From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: kevin.tian@intel.com, suravee.suthikulpanit@amd.com,
andrew.cooper3@citrix.com, tim@xen.org,
dietmar.hahn@ts.fujitsu.com, xen-devel@lists.xen.org,
Aravind.Gopalakrishnan@amd.com, jun.nakajima@intel.com,
dgdegra@tycho.nsa.gov
Subject: Re: [PATCH v21 02/14] x86/VPMU: Add public xenpmu.h
Date: Tue, 19 May 2015 10:40:56 -0400 [thread overview]
Message-ID: <555B4B78.6050304@oracle.com> (raw)
In-Reply-To: <555AF8C7020000780007B6C7@mail.emea.novell.com>
On 05/19/2015 02:48 AM, Jan Beulich wrote:
>>>> On 18.05.15 at 18:12, <boris.ostrovsky@oracle.com> wrote:
>> On 05/18/2015 11:15 AM, Jan Beulich wrote:
>>>>>> On 08.05.15 at 23:06, <boris.ostrovsky@oracle.com> wrote:
>>>> +/*
>>>> + * Architecture-specific information describing state of the processor at
>>>> + * the time of PMU interrupt.
>>>> + * Fields of this structure marked as RW for guest can only be written by the
>>>> + * guest when PMU_CACHED bit in pmu_flags is set (which is done by the
>>>> + * hypervisor during PMU interrupt). Hypervisor will read updated data in
>>>> + * XENPMU_flush hypercall and clear PMU_CACHED bit.
>>>> + */
>>>> +struct xen_pmu_arch {
>>>> + union {
>>>> + /*
>>>> + * Processor's registers at the time of interrupt.
>>>> + * RW for hypervisor, RO for guests.
>>>> + */
>>>> + struct xen_pmu_regs regs;
>>>> + /* Padding for adding new registers to xen_pmu_regs in the future */
>>>> +#define XENPMU_REGS_PAD_SZ 64
>>>> + uint8_t pad[XENPMU_REGS_PAD_SZ];
>>>> + } r;
>>>> +
>>>> + /* RW for hypervisor, RO for guest */
>>>> + uint64_t pmu_flags;
>>>> +
>>>> + /*
>>>> + * APIC LVTPC register.
>>>> + * RW for both hypervisor and guest.
>>>> + * Only APIC_LVT_MASKED bit is loaded by the hypervisor into hardware
>>>> + * during XENPMU_flush.
>>>> + */
>>>> + union {
>>>> + uint32_t lapic_lvtpc;
>>>> + uint64_t pad;
>>>> + } l;
>>>> +
>>>> + /*
>>>> + * Vendor-specific PMU registers.
>>>> + * RW for both hypervisor and guest.
>>>> + * Guest's updates to this field are verified and then loaded by the
>>>> + * hypervisor into hardware during XENPMU_flush
>>>> + */
>>>> + union {
>>>> + struct xen_pmu_amd_ctxt amd;
>>>> + struct xen_pmu_intel_ctxt intel;
>>>> +
>>>> + /*
>>>> + * Padding for contexts (fixed parts only, does not include MSR banks
>>>> + * that are specified by offsets)
>>>> + */
>>>> +#define XENPMU_CTXT_PAD_SZ 128
>>>> + uint8_t pad[XENPMU_CTXT_PAD_SZ];
>>>> + } c;
>>>> +};
>>> Marking all the fields RW for the hypervisor is certainly correct from
>>> a permissions pov, but requires close auditing that the hypervisor
>>> doesn't ever read a field twice, potentially getting different results
>>> and hence inconsistent internal state. Therefore - do all of the fields
>>> _need_ to be RW for the hypervisor? If not, marking the ones
>>> where this isn't needed as WO would be much preferred, to limit
>>> the scope of whats needs to be audited.
>> Right, all arch-independent bits are WO for hypervisor as are
>> xen_pmu_regs above. I in fact meant to label them as such but for
>> reasons that I can't remember now decided to mark them as RW.
> Okay, that simplifies things for review purposes: Of the left
> fields, lapic_lvtpc can easily be verified to be read just once, and
> the vendor specific context gets copied into hypervisor memory
> once before doing verification and loading. Which leaves pmu_flags:
> Can you clarify how the read-write behavior there is expected to
> be (perhaps by slightly extending the respective comment)? I ask
> in particular because I don't recall having seen any read-once
> enforcement in the code.
pmu_flags are not read-once by neither hypervisor nor the guest. The
hypervisor uses PMU_CACHED flag (which it sets in the PMU interrupt) to
later determine whether or not to perform things like VPMU load (if the
flag is set then there is no reason to load). This may happen more than
once.
The rest of flags are WO by the hypervisor.
For the guest PMU_CACHED is indication that it shouldn't write MSRs
directly but rather do this into the shared page.
I don't believe that if guest writes flags (PMU_CACHED specifically) it
will have any effect on the hypervisor or other guests. It will
certainly affect the guest itself as it will probably mess up its VPMU
state. For example, we may end up loading the VPMU context when it
shouldn't be and that may result in an unexpected interrupt for the guest.
I can easily add a hypervisor-private flag for this purpose (into
vpmu_struct.flags) to make things more cleanly delineated (i.e.
pmu_flags will be strictly WO by hypervisor and RO by the guest). I
still want to keep PMU_CACHED flag for the guest though so that it knows
where to write MSRs (Linux PV guests don't need this right now but other
guests may find this useful).
-boris
next prev parent reply other threads:[~2015-05-19 14:40 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-08 21:06 [PATCH v21 00/14] x86/PMU: Xen PMU PV(H) support Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 01/14] common/symbols: Export hypervisor symbols to privileged guest Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 02/14] x86/VPMU: Add public xenpmu.h Boris Ostrovsky
2015-05-18 15:15 ` Jan Beulich
2015-05-18 16:12 ` Boris Ostrovsky
2015-05-19 6:48 ` Jan Beulich
2015-05-19 14:40 ` Boris Ostrovsky [this message]
2015-05-19 15:33 ` Jan Beulich
2015-05-08 21:06 ` [PATCH v21 03/14] x86/VPMU: Make vpmu not HVM-specific Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 04/14] x86/VPMU: Interface for setting PMU mode and flags Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 05/14] x86/VPMU: Initialize VPMUs with __initcall Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 06/14] x86/VPMU: Initialize PMU for PV(H) guests Boris Ostrovsky
2015-05-18 15:19 ` Jan Beulich
2015-05-08 21:06 ` [PATCH v21 07/14] x86/VPMU: Save VPMU state for PV guests during context switch Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 08/14] x86/VPMU: When handling MSR accesses, leave fault injection to callers Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 09/14] x86/VPMU: Add support for PMU register handling on PV guests Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 10/14] x86/VPMU: Use pre-computed masks when checking validity of MSRs Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 11/14] x86/VPMU: Handle PMU interrupts for PV(H) guests Boris Ostrovsky
2015-05-18 9:43 ` Dietmar Hahn
2015-05-18 15:11 ` Boris Ostrovsky
2015-05-18 15:39 ` Jan Beulich
2015-05-18 16:19 ` Boris Ostrovsky
2015-05-19 6:50 ` Jan Beulich
2015-05-08 21:06 ` [PATCH v21 12/14] x86/VPMU: Merge vpmu_rdmsr and vpmu_wrmsr Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 13/14] x86/VPMU: Add privileged PMU mode Boris Ostrovsky
2015-05-08 21:06 ` [PATCH v21 14/14] x86/VPMU: Move VPMU files up from hvm/ directory Boris Ostrovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555B4B78.6050304@oracle.com \
--to=boris.ostrovsky@oracle.com \
--cc=Aravind.Gopalakrishnan@amd.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=dietmar.hahn@ts.fujitsu.com \
--cc=jun.nakajima@intel.com \
--cc=kevin.tian@intel.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.