[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 00/12] const-ify vendor checks

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Mon, 9 Feb 2026 11:05:52 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/ghaL8GcdRVpjK0JlWhyMVuHmqlJ6wrPR7AlENbBTfI=; b=L4J/BSo2ISRQQt+lE2S78xHimJWywlW+kHn5UzkEOm84aDPRU+4bOwe+9pni0o1+F6cuS9eK1FOLeHqVkzo2MXoKXwVOgjfoo2lXglUFh/q9pv6K3X8gMTnBonXU2GOmZXNdqfkYG0GBTIpD1v2rLBlmQnqxLejip21AiW3lKmJQ5EVtDKl0kAhWYftLg8VHrL6yGR6UuWkvdvKoDD0gFzHCoATDkU1visrQ2R43XFAn92oZerunTNCk1HP6ghACh/i9QinJZ+pf+Kk2dOHmv4SJBIShweswMa5aQ3eKIpTvEQq0nn3ywISFdvKiTYjkE/t4v10k0xn7Y9KPKcV1vA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=DCGeROPW6+ZWzqOsPYI4wfSIsNupsiSe3qw+SsaVpXFHmNgpXlBmJ0lYzS9cg3DBHfzfFpbNU5/OQLQCLMCIBrL4qhsZquX1fmdsoFaN1EY4FPhkdnfuzXM88FUX4VoV8yf0gSLHvqATyFfmEw12d22q63Lbv0uKuKvJc4hnUJ+IKjVHG4FQr1WJ9lwSfsWLwsNMGQzxEfXVGSIr7SJEf4ZIdMmmZP3G54/7GxenKJ5nQRX8UpiWAG9/+4cYg2lWqgo+t0F+h7woO4nrscjMEiX3MyEg2ePFCfy87rZtzjOZshe9qyldiuhext1wJu+AHSqFF4BY18LRTvWj5kmMWQ==
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Jason Andryuk <jason.andryuk@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 09 Feb 2026 10:06:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Mon Feb 9, 2026 at 10:21 AM CET, Jan Beulich wrote:
> On 06.02.2026 17:15, Alejandro Vallejo wrote:
>> Hi,
>> 
>> This series is a big revamp of vendor-checking to enable it to perform DCE.
>> It improves all configurations useful in practice at minimal cost in the full
>> build, and at a massive advantage for the single-vendor case. Many ifdefs can
>> go away as a side effect of the series.
>> 
>> This series depends on cross-vendor removal:
>>   
>> https://lore.kernel.org/xen-devel/20260205170923.38425-1-alejandro.garciavallejo@xxxxxxx/T/#m4c3d318f37e4f24d0f8c62b104221aa5d428cebc
>> 
>> Patch 1 in this series matches that of cross-vendor removal. It's logically
>> required, but that's the single requirement.
>> 
>> High level description
>> ======================
>> 
>> When compared to the RFC this makes a different approach The series 
>> introduces
>> cpu_vendor() which maps to a constant in the single vendor case and to
>> (boot_cpu_data.vendor & X86_ENABLED_VENDORS), where X86_ENABLED_VENDORS is a
>> mask of the compile-time chosen vendors. This enables the compiler to detect
>> dead-code at the uses and remove all unreachable branches, including in
>> switches.
>> 
>> When compared to the x86_vendor_is() macro introduced in the RFC, this is
>> simpler. It achieves MOST of what the older macro did without touching the
>> switches, with a few caveats:
>> 
>>   1. Compiled-out vendors cause a panic, they don't fallback onto the unknown
>>      vendor case. In retrospect, this is a much saner thing to do.
>
> I'm unconvinced here. Especially our Centaur and Shanghai support is at best
> rudimentary. Treating those worse when configured-out than when configured-in
> feels questionable.

Isn't that the point of configuring out?

Besides the philosophical matter of whether or not a compiled-out vendor
should be allowed to run there's the more practical matter of what to do
with the x86_vendor field of boot_cpu_data. Because at that point our take
that cross-vendor support is forbidden is a lot weaker. If I can run an
AMD-hypervisor on an Intel host, what then? What policies would be allowed? If I
wipe x86_vendor then policies with some unknown vendor would be fine. Should the
leaves match too? If I do not wipe the field, should I do black magic to ensure
the behaviour is different depending on whether the vendor is compiled in or
not? What if I want to migrate a VM currently running in this hypothetical
hypervisor? The rules becomes seriously complex.

It's just a lot cleaner to take the stance that compiled out vendors can't run.
Then everything else is crystal clear and we avoid a universe's worth of corner
cases. I expect upstream Xen to support all cases (I'm skeptical about the
utility of the unknown vendor path, but oh well), but many downstreams might
benefit from killing off support for vendors they really will never touch.

>
>>   2. equalities and inequalities have been replaced by equivalent 
>> (cpu_vendor() & ...)
>>      forms. This isn't stylistic preference. This form allows the compiler
>>      to merge the compared-against constant with X86_ENABLED_VENDORS, 
>> yielding
>>      much better codegen throughout the tree.
>> 
>> The effect of (2) triples the delta in the full build below.
>> 
>> Some differences might be attributable to the change from policy vendor 
>> checks
>> to boot_cpu_data. In the case of the emulator it caused a 400 bytes increase
>> due to the way it checks using LOTS of macro invocations, so I left that one
>> piece using the policy vendor except for the single vendor case.
>
> For the emulator I'd like to point out this question that I raised in the
> AVX10 series:

There's no optimisation shortage for the emulator. For that patch I just
ensure I didn't make a tricky situation worse. It is much better in the 
single-vendor case.

>
> "Since it'll be reducing code size, we may want to further convert
>  host_and_vcpu_must_have() to just vcpu_must_have() where appropriate
>  (should be [almost?] everywhere)."
>
> Sadly there was no feedback an that (or really on almost all of that work) at
> all so far.

It sounds fairly orthogonal to this, unless I'm missing the point.

In principle that would be fine. the vCPU features whose emulation requires
special instructions are most definitely a subset of those of the host anyway.

I agree many cases could be simplified as you describe.

I do see a worrying danger of XSA should the max policy ever exceed the
capabilities of the host on a feature required for emulating some instruction
for that very feature. Then the guest could abuse the emulator to trigger #UD
inside the hypervisor's emulation path.

Cheers,
Alejandro

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.