Re: [PATCH v9 05/11] KVM: arm64: Enable writable for ID_AA64DFR0_EL1 and ID_DFR0_EL1

[Oliver Upton <oliver.upton@linux.dev>]

On Tue, Sep 05, 2023 at 07:13:35PM -0700, Jing Zhang wrote:

[...]

> > > > I removed sanity checks across multiple fields after the discussion
> > > > here: https://lore.kernel.org/all/ZKRC80hb4hXwW8WK@thinky-boi/
> > > > I might have misunderstood the discussion. I thought we'd let VMM do
> > > > more complete sanity checks.
> > >
> > > The problem is that you don't even have a statement about how this is
> > > supposed to be handled. What are the rules? How can the VMM author
> > > *know*?
> > >
> > > That's my real issue with this series: at no point do we state when an
> > > ID register can be written, what are the rules that must be followed,
> > > where is the split in responsibility between KVM and the VMM, and what
> > > is the expected behaviour when the VMM exposes something that is
> > > completely outlandish to the guest (such as the M-profile debug).
> > >
> > > Do you see the issue? We can always fix the code. But once we've
> > > exposed that to userspace, there is no going back. And I really want
> > > everybody's buy-in on that front, including the VMM people.
> >
> > Understood.
> > Looks like it would be less complicated to have KVM do all the sanity
> > checks to determine if a feature field is configured correctly.
> > The determination can be done by following rules:
> > 1. Architecture constraints from ARM ARM.
> > 2. KVM constraints. (Those features not exposed by KVM should be read-only)
> > 3. VCPU features. (The write mask needs to be determined on-the-fly)
> 
> Does this sound good to you to have all sanity checks in KVM?

I would rather we not implement exhaustive checks in KVM, because we
*will* get them wrong. I don't believe Marc is asking for exhaustive
sanity checks in KVM either, just that we prevent userspace from
selecting features we will _never_ emulate (like the MProfDbg example).
You need very clear documentation for the usage pattern and what the
VMM's responsibilities are (like obeying the ARM ARM).

While we're here, I'll subject the both of you to one of the ongoing
thoughts I've had with the whole configurable CPU model UAPI. Ideally
we should get to the point where all emulation and trap configuration is
solely determined from the ID register values of the VM.

I'm a bit worried that this mixes poorly with userspace system register
accesses, though. As implemented, nothing stops userspce from
interleaving ID register writes with other system registers that might
be conditional on a particular CPU feature. For example, disabling the
PMU via DFR0 and then writing to the PMCs. Sure, this could be hacked
around by making PMCs visible to userspace only when the ID register
hides the feature, but we may be painting ourselves in a corner w.r.t.
the addition of new features.

One way out would be to make the ID registers immutable after
the first system register write outside of the ID register range.
Changes under the hood wouldn't be too terrible; AFAICT it involves
hoisting error checking into kvm_vcpu_init_check_features() and
deferring kvm_vcpu_reset() to the point the ID regs are immutable.

I somewhat like the clear order of operations, and it _shouldn't_ break
existing VMMs since they just save/restore the KVM values verbatim. Of
course, this requires some very clear documentation for VMMs that want
to adopt the new UAPI.

-- 
Thanks,
Oliver

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel