[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 3/3] xen/pv: support selecting safe/unsafe msr accesses

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Juergen Gross <jgross@xxxxxxxx>
Date: Mon, 26 Sep 2022 17:36:04 +0200
Cc: Jonathan Corbet <corbet@xxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, x86@xxxxxxxxxx, linux-doc@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
Delivery-date: Mon, 26 Sep 2022 15:36:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.09.22 17:23, Jan Beulich wrote:

On 26.09.2022 16:18, Juergen Gross wrote:

--- a/arch/x86/xen/Kconfig
+++ b/arch/x86/xen/Kconfig
@@ -92,3 +92,12 @@ config XEN_DOM0
        select X86_X2APIC if XEN_PVH && X86_64
        help
          Support running as a Xen Dom0 guest.
+
+config XEN_PV_MSR_SAFE
+       bool "Always use safe MSR accesses in PV guests"
+       default y


Is there any time line when this default will change, perhaps first to
DEBUG and later to N?


I'm not sure. I did an initial test with the safe variants disabled in dom0
and it just worked.

I'm not sure we want an intermediate step, as in critical cases the user can
still use the boot parameter.

@@ -1010,22 +1020,16 @@ static int xen_write_msr_safe(unsigned int msr, 
unsigned int low,

static u64 xen_read_msr(unsigned int msr)

  {
-       /*
-        * This will silently swallow a #GP from RDMSR.  It may be worth
-        * changing that.
-        */
        int err;

- return xen_read_msr_safe(msr, &err);

+       return xen_do_read_msr(msr, xen_msr_safe ? &err : NULL);
  }


When we were talking at the session, I think I said that at least there
is no uninitialized value being passed back. But I did look at
xen_read_msr_safe() only, which indeed is okay. Whereas
native_read_msr_safe() isn't (nor is native_read_msr() afaict), so I
think part of this series should be to also eliminate the undefined-
ness from this code path (possible now only when xen_msr_safe is true,
but as per above that'll be the default at least for some time), where
the caller has no way to know that it shouldn't look at the value.


I can add that.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

References:
- [PATCH 0/3] xen/pv: sanitize xen pv guest msr accesses
  - From: Juergen Gross
- [PATCH 3/3] xen/pv: support selecting safe/unsafe msr accesses
  - From: Juergen Gross
- Re: [PATCH 3/3] xen/pv: support selecting safe/unsafe msr accesses
  - From: Jan Beulich

Prev by Date: Re: [PATCH 1/3] xen/pv: allow pmu msr accesses to cause GP
Next by Date: Re: [PATCH] x86/ept: limit calls to memory_type_changed()
Previous by thread: Re: [PATCH 3/3] xen/pv: support selecting safe/unsafe msr accesses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.