From: Oliver Upton <oliver.upton@linux.dev>
To: Marc Zyngier <maz@kernel.org>
Cc: Fuad Tabba <tabba@google.com>, Mark Brown <broonie@kernel.org>,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
will@kernel.org, qperret@google.com, seanjc@google.com,
alexandru.elisei@arm.com, catalin.marinas@arm.com,
philmd@linaro.org, james.morse@arm.com, suzuki.poulose@arm.com,
mark.rutland@arm.com, joey.gouly@arm.com, rananta@google.com,
yuzenghui@huawei.com
Subject: Re: [PATCH v1 0/7] KVM: arm64: Fix handling of host fpsimd/sve state in protected mode
Date: Mon, 20 May 2024 17:37:36 +0000 [thread overview]
Message-ID: <ZkuKYA6-u-eZmBOO@linux.dev> (raw)
In-Reply-To: <87pltg3ntq.wl-maz@kernel.org>
On Mon, May 20, 2024 at 09:11:13AM +0100, Marc Zyngier wrote:
> On Mon, 20 May 2024 08:35:47 +0100, Fuad Tabba <tabba@google.com> wrote:
> > The reason for that is that in pKVM we want to avoid leaking any
> > information about protected VM activity to the host, including whether
> > the VM might have performed fpsimd/sve operations. Therefore, we need
> > to ensure that the host SVE state looks the same after a protected
> > guest has run as it did before a protected guest has run.
Wouldn't it be equally valid to just zero the state that will not be
preserved regardless of whether or not the guest used fpsimd/sve?
> > It would be correct to only save/restore the host's fpsimd state
> > (i.e., first 128 bits of the vector registers), which is what KVM does
> > in other modes. However, unless we always zero out the rest of the
> > state, regardless whether the protected guest has used fpsimd/sve,
> > then the host would be able to find out that the guest has in fact
> > performed fpsimd/sve operations.
> >
> > This isn't necessary for non-protected VMs, but Marc thought that for
> > now it would be better to simplify things and have pKVM behave the
> > same way for both protected and non-protected VMs. As a future
> > optimization for non-protected VMs, we could have them behave as VMs
> > in other modes.
>
> And I stand by what I said. Having a hybrid mode is a maintenance
> burden, and it will absolutely lead to some sort of horrible bugs (it
> just take a look at the mailing list to see that we have no shortage
> of bugs related to lazy FP/SVE handling).
Agree, but I don't think the suggestion is in any way incompatible with
eager save/restore of FP/SVE state.
From the looks of it, we're *still* adding protected-mode specialization
to save/restore the host's SVE state, even though we decided in commit
8383741ab2e7 ("KVM: arm64: Get rid of host SVE tracking/saving") that
this was completely unnecessary in non-protected configurations.
What I'm instead suggesting is that we make it part of the __kvm_vcpu_run() API
that the non-overlapping SVE state gets discarded by the callee, which
would align with an expectation that the host kernel has already done
this upon syscall entry.
Then all of the FPSIMD/SVE save/restore logic we have in the hyp 'just
works' so long as we 0 the SVE registers before loading in the host's
FPSIMD state.
--
Thanks,
Oliver
WARNING: multiple messages have this Message-ID (diff)
From: Oliver Upton <oliver.upton@linux.dev>
To: Marc Zyngier <maz@kernel.org>
Cc: Fuad Tabba <tabba@google.com>, Mark Brown <broonie@kernel.org>,
kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
will@kernel.org, qperret@google.com, seanjc@google.com,
alexandru.elisei@arm.com, catalin.marinas@arm.com,
philmd@linaro.org, james.morse@arm.com, suzuki.poulose@arm.com,
mark.rutland@arm.com, joey.gouly@arm.com, rananta@google.com,
yuzenghui@huawei.com
Subject: Re: [PATCH v1 0/7] KVM: arm64: Fix handling of host fpsimd/sve state in protected mode
Date: Mon, 20 May 2024 17:37:36 +0000 [thread overview]
Message-ID: <ZkuKYA6-u-eZmBOO@linux.dev> (raw)
In-Reply-To: <87pltg3ntq.wl-maz@kernel.org>
On Mon, May 20, 2024 at 09:11:13AM +0100, Marc Zyngier wrote:
> On Mon, 20 May 2024 08:35:47 +0100, Fuad Tabba <tabba@google.com> wrote:
> > The reason for that is that in pKVM we want to avoid leaking any
> > information about protected VM activity to the host, including whether
> > the VM might have performed fpsimd/sve operations. Therefore, we need
> > to ensure that the host SVE state looks the same after a protected
> > guest has run as it did before a protected guest has run.
Wouldn't it be equally valid to just zero the state that will not be
preserved regardless of whether or not the guest used fpsimd/sve?
> > It would be correct to only save/restore the host's fpsimd state
> > (i.e., first 128 bits of the vector registers), which is what KVM does
> > in other modes. However, unless we always zero out the rest of the
> > state, regardless whether the protected guest has used fpsimd/sve,
> > then the host would be able to find out that the guest has in fact
> > performed fpsimd/sve operations.
> >
> > This isn't necessary for non-protected VMs, but Marc thought that for
> > now it would be better to simplify things and have pKVM behave the
> > same way for both protected and non-protected VMs. As a future
> > optimization for non-protected VMs, we could have them behave as VMs
> > in other modes.
>
> And I stand by what I said. Having a hybrid mode is a maintenance
> burden, and it will absolutely lead to some sort of horrible bugs (it
> just take a look at the mailing list to see that we have no shortage
> of bugs related to lazy FP/SVE handling).
Agree, but I don't think the suggestion is in any way incompatible with
eager save/restore of FP/SVE state.
From the looks of it, we're *still* adding protected-mode specialization
to save/restore the host's SVE state, even though we decided in commit
8383741ab2e7 ("KVM: arm64: Get rid of host SVE tracking/saving") that
this was completely unnecessary in non-protected configurations.
What I'm instead suggesting is that we make it part of the __kvm_vcpu_run() API
that the non-overlapping SVE state gets discarded by the callee, which
would align with an expectation that the host kernel has already done
this upon syscall entry.
Then all of the FPSIMD/SVE save/restore logic we have in the hyp 'just
works' so long as we 0 the SVE registers before loading in the host's
FPSIMD state.
--
Thanks,
Oliver
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2024-05-20 17:37 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-17 13:18 [PATCH v1 0/7] KVM: arm64: Fix handling of host fpsimd/sve state in protected mode Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 1/7] KVM: arm64: Reintroduce __sve_save_state Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 2/7] KVM: arm64: Specialize deactivate fpsimd/sve traps on guest trap Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 3/7] KVM: arm64: Specialize handling of host fpsimd state on trap Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 4/7] KVM: arm64: Store the maximum sve vector length at hyp Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 5/7] KVM: arm64: Allocate memory at hyp for host sve state in pKVM Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 13:18 ` [PATCH v1 6/7] KVM: arm64: Eagerly restore host fpsimd/sve " Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 17:09 ` Oliver Upton
2024-05-17 17:09 ` Oliver Upton
2024-05-20 7:37 ` Fuad Tabba
2024-05-20 7:37 ` Fuad Tabba
2024-05-20 8:05 ` Marc Zyngier
2024-05-20 8:05 ` Marc Zyngier
2024-05-20 8:53 ` Fuad Tabba
2024-05-20 8:53 ` Fuad Tabba
2024-05-20 17:08 ` Oliver Upton
2024-05-20 17:08 ` Oliver Upton
2024-05-17 13:18 ` [PATCH v1 7/7] KVM: arm64: Consolidate initializing the host data's fpsimd_state/sve " Fuad Tabba
2024-05-17 13:18 ` Fuad Tabba
2024-05-17 17:30 ` [PATCH v1 0/7] KVM: arm64: Fix handling of host fpsimd/sve state in protected mode Oliver Upton
2024-05-17 17:30 ` Oliver Upton
2024-05-17 18:19 ` Mark Brown
2024-05-17 18:19 ` Mark Brown
2024-05-20 7:35 ` Fuad Tabba
2024-05-20 7:35 ` Fuad Tabba
2024-05-20 8:11 ` Marc Zyngier
2024-05-20 8:11 ` Marc Zyngier
2024-05-20 17:37 ` Oliver Upton [this message]
2024-05-20 17:37 ` Oliver Upton
2024-05-20 17:53 ` Mark Brown
2024-05-20 17:53 ` Mark Brown
2024-05-20 17:59 ` Fuad Tabba
2024-05-20 17:59 ` Fuad Tabba
2024-05-20 17:57 ` Fuad Tabba
2024-05-20 17:57 ` Fuad Tabba
2024-05-20 20:53 ` Oliver Upton
2024-05-20 20:53 ` Oliver Upton
2024-05-21 12:27 ` Fuad Tabba
2024-05-21 12:27 ` Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZkuKYA6-u-eZmBOO@linux.dev \
--to=oliver.upton@linux.dev \
--cc=alexandru.elisei@arm.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=philmd@linaro.org \
--cc=qperret@google.com \
--cc=rananta@google.com \
--cc=seanjc@google.com \
--cc=suzuki.poulose@arm.com \
--cc=tabba@google.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.