From: Andrew Cooper
Subject: Re: [PATCH 0/1] ARM: Implement support for write-ctrlreg vm-events
Date: Mon, 7 Mar 2016 12:38:44 +0000
Message-ID: <56DD7654.8010405@citrix.com>
References: <1457014210-14552-1-git-send-email-czuzu@bitdefender.com> <56DD3A2B.6060803@bitdefender.com>
To: Tamas K Lengyel, Corneliu ZUZU
Cc: Kevin Tian, Keir Fraser, Jan Beulich, Razvan Cojocaru, Xen-devel, Stefano Stabellini, Jun Nakajima
List-Id: xen-devel@lists.xenproject.org

On 07/03/16 09:12, Tamas K Lengyel wrote:
> On Mon, Mar 7, 2016 at 9:22 AM, Corneliu ZUZU <czuzu@bitdefender.com> wrote:
> > On 3/3/2016 4:10 PM, Corneliu ZUZU wrote:
> > > Then,
> > > QUESTIONS (FOR VM-EVENTS & ARM MAINTAINERS ESPECIALLY):
> > >
> > > Q1) [...]
> > >
> > > Q2) [...]
> > >
> > > Q3) [...]
> > >
> > > Q4) [...]
> >
> > Hey all,
> >
> > I have a question relating to this part of code @ vmx_update_guest_cr:
> >
> >         if ( paging_mode_hap(v->domain) )
> >         {
> >             /* Manage GUEST_CR3 when CR0.PE=0. */
> >             uint32_t cr3_ctls = (CPU_BASED_CR3_LOAD_EXITING |
> >                                  CPU_BASED_CR3_STORE_EXITING);
> >             v->arch.hvm_vmx.exec_control &= ~cr3_ctls;
> >             if ( !hvm_paging_enabled(v) && !vmx_unrestricted_guest(v) )
> >                 v->arch.hvm_vmx.exec_control |= cr3_ctls;
> >
> >             /* Trap CR3 updates if CR3 memory events are enabled. */
> >             if ( v->domain->arch.monitor.write_ctrlreg_enabled &
> >                  monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3) )
> >                 v->arch.hvm_vmx.exec_control |= CPU_BASED_CR3_LOAD_EXITING;
> >
> >             vmx_update_cpu_exec_control(v);
> >         }
> >
> > While trying to move the check for VM_EVENT_X86_CR3 to the scheduling tail, a few questions came to my mind.
> >
> > 1). Tamas, Razvan, maybe you guys could clarify this. I noticed this part of code is only executed if paging_mode_hap(v->domain). Is EPT mandatory to monitor CR3 writes or is it just that when shadow paging is enabled, CR3 r/w are unconditionally trapped?
>
> EPT is not really required for CR3 monitoring, it just has been the case that vm_events have been only implemented for hap-enabled domains. AFAIK for non-hap case CR3 needs to be trapped unconditionally, yes.

Specifically, the shadow pagetable code needs to swap shadows when the guest switches cr3.

> > If the former is true, shouldn't we do a check like this in vm_event_monitor_get_capabilities instead?
>
> Yes, it should now, this code was just written before vm_event_monitor_get_capabilities was introduced and we haven't gotten around converting this check to it.
>
> > 2). I was also wondering why CR3 load/stores are trapped if paging is disabled for a domain.
>
> Good question, I was wondering about that myself at some point but I haven't found an answer to it. Maybe some git archaeology can help determine when that was added and why ;)

Gen1 VT-x didn't support running a guest in non-paged mode.  Gen2 introduced "unrestricted-guest" which works as intended, but Gen1 has to fake non-paged mode using identity paging.  As a result, CR3 cannot be used as scratch space like it can in non-paged mode, and the guest must be prevented from moving CR3 away from the gfn set up by the domain builder in HVM_PARAM_IDENT_PT.

~Andrew
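What the two answers above describe, as an added example that is not Xen code and is not from anyone in this thread: a user-space C model of (a) how the CR3 load/store exiting bits fall out of the vcpu's state when the shadow-paging case, the Gen1 "paging off without unrestricted guest" case and the write-ctrlreg monitor bit are all considered together, and (b) why the Gen1 trap is needed, by building the same kind of 4MB-page identity page directory the domain builder hands over via HVM_PARAM_IDENT_PT and showing that a guest MOV to CR3 with CR0.PG=0 is recorded but the hardware root stays pinned to it. `struct vcpu_state`, `cr3_exec_controls`, `resolve_hw_cr3`, `guest_write_cr3`, `walk_pd`, `gen1_scenario_holds`, the numeric value used for VM_EVENT_X86_CR3 and the gfn 0xfeffd are this example's own assumptions; only the CPU_BASED_* bit positions (bits 15 and 16 of the VMX primary processor-based controls) are taken from the hardware definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* VMX primary processor-based controls: bit 15 and bit 16. */
#define CPU_BASED_CR3_LOAD_EXITING   (1u << 15)
#define CPU_BASED_CR3_STORE_EXITING  (1u << 16)

/* Index of CR3 in the write_ctrlreg monitor bitmask (example's own value). */
#define VM_EVENT_X86_CR3             1
#define monitor_ctrlreg_bitmask(idx) (1u << (idx))

#define PAGE_SHIFT     12
#define _PAGE_PRESENT  0x001u
#define _PAGE_RW       0x002u
#define _PAGE_USER     0x004u
#define _PAGE_ACCESSED 0x020u
#define _PAGE_DIRTY    0x040u
#define _PAGE_PSE      0x080u   /* 4MB page in a 32-bit (non-PAE) page directory */

struct vcpu_state {
    bool     hap;                   /* EPT in use, as opposed to shadow paging */
    bool     unrestricted_guest;    /* Gen2 VT-x: CR0.PG=0 runs natively */
    bool     paging_enabled;        /* guest's CR0.PG */
    uint32_t write_ctrlreg_enabled; /* monitor bitmask of control registers */
    uint64_t guest_cr3;             /* value the guest most recently wrote */
    uint64_t ident_pt_gfn;          /* analogue of HVM_PARAM_IDENT_PT, in gfn units */
};

/* Recompute the CR3 exiting bits from the whole vcpu state.  A pure function
 * of state cannot lose the monitor contribution no matter which caller (the
 * CR update path or the scheduling tail) happens to run last. */
uint32_t cr3_exec_controls(const struct vcpu_state *v)
{
    uint32_t ctls = 0;

    /* Shadow paging: the hypervisor must see every CR3 switch to swap shadows. */
    if (!v->hap)
        return CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING;

    /* Gen1 VT-x with CR0.PG=0: the real CR3 is pinned to the identity PT,
     * so both guest loads and stores of CR3 have to be emulated. */
    if (!v->paging_enabled && !v->unrestricted_guest)
        ctls |= CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING;

    /* Introspection subscriber: writes only, reads stay untrapped. */
    if (v->write_ctrlreg_enabled & monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3))
        ctls |= CPU_BASED_CR3_LOAD_EXITING;

    return ctls;
}

/* The page-table root the hardware really runs on.  While a Gen1 guest has
 * paging off, the value it wrote is remembered but not loaded. */
uint64_t resolve_hw_cr3(const struct vcpu_state *v)
{
    if (v->hap && !v->paging_enabled && !v->unrestricted_guest)
        return v->ident_pt_gfn << PAGE_SHIFT;
    return v->guest_cr3;
}

/* Emulated MOV to CR3 after the trap: only the guest-visible copy changes. */
void guest_write_cr3(struct vcpu_state *v, uint64_t value)
{
    v->guest_cr3 = value;
}

/* 1024 4MB PSE entries mapping every linear address to itself. */
void build_identity_pd(uint32_t pd[1024])
{
    for (uint32_t i = 0; i < 1024; i++)
        pd[i] = (i << 22) | _PAGE_PRESENT | _PAGE_RW | _PAGE_USER |
                _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_PSE;
}

/* Translate a 32-bit linear address through a PSE page directory;
 * -1 for a not-present or non-4MB entry. */
int64_t walk_pd(const uint32_t pd[1024], uint32_t la)
{
    uint32_t pde = pd[la >> 22];

    if (!(pde & _PAGE_PRESENT) || !(pde & _PAGE_PSE))
        return -1;
    return (int64_t)((pde & 0xFFC00000u) | (la & 0x003FFFFFu));
}

/* Every 4MB region of the built directory must translate to itself. */
bool identity_pd_selftest(void)
{
    static uint32_t pd[1024];

    build_identity_pd(pd);
    for (uint32_t i = 0; i < 1024; i++) {
        uint32_t la = (i << 22) | 0x1234;
        if (walk_pd(pd, la) != (int64_t)la)
            return false;
    }
    return true;
}

/* The Gen1 scenario from the thread: HAP guest, no unrestricted guest,
 * writes CR3 with paging off, then enables paging, then gets monitored. */
bool gen1_scenario_holds(void)
{
    struct vcpu_state v = {
        .hap = true, .unrestricted_guest = false, .paging_enabled = false,
        .write_ctrlreg_enabled = 0, .guest_cr3 = 0,
        .ident_pt_gfn = 0xfeffd,   /* constructed gfn, not Xen's layout */
    };

    guest_write_cr3(&v, 0x1000);   /* trapped and recorded, not applied */
    if (resolve_hw_cr3(&v) != (0xfeffdULL << PAGE_SHIFT))
        return false;
    if (cr3_exec_controls(&v) != (CPU_BASED_CR3_LOAD_EXITING | CPU_BASED_CR3_STORE_EXITING))
        return false;

    v.paging_enabled = true;       /* CR0.PG set: the guest's CR3 takes effect */
    if (resolve_hw_cr3(&v) != 0x1000 || cr3_exec_controls(&v) != 0)
        return false;

    v.write_ctrlreg_enabled = monitor_ctrlreg_bitmask(VM_EVENT_X86_CR3);
    return cr3_exec_controls(&v) == CPU_BASED_CR3_LOAD_EXITING;
}

int main(void)
{
    printf("identity PD self-test: %s\n", identity_pd_selftest() ? "ok" : "FAIL");
    printf("Gen1 CR3 pinning scenario: %s\n", gen1_scenario_holds() ? "ok" : "FAIL");
    return 0;
}
```

Build with `cc -std=c99 -Wall -o cr3model cr3model.c`. The point of keeping `cr3_exec_controls` a pure function of state, rather than the clear-then-set sequence in the quoted snippet, is that the monitor check can then be evaluated from any call site without one writer of exec_control clobbering another. The model deliberately ignores PAE and long-mode page-table formats and the shadow-paging internals beyond "always exit".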