From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9F15EEB8FA5 for ; Wed, 6 Sep 2023 06:04:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=SQ2vwhhnGP4JVrKecnei3YY6TxvKQUQltl0AeYyIKyg=; b=yb5DHN6pF8qe0N 5JJfOj1oqB3yW5h3sb9KUByrcVQSjf/fSk7wxt6TeaEF2OqrGkEFE9LiHxlXPb2+91gK7WGxY2uPB rADU5/lDSewuCF3ebjKLFDCvwx80YBQnc9iBke3LfecaT5ZL4IdPPR7S87xAAumRUXeemWJM8JjXZ qfPrba4jZjr1jHHlHyh4INzU3LDmA1EoTTRJP1yfjAHpbEDzcisXy6pyVVkSHD9XlpVYfqp1uqlCs EGyMMyg8TGKZI16gwOdlkpqjLNSJBo8rQu+8OXE9ruJZprIOG3eyO8B5yZLeW43+KcrlTHC/QlIYt vhwDgWW9J96DiHpe9RPw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qdleF-007Kne-0J; Wed, 06 Sep 2023 06:04:19 +0000 Received: from out-215.mta1.migadu.com ([2001:41d0:203:375::d7]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qdleB-007KmQ-0V for linux-arm-kernel@lists.infradead.org; Wed, 06 Sep 2023 06:04:17 +0000 Date: Wed, 6 Sep 2023 06:03:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1693980244; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=sz1dEz51amxgl8u4MbjhfSRIzo+wFIPdJiGVXiPN2oc=; b=EJ5wecrMHeWERHJYByFrVHm6ApeXu0QDMUV8Vyw/HszWIrBM7WApWu25d5lv5Pf8Faj24E ClTt/toFuAW9prJz9vlPUmsu4JEsdV9RXKcExO3d2fQJgx/uvTAArm9d/KqmCAeyppT2BK ahN0cWfPM/4lxez1Pd3dBNCogpd97fU= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Oliver Upton To: Jing Zhang Cc: Marc Zyngier , KVM , KVMARM , ARMLinux , Will Deacon , Paolo Bonzini , James Morse , Alexandru Elisei , Suzuki K Poulose , Fuad Tabba , Reiji Watanabe , Raghavendra Rao Ananta , Suraj Jitindar Singh , Cornelia Huck , Shaoqin Huang Subject: Re: [PATCH v9 05/11] KVM: arm64: Enable writable for ID_AA64DFR0_EL1 and ID_DFR0_EL1 Message-ID: References: <20230821212243.491660-1-jingzhangos@google.com> <20230821212243.491660-6-jingzhangos@google.com> <878ra3pndw.wl-maz@kernel.org> <86a5uef55n.wl-maz@kernel.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Migadu-Flow: FLOW_OUT X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230905_230415_341891_FDF879E5 X-CRM114-Status: GOOD ( 31.22 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Tue, Sep 05, 2023 at 07:13:35PM -0700, Jing Zhang wrote: [...] > > > > I removed sanity checks across multiple fields after the discussion > > > > here: https://lore.kernel.org/all/ZKRC80hb4hXwW8WK@thinky-boi/ > > > > I might have misunderstood the discussion. I thought we'd let VMM do > > > > more complete sanity checks. > > > > > > The problem is that you don't even have a statement about how this is > > > supposed to be handled. What are the rules? How can the VMM author > > > *know*? > > > > > > That's my real issue with this series: at no point do we state when an > > > ID register can be written, what are the rules that must be followed, > > > where is the split in responsibility between KVM and the VMM, and what > > > is the expected behaviour when the VMM exposes something that is > > > completely outlandish to the guest (such as the M-profile debug). > > > > > > Do you see the issue? We can always fix the code. But once we've > > > exposed that to userspace, there is no going back. And I really want > > > everybody's buy-in on that front, including the VMM people. > > > > Understood. > > Looks like it would be less complicated to have KVM do all the sanity > > checks to determine if a feature field is configured correctly. > > The determination can be done by following rules: > > 1. Architecture constraints from ARM ARM. > > 2. KVM constraints. (Those features not exposed by KVM should be read-only) > > 3. VCPU features. (The write mask needs to be determined on-the-fly) > > Does this sound good to you to have all sanity checks in KVM? I would rather we not implement exhaustive checks in KVM, because we *will* get them wrong. I don't believe Marc is asking for exhaustive sanity checks in KVM either, just that we prevent userspace from selecting features we will _never_ emulate (like the MProfDbg example). You need very clear documentation for the usage pattern and what the VMM's responsibilities are (like obeying the ARM ARM). While we're here, I'll subject the both of you to one of the ongoing thoughts I've had with the whole configurable CPU model UAPI. Ideally we should get to the point where all emulation and trap configuration is solely determined from the ID register values of the VM. I'm a bit worried that this mixes poorly with userspace system register accesses, though. As implemented, nothing stops userspce from interleaving ID register writes with other system registers that might be conditional on a particular CPU feature. For example, disabling the PMU via DFR0 and then writing to the PMCs. Sure, this could be hacked around by making PMCs visible to userspace only when the ID register hides the feature, but we may be painting ourselves in a corner w.r.t. the addition of new features. One way out would be to make the ID registers immutable after the first system register write outside of the ID register range. Changes under the hood wouldn't be too terrible; AFAICT it involves hoisting error checking into kvm_vcpu_init_check_features() and deferring kvm_vcpu_reset() to the point the ID regs are immutable. I somewhat like the clear order of operations, and it _shouldn't_ break existing VMMs since they just save/restore the KVM values verbatim. Of course, this requires some very clear documentation for VMMs that want to adopt the new UAPI. -- Thanks, Oliver _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel