From: Jan Beulich <jbeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: "Michał Leszczyński" <michal.leszczynski@cert.pl>,
	"Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>,
	"Jun Nakajima" <jun.nakajima@intel.com>,
	"Kevin Tian" <kevin.tian@intel.com>,
	"Tamas K Lengyel" <tamas@tklengyel.com>,
	Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v7 06/10] xen/domctl: Add XEN_DOMCTL_vmtrace_op
Date: Tue, 26 Jan 2021 15:18:06 +0100
Message-ID: <04f34381-92b4-7965-8c6f-76cfa2312f2a@suse.com>
In-Reply-To: <20210121212718.2441-7-andrew.cooper3@citrix.com>

On 21.01.2021 22:27, Andrew Cooper wrote:
> --- a/xen/arch/x86/domctl.c
> +++ b/xen/arch/x86/domctl.c
> @@ -155,6 +155,55 @@ void arch_get_domain_info(const struct domain *d,
>      info->arch_config.emulation_flags = d->arch.emulation_flags;
>  }
>  
> +static int do_vmtrace_op(struct domain *d, struct xen_domctl_vmtrace_op *op,
> +                         XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
> +{
> +    struct vcpu *v;
> +    int rc;
> +
> +    if ( !d->vmtrace_frames || d == current->domain /* No vcpu_pause() */ )
> +        return -EINVAL;
> +
> +    ASSERT(is_hvm_domain(d)); /* Restricted by domain creation logic. */
> +
> +    v = domain_vcpu(d, op->vcpu);
> +    if ( !v )
> +        return -ENOENT;
> +
> +    vcpu_pause(v);
> +    switch ( op->cmd )
> +    {
> +    case XEN_DOMCTL_vmtrace_enable:
> +    case XEN_DOMCTL_vmtrace_disable:
> +    case XEN_DOMCTL_vmtrace_reset_and_enable:
> +        rc = hvm_vmtrace_control(
> +            v, op->cmd != XEN_DOMCTL_vmtrace_disable,
> +            op->cmd == XEN_DOMCTL_vmtrace_reset_and_enable);
> +        break;
> +
> +    case XEN_DOMCTL_vmtrace_output_position:
> +        rc = hvm_vmtrace_output_position(v, &op->value);
> +        if ( rc >= 0 )
> +            rc = 0;
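
Review bot: in do_vmtrace_op(), the only thing keeping the hvm_vmtrace_*() hooks from being reached for a non-HVM domain is ASSERT(is_hvm_domain(d)), which is compiled out of release builds. If the invariant lives entirely in domain creation, a short comment beside the !d->vmtrace_frames test saying that non-zero vmtrace_frames implies HVM would put the reasoning next to the check that actually enforces it; otherwise fold is_hvm_domain(d) into that test and return an error. Separately, the same -EINVAL covers both "domain has no vmtrace buffer" and "caller targeted its own domain", which a toolstack cannot tell apart.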

So vmtrace_output_position() effectively returns a boolean, and
there is no other caller of it afaics. I understand the hook and
function return int to allow for error indicators. But what's
the purpose of returning ipt_active when the only caller doesn't
care?

> --- a/xen/arch/x86/hvm/vmx/vmx.c
> +++ b/xen/arch/x86/hvm/vmx/vmx.c
> @@ -2261,6 +2261,153 @@ static bool vmx_get_pending_event(struct vcpu *v, struct x86_event *info)
>      return true;
>  }
>  
> +static int vmtrace_get_option(struct vcpu *v, uint64_t key, uint64_t *output)
> +{
> +    const struct vcpu_msrs *msrs = v->arch.msrs;
> +
> +    /*
> +     * We only let vmtrace agents see and modify a subset of bits in
> +     * MSR_RTIT_CTL.  These all pertain to date emitted into the trace

s/date/data/ ?

> +     * buffer(s).  Must not include controls pertaining to the
> +     * structure/position of the trace buffer(s).
> +     */
> +#define RTIT_CTL_MASK                                                   \
> +    (RTIT_CTL_TRACE_EN | RTIT_CTL_OS | RTIT_CTL_USR | RTIT_CTL_TSC_EN | \
> +     RTIT_CTL_DIS_RETC | RTIT_CTL_BRANCH_EN)
> +
> +    /*
> +     * Status bits restricted to the first-gen subset (i.e. no further CPUID
> +     * requirements.)
> +     */
> +#define RTIT_STATUS_MASK \
> +    (RTIT_STATUS_FILTER_EN | RTIT_STATUS_CONTEXT_EN | RTIT_STATUS_TRIGGER_EN | \
> +     RTIT_STATUS_ERROR | RTIT_STATUS_STOPPED)

The placement of these two #define-s kind of suggests they're
intended for this function only, but the next one (at least)
also uses them. May I suggest to move these ahead of this
function?

> +static int vmtrace_set_option(struct vcpu *v, uint64_t key, uint64_t value)
> +{
> +    struct vcpu_msrs *msrs = v->arch.msrs;
> +    bool new_en, old_en = msrs->rtit.ctl & RTIT_CTL_TRACE_EN;
> +
> +    switch ( key )
> +    {
> +    case MSR_RTIT_OUTPUT_MASK:
> +        /*
> +         * MSR_RTIT_OUTPUT_MASK, when using Single Output mode, has a limit
> +         * field in the lower 32 bits, and an offset in the upper 32 bits.
> +         *
> +         * Limit is fixed by the vmtrace buffer size and must not be
> +         * controlled by userspace, while offset must be within the limit.
> +         *
> +         * Drop writes to the limit field to simply userspace wanting to reset
> +         * the offset by writing 0.
> +         */
> +        if ( (value >> 32) > msrs->rtit.output_limit )
> +            return -EINVAL;
> +        msrs->rtit.output_offset = value >> 32;
> +        break;
> +
> +    case MSR_RTIT_CTL:
> +        if ( value & ~RTIT_CTL_MASK )
> +            return -EINVAL;
> +
> +        msrs->rtit.ctl &= ~RTIT_CTL_MASK;
> +        msrs->rtit.ctl |= (value & RTIT_CTL_MASK);
> +        break;
> +
> +    case MSR_RTIT_STATUS:
> +        if ( value & ~RTIT_STATUS_MASK )
> +            return -EINVAL;
> +
> +        msrs->rtit.status &= ~RTIT_STATUS_MASK;
> +        msrs->rtit.status |= (value & RTIT_STATUS_MASK);
> +        break;
> +
> +    default:
> +        return -EINVAL;
> +    }
> +
> +    new_en = msrs->rtit.ctl & RTIT_CTL_TRACE_EN;
> +
> +    /* ctl.trace_en changed => update MSR load/save lists appropriately. */
> +    if ( !old_en && new_en )
> +    {
> +        if ( vmx_add_guest_msr(v, MSR_RTIT_CTL, msrs->rtit.ctl) ||
> +             vmx_add_host_load_msr(v, MSR_RTIT_CTL, 0) )
> +        {
> +            /*
> +             * The only failure cases here are failing the
> +             * singleton-per-domain memory allocation, or exceeding the space
> +             * in the allocation.  We could unwind in principle, but there is
> +             * nothing userspace can usefully do to continue using this VM.
> +             */
> +            domain_crash(v->domain);
> +            return -ENXIO;
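
Review bot: in the MSR_RTIT_OUTPUT_MASK case of vmtrace_set_option(), the low 32 bits of value are silently discarded, while the MSR_RTIT_CTL and MSR_RTIT_STATUS cases reject any bit outside their mask with -EINVAL. The comment explains why writes to the limit field are dropped, but the asymmetry should be stated in the public interface documentation so that callers do not read a successful return as "limit changed". The comparison (value >> 32) > msrs->rtit.output_limit accepts an offset equal to the limit, so the comment's "within the limit" should say whether that bound is inclusive. Nit in the same comment: "to simply userspace" looks like a typo for "to simplify".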

I don't think I fully agree with the 2nd half of the last
sentence, but well, so be it then for the time being at least.
Why could userspace not decide to continue running this VM
with ipt disabled?

> +static int vmtrace_control(struct vcpu *v, bool enable, bool reset)
> +{
> +    struct vcpu_msrs *msrs = v->arch.msrs;
> +    uint64_t new_ctl;
> +    int rc;
> +
> +    if ( v->arch.hvm.vmx.ipt_active == enable )
> +        return -EINVAL;

Why is XEN_DOMCTL_vmtrace_reset_and_enable not permitted
when ipt_active is true? And, considering ...

> +    if ( reset )
> +    {
> +        msrs->rtit.status = 0;
> +        msrs->rtit.output_offset = 0;
> +    }
> +
> +    new_ctl = msrs->rtit.ctl & ~RTIT_CTL_TRACE_EN;
> +    if ( enable )
> +        new_ctl |= RTIT_CTL_TRACE_EN;
> +
> +    rc = vmtrace_set_option(v, MSR_RTIT_CTL, new_ctl);

... this is just a wrapper around a function directly
reachable via XEN_DOMCTL_vmtrace_set_option, why any
restriction at all?

> +    if ( rc )
> +        return rc;
> +
> +    v->arch.hvm.vmx.ipt_active = enable;
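
Review bot: in vmtrace_control(), the reset branch zeroes msrs->rtit.status and msrs->rtit.output_offset before vmtrace_set_option() has had a chance to fail, so an error return leaves the vCPU with its trace state already cleared while ipt_active is unchanged. Consider doing the reset only once rc is 0, or documenting that a failed reset_and_enable is destructive. Also, new_ctl is built from the whole of msrs->rtit.ctl, whereas vmtrace_set_option() returns -EINVAL for value & ~RTIT_CTL_MASK; if rtit.ctl can ever carry bits outside that mask, this call cannot succeed, so masking new_ctl with RTIT_CTL_MASK here would be safer.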

Shouldn't this be done in vmtrace_set_option(), to also
cover the other path leading there?

Jan

