[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 09/13] x86/sysctl: Implement XEN_SYSCTL_get_cpumsr_policy


  • To: Jan Beulich <JBeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 5 Jul 2018 15:08:51 +0100
  • Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==
  • Cc: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Daniel de Graaf <dgdegra@xxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • Delivery-date: Thu, 05 Jul 2018 14:09:39 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Openpgp: preference=signencrypt

On 05/07/18 10:08, Jan Beulich wrote:
>>>> On 04.07.18 at 19:57, <andrew.cooper3@xxxxxxxxxx> wrote:
>> On 04/07/18 10:43, Jan Beulich wrote:
>>>> --- a/xen/arch/x86/sysctl.c
>>>> +++ b/xen/arch/x86/sysctl.c
>>>> @@ -32,22 +32,32 @@
>>>>  #include <asm/cpuid.h>
>>>>  
>>>>  const struct policy_group system_policies[] = {
>>>> -    {
>>>> +    [ XEN_SYSCTL_cpumsr_policy_raw ] = {
>>> Aha - this clarifies a question I had on the earlier patch. But it would
>>> be nice if that other patch was self contained also in the way of
>>> allowing readers to understand the intentions.
>> One thing I could do is introduce the XEN_SYSCTL_cpumsr_policy_* defines
>> in the previous patch?  I don't want to merge the two patches as that is
>> too many moving parts to review in a single patch.
> I think this would help, yes.

Ok, in which case I'll also move the max vs default discussion into the
previous patch.

>>> And with this I now
>>> wonder whether the pointers in struct policy_group shouldn't all
>>> be const qualified.
>> Unfortunately that doesn't work with the logic to create a policy_group
>> for an individual domain during audit.
> I don't understand: Is x86_policies_are_compatible() supposed to
> alter the policies? Otherwise, if you maintained local separate
> pointers in update_domain_cpumsr_policy(), using "new" just for
> the purpose of passing to x86_policies_are_compatible(), all
> should be fine and it would be crystal clear that anyone handed
> a group won't alter anything the group refers to.

With this diff:

diff --git a/xen/include/xen/libx86/policies.h
b/xen/include/xen/libx86/policies.h
index 21e0a40..03fe6dd 100644
--- a/xen/include/xen/libx86/policies.h
+++ b/xen/include/xen/libx86/policies.h
@@ -7,9 +7,9 @@
 
 struct policy_group
 {
-    struct cpuid_policy *cp;
-    struct msr_domain_policy *dp;
-    struct msr_vcpu_policy *vp;
+    const struct cpuid_policy *cp;
+    const struct msr_domain_policy *dp;
+    const struct msr_vcpu_policy *vp;
 };
 
 /*

The resulting compiler complains are

domctl.c: In function ‘update_domain_cpumsr_policy’:
domctl.c:355:15: error: passing argument 1 of ‘x86_cpuid_copy_from_buffer’ 
discards ‘const’ qualifier from pointer target type [-Werror]
               new.cp, xdpc->cpuid_policy, xdpc->nr_leaves,
               ^
In file included from /local/xen.git/xen/include/asm/cpuid.h:11:0,
                 from /local/xen.git/xen/include/asm/cpufeature.h:10,
                 from /local/xen.git/xen/include/asm/processor.h:14,
                 from /local/xen.git/xen/include/asm/system.h:6,
                 from /local/xen.git/xen/include/xen/list.h:11,
                 from /local/xen.git/xen/include/xen/mm.h:50,
                 from domctl.c:9:
/local/xen.git/xen/include/xen/libx86/cpuid.h:257:5: note: expected ‘struct 
cpuid_policy *’ but argument is of type ‘const struct cpuid_policy *’
 int x86_cpuid_copy_from_buffer(struct cpuid_policy *p,
     ^
domctl.c:360:15: error: passing argument 1 of ‘x86_msr_copy_from_buffer’ 
discards ‘const’ qualifier from pointer target type [-Werror]
               new.dp, new.vp,
               ^
In file included from /local/xen.git/xen/include/xen/libx86/policies.h:6:0,
                 from /local/xen.git/xen/include/asm/cpuid.h:12,
                 from /local/xen.git/xen/include/asm/cpufeature.h:10,
                 from /local/xen.git/xen/include/asm/processor.h:14,
                 from /local/xen.git/xen/include/asm/system.h:6,
                 from /local/xen.git/xen/include/xen/list.h:11,
                 from /local/xen.git/xen/include/xen/mm.h:50,
                 from domctl.c:9:
/local/xen.git/xen/include/xen/libx86/msr.h:63:5: note: expected ‘struct 
msr_domain_policy *’ but argument is of type ‘const struct msr_domain_policy *’
 int x86_msr_copy_from_buffer(struct msr_domain_policy *dp,
     ^
domctl.c:360:23: error: passing argument 2 of ‘x86_msr_copy_from_buffer’ 
discards ‘const’ qualifier from pointer target type [-Werror]
               new.dp, new.vp,
                       ^
In file included from /local/xen.git/xen/include/xen/libx86/policies.h:6:0,
                 from /local/xen.git/xen/include/asm/cpuid.h:12,
                 from /local/xen.git/xen/include/asm/cpufeature.h:10,
                 from /local/xen.git/xen/include/asm/processor.h:14,
                 from /local/xen.git/xen/include/asm/system.h:6,
                 from /local/xen.git/xen/include/xen/list.h:11,
                 from /local/xen.git/xen/include/xen/mm.h:50,
                 from domctl.c:9:
/local/xen.git/xen/include/xen/libx86/msr.h:63:5: note: expected ‘struct 
msr_vcpu_policy *’ but argument is of type ‘const struct msr_vcpu_policy *’
 int x86_msr_copy_from_buffer(struct msr_domain_policy *dp,
     ^
domctl.c:373:84: error: assignment discards ‘const’ qualifier from pointer 
target type [-Werror]
     SWAP(new.cp, d->arch.cpuid);
                                                                                
    ^
domctl.c:374:80: error: assignment discards ‘const’ qualifier from pointer 
target type [-Werror]
     SWAP(new.dp, d->arch.msr);
                                                                                
^
domctl.c:375:80: error: assignment discards ‘const’ qualifier from pointer 
target type [-Werror]
     SWAP(new.vp, v->arch.msr);
                                                                                
^
domctl.c:391:11: error: passing argument 1 of ‘xfree’ discards ‘const’ 
qualifier from pointer target type [-Werror]
     xfree(new.cp);
           ^
In file included from /local/xen.git/xen/include/xen/lib.h:7:0,
                 from domctl.c:8:
/local/xen.git/xen/include/xen/xmalloc.h:34:13: note: expected ‘void *’ but 
argument is of type ‘const struct cpuid_policy *’
 extern void xfree(void *);
             ^
domctl.c:392:11: error: passing argument 1 of ‘xfree’ discards ‘const’ 
qualifier from pointer target type [-Werror]
     xfree(new.dp);
           ^
In file included from /local/xen.git/xen/include/xen/lib.h:7:0,
                 from domctl.c:8:
/local/xen.git/xen/include/xen/xmalloc.h:34:13: note: expected ‘void *’ but 
argument is of type ‘const struct msr_domain_policy *’
 extern void xfree(void *);
             ^
domctl.c:393:11: error: passing argument 1 of ‘xfree’ discards ‘const’ 
qualifier from pointer target type [-Werror]
     xfree(new.vp);
           ^
In file included from /local/xen.git/xen/include/xen/lib.h:7:0,
                 from domctl.c:8:
/local/xen.git/xen/include/xen/xmalloc.h:34:13: note: expected ‘void *’ but 
argument is of type ‘const struct msr_vcpu_policy *’
 extern void xfree(void *);
             ^
cc1: all warnings being treated as errors


Furthermore, while x86_policies_are_compatible() isn't intended to
modify the policies, the other important function for levelling
(x86_calculate_compatible_policy(a, b, out)) will write to its parameter.

>
>>>> @@ -318,6 +328,74 @@ long arch_do_sysctl(
>>>>          break;
>>>>      }
>>>>  
>>>> +    case XEN_SYSCTL_get_cpumsr_policy:
>>>> +    {
>>>> +        const struct policy_group *group;
>>>> +
>>>> +        /* Bad policy index? */
>>>> +        if ( sysctl->u.cpumsr_policy.index >= ARRAY_SIZE(system_policies) 
>>>> )
>>>> +        {
>>>> +            ret = -EINVAL;
>>>> +            break;
>>>> +        }
>>>> +        group = &system_policies[sysctl->u.cpumsr_policy.index];
>>> Isn't this introducing at least half of a Spectre v1 gadget?
>> Nope :(
>>
>> It's both halves of the Spectre gadget, when you account for the
>> dereference when calling x86_*_copy_to_buffer() slightly lower.
>>
>> I suppose we want to port the Linux array nospec lookup logic so we can
>> protect the clearly-visible gadgets.
> I'm confused: You first say "nope", but the rest of your response reads
> as if you meant "yes.".

"No its not half a gadget.  Its a full gadget".

>
>>>> --- a/xen/include/public/sysctl.h
>>>> +++ b/xen/include/public/sysctl.h
>>>> @@ -1063,6 +1063,43 @@ struct xen_sysctl_set_parameter {
>>>>      uint16_t pad[3];                        /* IN: MUST be zero. */
>>>>  };
>>>>  
>>>> +#if defined(__i386__) || defined(__x86_64__)
>>>> +/*
>>>> + * XEN_SYSCTL_get_cpumsr_policy (x86 specific)
>>> Perhaps express the "x86 specific" also in the opcode name? And make
>>> more obvious that this is about CPUID and MSRs at the same time? E.g.
>>> XEN_SYSCTL_x86_get_cpuid_msr_policy?
>>>
>>> I'm sure you have reasons to munge it all into a single operation.
>> (Answering in reverse order)
>>
>> The get operations don't strictly need to be a single operation.  The
>> set operation specifically must be a single operation, and the getters
>> have an interface to match.
>>
>> As for naming, cpumsr_policy wasn't chosen by me, but I can't think of
>> anything better.  The code is currently consistent and, while I'm open
>> to a rename, it will impact large quantities of the series.
>>
>> One concern I have if we end up with a new block of information.  I was
>> hoping for a generic name, but simply "policy" on its own is too
>> generic.  cpumsr is, I believe, a contraction of cpuid_msr to avoid
>> excessive code volume.
>>
>> Suggestions welcome.
> To cover potential future additions, why not XEN_SYSCTL_get_cpu_policy?
> That's neither misleading by abbreviating too much, nor more specific than
> we need it to be. However, in this case it might be worthwhile to consider
> adding in "x86", as ARM might plausibly want something similar at some
> point. Otoh the same name (but different structure contents) could be
> used for both.

Hmm - I suppose "cpu policy" does logically cover any and all of the
main core, without including any of the uncore or chipset, which matches
the intended purpose.

I'll see about applying this naming scheme consistently across the series.

Julien/Stefano: Are you liable to want something like this on ARM?

>
>>>> +struct xen_sysctl_cpumsr_policy {
>>>> +#define XEN_SYSCTL_cpumsr_policy_raw          0
>>>> +#define XEN_SYSCTL_cpumsr_policy_host         1
>>>> +#define XEN_SYSCTL_cpumsr_policy_pv_max       2
>>>> +#define XEN_SYSCTL_cpumsr_policy_hvm_max      3
>>>> +#define XEN_SYSCTL_cpumsr_policy_pv_default   4
>>>> +#define XEN_SYSCTL_cpumsr_policy_hvm_default  5
>>>> +    uint32_t index;       /* IN: Which policy to query? */
>>>> +    uint32_t nr_leaves;   /* IN/OUT: Number of leaves in/written to
>>>> +                           * 'cpuid_policy', or the maximum number of 
>>>> leaves if
>>>> +                           * any of the guest handles is NULL.
>>>> +                           * NB. All policies come from the same space,
>>>> +                           * so have the same maximum length. */
>>>> +    uint32_t nr_msrs;     /* IN/OUT: Number of MSRs in/written to
>>>> +                           * 'msr_domain_policy', or the maximum number 
>>>> of MSRs
>>>> +                           * if any of the guest handles is NULL.
>>>> +                           * NB. All policies come from the same space,
>>>> +                           * so have the same maximum length. */
>>>> +    XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* OUT: */
>>> Explicit padding (checked to be zero in the handler) above here
>>> please.
>> Why?  SYSCTLs are unstable and we don't perform similar checks for other
>> subops.
> You don't like the interface version bumps anyway, as being only
> partly useful. If you added and checked explicit padding, no bump
> would be needed once the field gains meaning.

Right, but possibly the only thing worse than an interface version of
questionable utility is inconsistent ABI expectations across different
subops of an otherwise consistent hypercall.

In principle I'd like to improve the ABI expectations of these ops, but
a) we need something much better than this suggestion, and b) I'm not
going to get diverted into fixing that rats nest as part of this series.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.