From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oupton@google.com>
Cc: kvm@vger.kernel.org, pshier@google.com,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: KVM/arm64: Guest ABI changes do not appear rollback-safe
Date: Wed, 25 Aug 2021 10:27:10 +0100 [thread overview]
Message-ID: <87mtp5q3gx.wl-maz@kernel.org> (raw)
In-Reply-To: <YSVhV+UIMY12u2PW@google.com>
Hi Oliver,
Adding Andrew and Peter to the discussion.
On Tue, 24 Aug 2021 22:15:03 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Hey folks,
>
> Ricardo and I were discussing hypercall support in KVM/arm64 and
> something seems to be a bit problematic. I do not see anywhere that KVM
> requires opt-in from the VMM to expose new hypercalls to the guest. To
> name a few, the TRNG and KVM PTP hypercalls are unconditionally provided
> to the guest.
>
> Exposing new hypercalls to guests in this manner seems very unsafe to
> me. Suppose an operator is trying to upgrade from kernel N to kernel
> N+1, which brings in the new 'widget' hypercall. Guests are live
> migrated onto the N+1 kernel, but the operator finds a defect that
> warrants a kernel rollback. VMs are then migrated from kernel N+1 -> N.
> Any guests that discovered the 'widget' hypercall are likely going to
> get fussy _very_ quickly on the old kernel.
This goes against what we decided to support for the *only* publicly
available VMM that cares about save/restore, which is that we only
move forward and don't rollback. Hypercalls are the least of your
worries, and there is a whole range of other architectural features
that will have also appeared/disappeared (your own CNTPOFF series is a
glaring example of this).
I appreciate that you may have different considerations, but I felt
that it was important to state *why* this is the way it is.
>
> Really, we need to ensure that the exposed guest ABI is
> backwards-compatible. Running a VMM that is blissfully unaware of the
> 'widget' hypercall should not implicitly expose it to its guest on a new
> kernel.
>
> This conversation was in the context of devising a new UAPI that allows
> VMMs to trap hypercalls to userspace. While such an interface would
> easily work around the issue, the onus of ABI compatibility lies with
> the kernel.
>
> So, this is all a long-winded way of asking: how do we dig ourselves out
> of this situation, and how to we avoid it happening again in the future?
> I believe the answer to both is to have new VM capabilities for sets of
> hypercalls exposed to the guest. Unfortunately, the unconditional
> exposure of TRNG and PTP hypercalls is ABI now, so we'd have to provide
> an opt-out at this point. For anything new, require opt-in from the VMM
> before we give it to the guest.
>
> Have I missed something blatantly obvious, or do others see this as an
> issue as well? I'll reply with an example of adding opt-out for PTP.
> I'm sure other hypercalls could be handled similarly.
Why do we need this? For future hypercalls, we could have some buy-in
capabilities. For existing ones, it is too late, and negative features
are just too horrible.
For KVM-specific hypercalls, we could get the VMM to save/restore the
bitmap of supported functions. That would be "less horrible". This
could be implemented using extra "firmware pseudo-registers" such as
the ones described in Documentation/virt/kvm/arm/psci.rst.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oupton@google.com>
Cc: kvmarm@lists.cs.columbia.edu, pshier@google.com,
ricarkol@google.com, rananta@google.com, reijiw@google.com,
jingzhangos@google.com, kvm@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, james.morse@arm.com,
alexandru.elisei@arm.com, suzuki.poulose@arm.com,
Drew Jones <drjones@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>
Subject: Re: KVM/arm64: Guest ABI changes do not appear rollback-safe
Date: Wed, 25 Aug 2021 10:27:10 +0100 [thread overview]
Message-ID: <87mtp5q3gx.wl-maz@kernel.org> (raw)
In-Reply-To: <YSVhV+UIMY12u2PW@google.com>
Hi Oliver,
Adding Andrew and Peter to the discussion.
On Tue, 24 Aug 2021 22:15:03 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Hey folks,
>
> Ricardo and I were discussing hypercall support in KVM/arm64 and
> something seems to be a bit problematic. I do not see anywhere that KVM
> requires opt-in from the VMM to expose new hypercalls to the guest. To
> name a few, the TRNG and KVM PTP hypercalls are unconditionally provided
> to the guest.
>
> Exposing new hypercalls to guests in this manner seems very unsafe to
> me. Suppose an operator is trying to upgrade from kernel N to kernel
> N+1, which brings in the new 'widget' hypercall. Guests are live
> migrated onto the N+1 kernel, but the operator finds a defect that
> warrants a kernel rollback. VMs are then migrated from kernel N+1 -> N.
> Any guests that discovered the 'widget' hypercall are likely going to
> get fussy _very_ quickly on the old kernel.
This goes against what we decided to support for the *only* publicly
available VMM that cares about save/restore, which is that we only
move forward and don't rollback. Hypercalls are the least of your
worries, and there is a whole range of other architectural features
that will have also appeared/disappeared (your own CNTPOFF series is a
glaring example of this).
I appreciate that you may have different considerations, but I felt
that it was important to state *why* this is the way it is.
>
> Really, we need to ensure that the exposed guest ABI is
> backwards-compatible. Running a VMM that is blissfully unaware of the
> 'widget' hypercall should not implicitly expose it to its guest on a new
> kernel.
>
> This conversation was in the context of devising a new UAPI that allows
> VMMs to trap hypercalls to userspace. While such an interface would
> easily work around the issue, the onus of ABI compatibility lies with
> the kernel.
>
> So, this is all a long-winded way of asking: how do we dig ourselves out
> of this situation, and how to we avoid it happening again in the future?
> I believe the answer to both is to have new VM capabilities for sets of
> hypercalls exposed to the guest. Unfortunately, the unconditional
> exposure of TRNG and PTP hypercalls is ABI now, so we'd have to provide
> an opt-out at this point. For anything new, require opt-in from the VMM
> before we give it to the guest.
>
> Have I missed something blatantly obvious, or do others see this as an
> issue as well? I'll reply with an example of adding opt-out for PTP.
> I'm sure other hypercalls could be handled similarly.
Why do we need this? For future hypercalls, we could have some buy-in
capabilities. For existing ones, it is too late, and negative features
are just too horrible.
For KVM-specific hypercalls, we could get the VMM to save/restore the
bitmap of supported functions. That would be "less horrible". This
could be implemented using extra "firmware pseudo-registers" such as
the ones described in Documentation/virt/kvm/arm/psci.rst.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Marc Zyngier <maz@kernel.org>
To: Oliver Upton <oupton@google.com>
Cc: kvmarm@lists.cs.columbia.edu, pshier@google.com,
ricarkol@google.com, rananta@google.com, reijiw@google.com,
jingzhangos@google.com, kvm@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, james.morse@arm.com,
alexandru.elisei@arm.com, suzuki.poulose@arm.com,
Drew Jones <drjones@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>
Subject: Re: KVM/arm64: Guest ABI changes do not appear rollback-safe
Date: Wed, 25 Aug 2021 10:27:10 +0100 [thread overview]
Message-ID: <87mtp5q3gx.wl-maz@kernel.org> (raw)
In-Reply-To: <YSVhV+UIMY12u2PW@google.com>
Hi Oliver,
Adding Andrew and Peter to the discussion.
On Tue, 24 Aug 2021 22:15:03 +0100,
Oliver Upton <oupton@google.com> wrote:
>
> Hey folks,
>
> Ricardo and I were discussing hypercall support in KVM/arm64 and
> something seems to be a bit problematic. I do not see anywhere that KVM
> requires opt-in from the VMM to expose new hypercalls to the guest. To
> name a few, the TRNG and KVM PTP hypercalls are unconditionally provided
> to the guest.
>
> Exposing new hypercalls to guests in this manner seems very unsafe to
> me. Suppose an operator is trying to upgrade from kernel N to kernel
> N+1, which brings in the new 'widget' hypercall. Guests are live
> migrated onto the N+1 kernel, but the operator finds a defect that
> warrants a kernel rollback. VMs are then migrated from kernel N+1 -> N.
> Any guests that discovered the 'widget' hypercall are likely going to
> get fussy _very_ quickly on the old kernel.
This goes against what we decided to support for the *only* publicly
available VMM that cares about save/restore, which is that we only
move forward and don't rollback. Hypercalls are the least of your
worries, and there is a whole range of other architectural features
that will have also appeared/disappeared (your own CNTPOFF series is a
glaring example of this).
I appreciate that you may have different considerations, but I felt
that it was important to state *why* this is the way it is.
>
> Really, we need to ensure that the exposed guest ABI is
> backwards-compatible. Running a VMM that is blissfully unaware of the
> 'widget' hypercall should not implicitly expose it to its guest on a new
> kernel.
>
> This conversation was in the context of devising a new UAPI that allows
> VMMs to trap hypercalls to userspace. While such an interface would
> easily work around the issue, the onus of ABI compatibility lies with
> the kernel.
>
> So, this is all a long-winded way of asking: how do we dig ourselves out
> of this situation, and how to we avoid it happening again in the future?
> I believe the answer to both is to have new VM capabilities for sets of
> hypercalls exposed to the guest. Unfortunately, the unconditional
> exposure of TRNG and PTP hypercalls is ABI now, so we'd have to provide
> an opt-out at this point. For anything new, require opt-in from the VMM
> before we give it to the guest.
>
> Have I missed something blatantly obvious, or do others see this as an
> issue as well? I'll reply with an example of adding opt-out for PTP.
> I'm sure other hypercalls could be handled similarly.
Why do we need this? For future hypercalls, we could have some buy-in
capabilities. For existing ones, it is too late, and negative features
are just too horrible.
For KVM-specific hypercalls, we could get the VMM to save/restore the
bitmap of supported functions. That would be "less horrible". This
could be implemented using extra "firmware pseudo-registers" such as
the ones described in Documentation/virt/kvm/arm/psci.rst.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
next prev parent reply other threads:[~2021-08-25 9:27 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-24 21:15 KVM/arm64: Guest ABI changes do not appear rollback-safe Oliver Upton
2021-08-24 21:15 ` Oliver Upton
2021-08-24 21:15 ` Oliver Upton
2021-08-24 21:34 ` [RFC PATCH] KVM: arm64: Allow VMMs to opt-out of KVM_CAP_PTP_KVM Oliver Upton
2021-08-24 21:34 ` Oliver Upton
2021-08-25 9:27 ` Marc Zyngier [this message]
2021-08-25 9:27 ` KVM/arm64: Guest ABI changes do not appear rollback-safe Marc Zyngier
2021-08-25 9:27 ` Marc Zyngier
2021-08-25 10:02 ` Oliver Upton
2021-08-25 10:02 ` Oliver Upton
2021-08-25 10:02 ` Oliver Upton
2021-08-25 10:39 ` Marc Zyngier
2021-08-25 10:39 ` Marc Zyngier
2021-08-25 10:39 ` Marc Zyngier
2021-08-25 15:07 ` Andrew Jones
2021-08-25 15:07 ` Andrew Jones
2021-08-25 15:07 ` Andrew Jones
2021-08-25 18:14 ` Oliver Upton
2021-08-25 18:14 ` Oliver Upton
2021-08-25 18:14 ` Oliver Upton
2021-08-26 8:37 ` Marc Zyngier
2021-08-26 8:37 ` Marc Zyngier
2021-08-26 8:37 ` Marc Zyngier
2021-08-26 18:49 ` Oliver Upton
2021-08-26 18:49 ` Oliver Upton
2021-08-26 18:49 ` Oliver Upton
2021-08-27 7:40 ` Andrew Jones
2021-08-27 7:40 ` Andrew Jones
2021-08-27 7:40 ` Andrew Jones
2021-09-29 18:22 ` Oliver Upton
2021-09-29 18:22 ` Oliver Upton
2021-09-29 18:22 ` Oliver Upton
2021-09-30 7:32 ` Marc Zyngier
2021-09-30 7:32 ` Marc Zyngier
2021-09-30 7:32 ` Marc Zyngier
2021-09-30 17:24 ` Oliver Upton
2021-09-30 17:24 ` Oliver Upton
2021-09-30 17:24 ` Oliver Upton
2021-10-01 11:43 ` Marc Zyngier
2021-10-01 11:43 ` Marc Zyngier
2021-10-01 11:43 ` Marc Zyngier
2021-10-01 15:38 ` Oliver Upton
2021-10-01 15:38 ` Oliver Upton
2021-10-01 15:38 ` Oliver Upton
2022-01-25 3:47 ` Raghavendra Rao Ananta
2022-01-25 3:47 ` Raghavendra Rao Ananta
2022-01-25 3:47 ` Raghavendra Rao Ananta
2022-01-25 8:45 ` Marc Zyngier
2022-01-25 8:45 ` Marc Zyngier
2022-01-25 8:45 ` Marc Zyngier
2022-01-25 17:29 ` Oliver Upton
2022-01-25 17:29 ` Oliver Upton
2022-01-25 17:29 ` Oliver Upton
2022-02-08 9:46 ` Marc Zyngier
2022-02-08 9:46 ` Marc Zyngier
2022-02-08 9:46 ` Marc Zyngier
2022-02-08 9:56 ` Oliver Upton
2022-02-08 9:56 ` Oliver Upton
2022-02-08 9:56 ` Oliver Upton
2022-02-08 16:58 ` Sean Christopherson
2022-02-08 16:58 ` Sean Christopherson
2022-02-08 16:58 ` Sean Christopherson
2022-02-08 17:48 ` Marc Zyngier
2022-02-08 17:48 ` Marc Zyngier
2022-02-08 17:48 ` Marc Zyngier
2021-08-26 8:49 ` Andrew Jones
2021-08-26 8:49 ` Andrew Jones
2021-08-26 8:49 ` Andrew Jones
2021-08-26 8:54 ` Andrew Jones
2021-08-26 8:54 ` Andrew Jones
2021-08-26 8:54 ` Andrew Jones
2021-08-26 9:43 ` Marc Zyngier
2021-08-26 9:43 ` Marc Zyngier
2021-08-26 9:43 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mtp5q3gx.wl-maz@kernel.org \
--to=maz@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=oupton@google.com \
--cc=pshier@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.