[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] DESIGN: CPUID part 3

On 08/06/17 14:47, Jan Beulich wrote:
>>>> On 08.06.17 at 15:12, <andrew.cooper3@xxxxxxxxxx> wrote:
>> # Proposal
>>
>> First and foremost, split the current **max\_policy** notion into separate
>> **max** and **default** policies.  This allows for the provision of features
>> which are unused by default, but may be opted in to, both at the hypervisor
>> level and the toolstack level.
>>
>> At the hypervisor level, **max** constitutes all the features Xen can use on
>> the current hardware, while **default** is the subset thereof which are
>> supported features, the features which the user has explicitly opted in to,
>> and excluding any features the user has explicitly opted out of.
>>
>> A new `cpuid=` command line option shall be introduced, whose internals are
>> generated automatically from the featureset ABI.  This means that all 
>> features
>> added to `include/public/arch-x86/cpufeatureset.h` automatically gain command
>> line control.  (RFC: The same top level option can probably be used for
>> non-feature CPUID data control, although I can't currently think of any cases
>> where this would be used Also find a sensible way to express 'available but
>> not to be used by Xen', as per the current `smep` and `smap` options.)
> Especially for disabling individual features I'm not sure "cpuid=" is
> an appropriate name. After all CPUID is only a manifestation of
> behavior elsewhere, and hence we don't really want CPUID
> behavior be controlled, but behavior which CPUID output reflects.
> I can't, however, think of an alternative name I would consider
> more suitable.

I suppose I view it a little like "information contained within cpuid"=

I'm happy to use an alternative name if we can think of a better one,
but I definitely want a way to control every feature (rather than the
controls being ad-hoc), and don't want to introduce top level booleans
for each feature.

>
>> At the guest level, **max** constitutes all the features which can be offered
>> to each type of guest on this hardware.  Derived from Xen's **default**
>> policy, it includes the supported features and explicitly opted in to
>> features, which are appropriate for the guest.
> There's no provision here at all for features which hardware doesn't
> offer, but which we can emulate in a reasonable way (UMIP being
> the example I'd be thinking of right away). While perhaps this could
> be viewed to be covered by "explicitly opted in to features", I think
> it would be nice to make this explicit.

In this case, I'd include that within "the features which can be offered".

So far, there is only a single feature we emulate to guests without
hardware support, which is x2apic mode for HVM guests.

I should call this distinction out more clearly.

>
>> The guests **default** policy is then derived from its **max**, and includes
>> the supported features which are considered migration safe.  (RFC: This
>> distinction is rather fuzzy, but for example it wouldn't include things like
>> ITSC by default, as that is likely to go wrong unless special care is 
>> taken.)
> As per above I think the delta between max and default is larger
> than just migration-unsafe pieces. Iirc for UMIP we would mean to
> have it off by default at least in the case where emulation incurs
> side effects.

There is a lot of emulation overhead for UMIP on non-UMIP-capable
hardware.  I'd advocate for it needing to be opt-in at both the
hypervisor and toolstack level.  In general, I'd expect people to be
more wary of the added emulation than the information leak.

>
>> The `disable_migrate` field shall be dropped.  The concept of migrateability
>> is not boolean; it is a large spectrum, all of which needs to be managed by
>> the toolstack.  The simple case is picking the common subset of features
>> between the source and destination.  This becomes more complicated e.g. if 
>> the
>> guest uses LBR/LER, at which point the toolstack needs to consider hardware
>> with the same LBR/LER format in addition to just the plain features.
> Not sure about this - by intercepting the MSR accesses to the involved
> MSRs, it would be possible to mimic the LBR/LER format expected by
> the guest even if different from that of the host.

LER yes, but how would you emulate LBR?

You could set DBG_CTL.BTF/EFLAGS.TF and intercept #DB, but this would be
visible to the guest via pushf/popf.  It would also interfere with a
guest trying to single-step itself.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.