From: Oliver Upton <oliver.upton@linux.dev>
To: Alexandru Elisei <alexandru.elisei@arm.com>
Cc: maz@kernel.org, Will Deacon <will@kernel.org>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: KVM/arm64: SPE: Translate VA to IPA on a stage 2 fault instead of pinning VM memory
Date: Tue, 13 Sep 2022 15:13:31 +0100 [thread overview]
Message-ID: <YyCPYLVayX+NwR4K@google.com> (raw)
In-Reply-To: <YyB6MAv5UZkiY66a@monolith.localdoman>
On Tue, Sep 13, 2022 at 01:41:56PM +0100, Alexandru Elisei wrote:
> Hi Oliver,
>
> On Tue, Sep 13, 2022 at 11:58:47AM +0100, Oliver Upton wrote:
> > Hey Alex,
> >
> > On Mon, Sep 12, 2022 at 03:50:46PM +0100, Alexandru Elisei wrote:
> >
> > [...]
> >
> > > > Yeah, that would be good to follow up on what other OSes are doing.
> > >
> > > FreeBSD doesn't have a SPE driver.
> > >
> > > Currently in the process of finding out how/if Windows implements the
> > > driver.
> > >
> > > > You'll still have a nondestructive S2 fault handler for the SPE, right?
> > > > IOW, if PMBSR_EL1.DL=0 KVM will just unpin the old buffer and repin the
> > > > new one.
> > >
> > > This is how I think about it: a S2 DABT where DL == 0 can happen because of
> > > something that the VMM, KVM or the guest has done:
> > >
> > > 1. If it's because of something that the host's userspace did (memslot was
> > > changed while the VM was running, memory was munmap'ed, etc). In this case,
> > > there's no way for KVM to handle the SPE fault, so I would say that the
> > > sensible approach would be to inject an SPE external abort.
> > >
> > > 2. If it's because of something that KVM did, that can only be because of a
> > > bug in SPE emulation. In this case, it can happen again, which means
> > > arbitrary blackout windows which can skew the profiling results. I would
> > > much rather inject an SPE external abort then let the guest rely on
> > > potentially bad profiling information.
> > >
> > > 3. The guest changes the mapping for the buffer when it shouldn't have: A.
> > > when the architecture does allow it, but KVM doesn't support, or B. when
> > > the architecture doesn't allow it. For both cases, I would much rather
> > > inject an SPE external abort for the reasons above. Furthermore, for B, I
> > > think it would be better to let the guest know as soon as possible that
> > > it's not following the architecture.
> > >
> > > In conclusion, I would prefer to treat all SPE S2 faults as errors.
> >
> > My main concern with treating S2 faults as a synthetic external abort is
> > how this behavior progresses in later versions of the architecture.
> > SPEv1p3 disallows implementations from reporting external aborts via the
> > SPU, instead allowing only for an SError to be delivered to the core.
>
> Ah, yes, missed that bit for SPEv1p3 (ARM DDI 0487H.a, page D10-5180).
>
> >
> > I caught up with Will on this for a little bit:
> >
> > Instead of an external abort, how about reporting an IMP DEF buffer
> > management event to the guest? At least for the Linux driver it should
> > have the same effect of killing the session but the VM will stay
> > running. This way there's no architectural requirement to promote to an
> > SError.
>
> The only reason I proposed to inject an external abort is because KVM needs
> a way to tell the guest that something outside of the guest's control went
> wrong and it should drop the contents of the current profiling session. An
> external abort reported by the SPU seemed to fit the bit.
>
> By IMP DEF buffer management event I assume you mean PMBSR_EL1.EC=0b011111
> (Buffer management event for an IMPLEMENTATION DEFINED reason).
Yup, that's it. You also get two whole bytes of room in PMBSR_EL1.MSS
which is also IMP DEF, so we could even stick some ASCII in there to
tell the guest how we really feel! :-P
> I'm thinking that someone might run a custom kernel in a VM, like a vendor
> downstream kernel, with patches that actually handle this exception class,
> and injecting such an exception might not have the effects that KVM
> expects. Am I overthinking things? Is that something that KVM should take
> into consideration? I suppose KVM can and should also set
> PMBSR_EL1.DL = 1, as that means per the architecture that the buffer
> contents should be discarded.
I agree with you that PMBSR_EL1.DL=1 is the right call for this. With
that, I'd be surprised if there was a guest that tried to pull some
tricks other than blowing away the profile. The other option that I
find funny is if we plainly report the S2 abort to the guest, but that
wont work well when nested comes into the picture.
--
Thanks,
Oliver
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Oliver Upton <oliver.upton@linux.dev>
To: Alexandru Elisei <alexandru.elisei@arm.com>
Cc: maz@kernel.org, Will Deacon <will@kernel.org>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: KVM/arm64: SPE: Translate VA to IPA on a stage 2 fault instead of pinning VM memory
Date: Tue, 13 Sep 2022 15:13:31 +0100 [thread overview]
Message-ID: <YyCPYLVayX+NwR4K@google.com> (raw)
In-Reply-To: <YyB6MAv5UZkiY66a@monolith.localdoman>
On Tue, Sep 13, 2022 at 01:41:56PM +0100, Alexandru Elisei wrote:
> Hi Oliver,
>
> On Tue, Sep 13, 2022 at 11:58:47AM +0100, Oliver Upton wrote:
> > Hey Alex,
> >
> > On Mon, Sep 12, 2022 at 03:50:46PM +0100, Alexandru Elisei wrote:
> >
> > [...]
> >
> > > > Yeah, that would be good to follow up on what other OSes are doing.
> > >
> > > FreeBSD doesn't have a SPE driver.
> > >
> > > Currently in the process of finding out how/if Windows implements the
> > > driver.
> > >
> > > > You'll still have a nondestructive S2 fault handler for the SPE, right?
> > > > IOW, if PMBSR_EL1.DL=0 KVM will just unpin the old buffer and repin the
> > > > new one.
> > >
> > > This is how I think about it: a S2 DABT where DL == 0 can happen because of
> > > something that the VMM, KVM or the guest has done:
> > >
> > > 1. If it's because of something that the host's userspace did (memslot was
> > > changed while the VM was running, memory was munmap'ed, etc). In this case,
> > > there's no way for KVM to handle the SPE fault, so I would say that the
> > > sensible approach would be to inject an SPE external abort.
> > >
> > > 2. If it's because of something that KVM did, that can only be because of a
> > > bug in SPE emulation. In this case, it can happen again, which means
> > > arbitrary blackout windows which can skew the profiling results. I would
> > > much rather inject an SPE external abort then let the guest rely on
> > > potentially bad profiling information.
> > >
> > > 3. The guest changes the mapping for the buffer when it shouldn't have: A.
> > > when the architecture does allow it, but KVM doesn't support, or B. when
> > > the architecture doesn't allow it. For both cases, I would much rather
> > > inject an SPE external abort for the reasons above. Furthermore, for B, I
> > > think it would be better to let the guest know as soon as possible that
> > > it's not following the architecture.
> > >
> > > In conclusion, I would prefer to treat all SPE S2 faults as errors.
> >
> > My main concern with treating S2 faults as a synthetic external abort is
> > how this behavior progresses in later versions of the architecture.
> > SPEv1p3 disallows implementations from reporting external aborts via the
> > SPU, instead allowing only for an SError to be delivered to the core.
>
> Ah, yes, missed that bit for SPEv1p3 (ARM DDI 0487H.a, page D10-5180).
>
> >
> > I caught up with Will on this for a little bit:
> >
> > Instead of an external abort, how about reporting an IMP DEF buffer
> > management event to the guest? At least for the Linux driver it should
> > have the same effect of killing the session but the VM will stay
> > running. This way there's no architectural requirement to promote to an
> > SError.
>
> The only reason I proposed to inject an external abort is because KVM needs
> a way to tell the guest that something outside of the guest's control went
> wrong and it should drop the contents of the current profiling session. An
> external abort reported by the SPU seemed to fit the bit.
>
> By IMP DEF buffer management event I assume you mean PMBSR_EL1.EC=0b011111
> (Buffer management event for an IMPLEMENTATION DEFINED reason).
Yup, that's it. You also get two whole bytes of room in PMBSR_EL1.MSS
which is also IMP DEF, so we could even stick some ASCII in there to
tell the guest how we really feel! :-P
> I'm thinking that someone might run a custom kernel in a VM, like a vendor
> downstream kernel, with patches that actually handle this exception class,
> and injecting such an exception might not have the effects that KVM
> expects. Am I overthinking things? Is that something that KVM should take
> into consideration? I suppose KVM can and should also set
> PMBSR_EL1.DL = 1, as that means per the architecture that the buffer
> contents should be discarded.
I agree with you that PMBSR_EL1.DL=1 is the right call for this. With
that, I'd be surprised if there was a guest that tried to pull some
tricks other than blowing away the profile. The other option that I
find funny is if we plainly report the S2 abort to the guest, but that
wont work well when nested comes into the picture.
--
Thanks,
Oliver
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-09-13 14:14 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-19 13:51 KVM/arm64: SPE: Translate VA to IPA on a stage 2 fault instead of pinning VM memory Alexandru Elisei
2022-04-19 13:51 ` Alexandru Elisei
2022-04-19 14:10 ` Will Deacon
2022-04-19 14:10 ` Will Deacon
2022-04-19 14:44 ` Alexandru Elisei
2022-04-19 14:44 ` Alexandru Elisei
2022-04-19 14:59 ` Will Deacon
2022-04-19 14:59 ` Will Deacon
2022-04-19 15:20 ` Alexandru Elisei
2022-04-19 15:20 ` Alexandru Elisei
2022-04-19 15:35 ` Alexandru Elisei
2022-04-19 15:35 ` Alexandru Elisei
2022-07-25 10:06 ` Alexandru Elisei
2022-07-25 10:06 ` Alexandru Elisei
2022-07-26 17:51 ` Oliver Upton
2022-07-26 17:51 ` Oliver Upton
2022-07-27 9:30 ` Marc Zyngier
2022-07-27 9:30 ` Marc Zyngier
2022-07-27 9:52 ` Marc Zyngier
2022-07-27 9:52 ` Marc Zyngier
2022-07-27 10:38 ` Alexandru Elisei
2022-07-27 10:38 ` Alexandru Elisei
2022-07-27 16:06 ` Oliver Upton
2022-07-27 16:06 ` Oliver Upton
2022-07-27 10:56 ` Alexandru Elisei
2022-07-27 10:56 ` Alexandru Elisei
2022-07-27 11:18 ` Marc Zyngier
2022-07-27 11:18 ` Marc Zyngier
2022-07-27 12:10 ` Alexandru Elisei
2022-07-27 12:10 ` Alexandru Elisei
2022-07-27 10:19 ` Alexandru Elisei
2022-07-27 10:19 ` Alexandru Elisei
2022-07-27 10:29 ` Marc Zyngier
2022-07-27 10:29 ` Marc Zyngier
2022-07-27 10:44 ` Alexandru Elisei
2022-07-27 10:44 ` Alexandru Elisei
2022-07-27 11:08 ` Marc Zyngier
2022-07-27 11:08 ` Marc Zyngier
2022-07-27 11:57 ` Alexandru Elisei
2022-07-27 11:57 ` Alexandru Elisei
2022-07-27 15:15 ` Oliver Upton
2022-07-27 15:15 ` Oliver Upton
2022-07-27 11:00 ` Alexandru Elisei
2022-07-27 11:00 ` Alexandru Elisei
2022-08-01 17:00 ` Will Deacon
2022-08-01 17:00 ` Will Deacon
2022-08-02 9:49 ` Alexandru Elisei
2022-08-02 9:49 ` Alexandru Elisei
2022-08-02 19:34 ` Oliver Upton
2022-08-02 19:34 ` Oliver Upton
2022-08-09 14:01 ` Alexandru Elisei
2022-08-09 14:01 ` Alexandru Elisei
2022-08-09 18:43 ` Oliver Upton
2022-08-09 18:43 ` Oliver Upton
2022-08-10 9:37 ` Alexandru Elisei
2022-08-10 9:37 ` Alexandru Elisei
2022-08-10 15:25 ` Oliver Upton
2022-08-10 15:25 ` Oliver Upton
2022-08-12 13:05 ` Alexandru Elisei
2022-08-12 13:05 ` Alexandru Elisei
2022-08-17 15:05 ` Oliver Upton
2022-08-17 15:05 ` Oliver Upton
2022-09-12 14:50 ` Alexandru Elisei
2022-09-12 14:50 ` Alexandru Elisei
2022-09-13 10:58 ` Oliver Upton
2022-09-13 10:58 ` Oliver Upton
2022-09-13 12:41 ` Alexandru Elisei
2022-09-13 12:41 ` Alexandru Elisei
2022-09-13 14:13 ` Oliver Upton [this message]
2022-09-13 14:13 ` Oliver Upton
2023-01-03 14:26 ` Alexandru Elisei
2023-01-03 14:26 ` Alexandru Elisei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YyCPYLVayX+NwR4K@google.com \
--to=oliver.upton@linux.dev \
--cc=alexandru.elisei@arm.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=maz@kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.