|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v2 3/3] svm/nestedsvm: Introduce nested capabilities bit
On 27.03.2024 18:01, George Dunlap wrote:
> On Mon, Mar 18, 2024 at 2:17 PM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>> On 13.03.2024 13:24, George Dunlap wrote:
>>> --- a/xen/arch/x86/domain.c
>>> +++ b/xen/arch/x86/domain.c
>>> @@ -673,6 +673,12 @@ int arch_sanitise_domain_config(struct
>>> xen_domctl_createdomain *config)
>>> */
>>> config->flags |= XEN_DOMCTL_CDF_oos_off;
>>>
>>> + if ( nested_virt && !hvm_nested_virt_supported() )
>>> + {
>>> + dprintk(XENLOG_INFO, "Nested virt requested but not available\n");
>>> + return -EINVAL;
>>> + }
>>> +
>>> if ( nested_virt && !hap )
>>> {
>>> dprintk(XENLOG_INFO, "Nested virt not supported without HAP\n");
>>
>> As mentioned in reply to v1, I think what both start_nested_{svm,vmx}() check
>> is redundant with this latter check. I think that check isn't necessary there
>> (yet unlike suggested in reply to v1 I don't think anymore that the check
>> here
>> can alternatively be dropped). And even if it was to be kept for some reason,
>> I'm having some difficulty seeing why vendor code needs to do that check,
>> when
>> nestedhvm_setup() could do it for both of them.
>
> I'm having a bit of trouble resolving the antecedents in this
> paragraph (what "this" and "there" are referring to).
>
> Are you saying that we should set hvm_funcs.caps.nested_virt to 'true'
> even if the hardware doesn't support HAP, because we check that here?
>
> That seems like a very strange way to go about things; hvm_funcs.caps
> should reflect the actual capabilities of the hardware. Suppose at
> some point we want to expose nested virt capability to the toolstack
> -- wouldn't it make more sense to be able to just read
> `hvm_funcs.caps.nested_virt`, rather than having to remember to && it
> with `hvm_funcs.caps.hap`?
>
> And as you say, you can't get rid of the HAP check here, because we
> also want to deny nested virt if the admin deliberately created a
> guest in shadow mode on a system that has HAP available. So it's not
> redundant: one is checking the capabilities of the system, the other
> is checking the requested guest configuration.
Hmm, yes, you're right.
> As to why to have each vendor independent code check for HAP -- there
> are in fact two implementations of the code; it's nice to be able to
> look in one place for each implementation to determine the
> requirements. Additionally, it would be possible, in the future, for
> one of the nested virt implementations to enable shadow mode, while
> the other one didn't. The current arrangement makes that easy.
Well, first - how likely is this, when instead we've been considering
whether we could get rid of shadow mode? And then this is balancing
between ease of future changes vs avoiding redundancy where it can be
avoided. I'm not going to insist on centralizing the HAP check, but I
certainly wanted the option to be considered.
>>> --- a/xen/arch/x86/hvm/nestedhvm.c
>>> +++ b/xen/arch/x86/hvm/nestedhvm.c
>>> @@ -150,6 +150,16 @@ static int __init cf_check nestedhvm_setup(void)
>>> __clear_bit(0x80, shadow_io_bitmap[0]);
>>> __clear_bit(0xed, shadow_io_bitmap[1]);
>>>
>>> + /*
>>> + * NB this must be called after all command-line processing has been
>>> + * done, so that if (for example) HAP is disabled, nested virt is
>>> + * disabled as well.
>>> + */
>>> + if ( cpu_has_vmx )
>>> + start_nested_vmx(&hvm_funcs);
>>> + else if ( cpu_has_svm )
>>> + start_nested_svm(&hvm_funcs);
>>
>> Instead of passing the pointer, couldn't you have the functions return
>> bool, and then set hvm_funcs.caps.nested_virt from that? Passing that
>> pointer looks somewhat odd to me.
>
> For one, it makes start_nested_XXX symmetric to start_XXX, which also
> has access to the full hvm_funcs structure (albeit in the former case
> because it's creating the structure).
This last aspect is the crucial aspect: start{svm,vmx}() are indeed quite
special because of this. Everywhere else we have accessor helpers when
hvm_funcs needs consulting, e.g. ...
> For two, both of them need to read caps.hap.
... caps _reads_ would want using (an) accessor(s), too.
> For three, it's just more flexible -- there may be
> future things that we want to modify in the start_nested_*()
> functions. If we did as you suggest, and then added (say)
> caps.nested_virt_needs_hap, then we'd either need to add a second
> function, or refactor it to look like this.
Right, I can see this as an argument when taking, as you do, speculation
on future needs into account. Albeit I'm then inclined to say that even
such modifications may better be done through accessor helpers.
>> Is there a reason to use direct calls here rather than a true hook
>> (seeing that hvm_funcs must have been populated by the time we make it
>> here)? I understand we're (remotely) considering to switch away from
>> using hooks at some point, but right now this feels somewhat
>> inconsistent if not further justified.
>
> Again it mimics the calls to start_vmx/svm in hvm_enable. But I could
> look at adding a function pointer to see if it works.
Andrew - do you have any input here towards those somewhat vague plans
of getting rid of the hook functions? I guess they're more relevant in
places where we can't easily use the altcall machinery (i.e. not here).
Jan
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |