Xen project Mailing List

Re: [PATCH 1/2] xen/*/nospec: Provide common versions of evaluate_nospec/block_speculation

Date: Tue, 5 Mar 2024 08:10:57 +0100

Autocrypt: addr=jbeulich@xxxxxxxx; keydata= xsDiBFk3nEQRBADAEaSw6zC/EJkiwGPXbWtPxl2xCdSoeepS07jW8UgcHNurfHvUzogEq5xk hu507c3BarVjyWCJOylMNR98Yd8VqD9UfmX0Hb8/BrA+Hl6/DB/eqGptrf4BSRwcZQM32aZK 7Pj2XbGWIUrZrd70x1eAP9QE3P79Y2oLrsCgbZJfEwCgvz9JjGmQqQkRiTVzlZVCJYcyGGsD /0tbFCzD2h20ahe8rC1gbb3K3qk+LpBtvjBu1RY9drYk0NymiGbJWZgab6t1jM7sk2vuf0Py O9Hf9XBmK0uE9IgMaiCpc32XV9oASz6UJebwkX+zF2jG5I1BfnO9g7KlotcA/v5ClMjgo6Gl MDY4HxoSRu3i1cqqSDtVlt+AOVBJBACrZcnHAUSuCXBPy0jOlBhxPqRWv6ND4c9PH1xjQ3NP nxJuMBS8rnNg22uyfAgmBKNLpLgAGVRMZGaGoJObGf72s6TeIqKJo/LtggAS9qAUiuKVnygo 3wjfkS9A3DRO+SpU7JqWdsveeIQyeyEJ/8PTowmSQLakF+3fote9ybzd880fSmFuIEJldWxp Y2ggPGpiZXVsaWNoQHN1c2UuY29tPsJgBBMRAgAgBQJZN5xEAhsDBgsJCAcDAgQVAggDBBYC AwECHgECF4AACgkQoDSui/t3IH4J+wCfQ5jHdEjCRHj23O/5ttg9r9OIruwAn3103WUITZee e7Sbg12UgcQ5lv7SzsFNBFk3nEQQCACCuTjCjFOUdi5Nm244F+78kLghRcin/awv+IrTcIWF hUpSs1Y91iQQ7KItirz5uwCPlwejSJDQJLIS+QtJHaXDXeV6NI0Uef1hP20+y8qydDiVkv6l IreXjTb7DvksRgJNvCkWtYnlS3mYvQ9NzS9PhyALWbXnH6sIJd2O9lKS1Mrfq+y0IXCP10eS FFGg+Av3IQeFatkJAyju0PPthyTqxSI4lZYuJVPknzgaeuJv/2NccrPvmeDg6Coe7ZIeQ8Yj t0ARxu2xytAkkLCel1Lz1WLmwLstV30g80nkgZf/wr+/BXJW/oIvRlonUkxv+IbBM3dX2OV8 AmRv1ySWPTP7AAMFB/9PQK/VtlNUJvg8GXj9ootzrteGfVZVVT4XBJkfwBcpC/XcPzldjv+3 HYudvpdNK3lLujXeA5fLOH+Z/G9WBc5pFVSMocI71I8bT8lIAzreg0WvkWg5V2WZsUMlnDL9 mpwIGFhlbM3gfDMs7MPMu8YQRFVdUvtSpaAs8OFfGQ0ia3LGZcjA6Ik2+xcqscEJzNH+qh8V m5jjp28yZgaqTaRbg3M/+MTbMpicpZuqF4rnB0AQD12/3BNWDR6bmh+EkYSMcEIpQmBM51qM EKYTQGybRCjpnKHGOxG0rfFY1085mBDZCH5Kx0cl0HVJuQKC+dV2ZY5AqjcKwAxpE75MLFkr wkkEGBECAAkFAlk3nEQCGwwACgkQoDSui/t3IH7nnwCfcJWUDUFKdCsBH/E5d+0ZnMQi+G0A nAuWpQkjM1ASeQwSHEeAWPgskBQL

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Shawn Anastasio <sanastasio@xxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Delivery-date: Tue, 05 Mar 2024 07:11:11 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 04.03.2024 18:40, Julien Grall wrote: > Hi Andrew, > > On 04/03/2024 17:07, Andrew Cooper wrote: >> On 04/03/2024 4:55 pm, Jan Beulich wrote: >>> On 04.03.2024 17:46, Julien Grall wrote: >>>> On 04/03/2024 16:41, Jan Beulich wrote: >>>>> On 04.03.2024 17:31, Julien Grall wrote: >>>>>> On 04/03/2024 16:10, Andrew Cooper wrote: >>>>>>> It is daft to require all architectures to provide empty >>>>>>> implementations of >>>>>>> this functionality. >>>>>> Oleksii recenlty sent a similar patch [1]. This was pushed back because >>>>>> from naming, it sounds like the helpers ought to be non-empty on every >>>>>> architecture. >>>>>> >>>>>> It would be best if asm-generic provides a safe version of the helpers. >>>>>> So my preference is to not have this patch. This can of course change if >>>>>> I see an explanation why it is empty on Arm (I believe it should contain >>>>>> csdb) and other arch would want the same. >>>>> Except that there's no new asm-generic/ header here (as opposed to how >>>>> Oleksii had it). Imo avoiding the need for empty stubs is okay this way, >>>>> when introducing an asm-generic/ header would not have been. Of course >>>>> if Arm wants to put something there rather sooner than later, then >>>>> perhaps the functions better wouldn't be removed from there, just to then >>>>> be put back pretty soon. >>>> I am confused. I agree the patch is slightly different, but I thought >>>> the fundamental problem was the block_speculation() implementation may >>>> not be safe everywhere. And it was best to let each architecture decide >>>> how they want to implement (vs Xen decide for us the default). >>>> >>>> Reading the original thread, I thought you had agreed with that >>>> statement. Did I misinterpret? >>> Yes and no. Whatever is put in asm-generic/ ought to be correct and safe >>> by default, imo. The same doesn't apply to fallbacks put in place in >>> headers in xen/: If an arch doesn't provide its own implementation, it >>> indicates that the default (fallback) is good enough. Still I can easily >>> see that other views are possible here ... >> >> With speculation, there's absolutely nothing we can possibly do in any >> common code which will be safe generally. >> >> But we can make it less invasive until an architecture wants to >> implement the primitives. > > I understand the goal. However, I am unsure it is a good idea to provide > unsafe just to reduce the arch specific header by a few lines. My > concern is new ports may not realize that block_speculation() needs to > be implemented. This could end to a preventable XSA in the future. > > I guess the risk could be reduced if we had some documentation > explaining how to port Xen to a new architecture (I am not asking you to > write the doc). But that's precisely the difference I'm trying to point out between having a stub header in asm-generic/ vs having the fallback in xen/nospec.h: This way an arch still has to supply asm/nospec.h, and hence they can be expected to consider what needs putting there and what can be left to the fallbacks (whether just "for the time being" is a separate question). Whereas allowing to simply point at the asm-generic/ header is (imo) far more likely to have only little thought applied ("oh, there is that generic header, let's just use it"). Yet as said, the line between the two can certainly be viewed as blurred. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.