From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5A5AEEB64DA for ; Wed, 5 Jul 2023 08:49:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:References :In-Reply-To:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=J1Ly65sk+k2CA7Y42jnPkCBz6Sm+mRmyjgHrnKQZlUc=; b=Rd3CjUPXB5Fnee txJT/6HaeU4+LyDMo2aww4Bcd5U0RK5XK51I5/7jFktl19fiu2esqp9Aa5Bo6ShitYD8OCZqLCI52 CP85gTnrhMpNbhsV1s3eZt2oaZKkCf5QpLN7ZShdr2TRXJS7/WYQ9slVrOFV48m5NAQOxhIfVekkk HTMHBC6PpPLdpdfjT8xJe+8dNAmDzvH0rOdAWGmW2ZNKyYLUluvhnHcRtnncBbRRh5O5vkJzALDGL C8w6Koh9MdggeuNSYxxsfY/U5fbWNZIwUWy+oXCvID3ElPZ8jauzWp6azGsKDEehyZHo+1rouMZ7x aargkVZUgEsgYyPB1diw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qGyC9-00FGLF-29; Wed, 05 Jul 2023 08:49:05 +0000 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qGyC6-00FGKH-2u for linux-arm-kernel@lists.infradead.org; Wed, 05 Jul 2023 08:49:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1688546941; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=mejduW6pzyJ5/oq78SQym8Bp3DsXmuWwE5r2XAdQDl8=; b=VxdZywyOSEwjwzSFxXwA/kbK/AxNMjAK1Gif2Y2INjPkm+nXRH4vsznEytEcZgxyJJ1D+h zZheoz3p4EEeMNaDyRVyMkpeOdEYcdCVlyUm2EsNdbiInMQPoLkjGDNjUF2jROscLV3aTM h+d9ivz9F2710wMzckNUDSpCRtxrm2Y= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-274-plHcPoEfPyicWq02xxyA4Q-1; Wed, 05 Jul 2023 04:48:59 -0400 X-MC-Unique: plHcPoEfPyicWq02xxyA4Q-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5E74B3C100A1; Wed, 5 Jul 2023 08:48:58 +0000 (UTC) Received: from localhost (dhcp-192-239.str.redhat.com [10.33.192.239]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 194B41121315; Wed, 5 Jul 2023 08:48:57 +0000 (UTC) From: Cornelia Huck To: Oliver Upton Cc: Jing Zhang , KVM , KVMARM , ARMLinux , Marc Zyngier , Oliver Upton , Will Deacon , Paolo Bonzini , James Morse , Alexandru Elisei , Suzuki K Poulose , Fuad Tabba , Reiji Watanabe , Raghavendra Rao Ananta , Suraj Jitindar Singh Subject: Re: [PATCH v4 1/4] KVM: arm64: Enable writable for ID_AA64DFR0_EL1 In-Reply-To: Organization: Red Hat GmbH References: <20230607194554.87359-1-jingzhangos@google.com> <20230607194554.87359-2-jingzhangos@google.com> <874jmjiumh.fsf@redhat.com> User-Agent: Notmuch/0.37 (https://notmuchmail.org) Date: Wed, 05 Jul 2023 10:48:57 +0200 Message-ID: <87o7kq3fra.fsf@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230705_014903_020706_C14EF03E X-CRM114-Status: GOOD ( 33.06 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Tue, Jul 04 2023, Oliver Upton wrote: > Hi Cornelia, > > On Tue, Jul 04, 2023 at 05:06:30PM +0200, Cornelia Huck wrote: >> On Mon, Jun 26 2023, Oliver Upton wrote: >> >> > On Wed, Jun 07, 2023 at 07:45:51PM +0000, Jing Zhang wrote: >> >> + brps = FIELD_GET(ID_AA64DFR0_EL1_BRPs_MASK, val); >> >> + ctx_cmps = FIELD_GET(ID_AA64DFR0_EL1_CTX_CMPs_MASK, val); >> >> + if (ctx_cmps > brps) >> >> + return -EINVAL; >> >> + >> > >> > I'm not fully convinced on the need to do this sort of cross-field >> > validation... I think it is probably more trouble than it is worth. If >> > userspace writes something illogical to the register, oh well. All we >> > should care about is that the advertised feature set is a subset of >> > what's supported by the host. >> > >> > The series doesn't even do complete sanity checking, and instead works >> > on a few cherry-picked examples. AA64PFR0.EL{0-3} would also require >> > special handling depending on how pedantic you're feeling. AArch32 >> > support at a higher exception level implies AArch32 support at all lower >> > exception levels. >> > >> > But that isn't a suggestion to implement it, more of a suggestion to >> > just avoid the problem as a whole. >> >> Generally speaking, how much effort do we want to invest to prevent >> userspace from doing dumb things? "Make sure we advertise a subset of >> features of what the host supports" and "disallow writing values that >> are not allowed by the architecture in the first place" seem reasonable, >> but if userspace wants to create weird frankencpus[1], should it be >> allowed to break the guest and get to keep the pieces? > > What I'm specifically objecting to is having KVM do sanity checks across > multiple fields. That requires explicit, per-field plumbing that will > eventually become a tangled mess that Marc and I will have to maintain. > The context-aware breakpoints is one example, as is ensuring SVE is > exposed iff FP is too. In all likelihood we'll either get some part of > this wrong, or miss a required check altogether. Nod, this sounds like more trouble than it's worth in the end. > > Modulo a few exceptions to this case, I think per-field validation is > going to cover almost everything we're worried about, and we get that > largely for free from arm64_check_features(). > >> I'd be more in favour to rely on userspace to configure something that >> is actually usable; it needs to sanitize any user-provided configuration >> anyway. > > Just want to make sure I understand your sentiment here, you'd be in > favor of the more robust sanitization? In userspace. E.g. QEMU can go ahead and try to implement the user-exposed knobs in a way that the really broken configurations are not even possible. I'd also expect userspace to have a more complete view of what it is trying to instantiate (especially if code is shared between instantiating a vcpu for use with KVM and a fully emulated vcpu -- we probably don't want to go all crazy in the latter case, either.) > >> [1] I think userspace will end up creating frankencpus in any case, but >> at least it should be the kind that doesn't look out of place in the >> subway if you dress it in proper clothing. > > I mean, KVM already advertises a frankencpu in the first place, so we're > off to a good start :) Indeed :) _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel