-X disabled, so I'm not sure that aspect really needs mentioning.) But: What's still missing here then is the separation of guest and host views. When we set INTx behind the guest's back, it shouldn't observe the bit set. Or is this meant to be another (big) TODO? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.