From: Andrea Arcangeli <aarcange@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Marcel Apfelbaum <marcel@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] Default for phys-addr-bits? (was Re: [PATCH 4/5] x86: Allow physical address bits to be set)
Date: Thu, 23 Jun 2016 01:15:57 +0200 [thread overview]
Message-ID: <20160622231557.GP30202@redhat.com> (raw)
In-Reply-To: <20160622224042.GA29641@redhat.com>
On Thu, Jun 23, 2016 at 01:40:42AM +0300, Michael S. Tsirkin wrote:
> Where's a problem then?
If EPT/NPT is enabled, the guest pagetables are parsed by the hardware
and not by the KVM shadow MMU in software. The hardware speaks host
phys bits and AFIK the hardware will behave different depending on the
host phys bits.
In fact the guest could probe those the host phys bits anyway.
Now the breakage with guest phys bits < host phys bits happens only
with EPT/NPT if the guest instead of "probing" the host phys bits, it
just runs cpuid and it assumes the value it receives would be the same
as the effect of a "probe".
Then guest could assume the probing effect would match the guest phys
bits returned by the guest cpuid insn, and do important stuff in
function of that (i.e. expecting a GPF which won't materialize if the
host phys bits is > guest phys bits).
The guest must do somewhat weird for any breakage to happen (notably
changing pagetable format in function of cpuid retval). The guest of
course could also be changed to stop being weird and then it wouldn't
break anymore.
So just in case there's any weird proprietary OS like that, we can
still add a -cpu=force_host_phys_bits fallback, to prevent the
discrepancy between cpuid and probing effect, in turn eliminating any
risk of guest failures (but then we should also prevent live migration
if source host phys bits != destination host phys bits to provide the
same guarantee to the weird guest, through live migration).
> So I think that all we need is a way to let libvirt control
> the _CRS range. Teach it that _CRS must fit within what
> host can support. Also check and fail kvm init if _CRS exceeds
> what host can support.
Right.
The production solution is such a simple patch that I certainly agree
it can be applied first, along with the mtrr fix.
The complexity in dealing with _CSR and all the up layers about this
subtle phys bits detail, to calculate the highest possible guest
physical address, is what makes the production solution attractive in
the short term.
Then if we implement the "soft" guest phys bits exercise, that is all
about adding robustness to live migration (and save/restore). So for
it not to risk to be futile, it'd be nice if the phys bits checks were
all contained inside qemu.
Initially libvirt/ovirt/OpenStack would just return some live
migration generic error to the user, in the unlikely case there's a
phys bits mismatch during the live migration or restore (i.e. "soft"
guest phys bits > destination host phys bits). That will still avoid
us getting weird bugreports and way more important it'll avoid any
risk of customer unexpected guest crashes.
The managers that load-balance the load in the cloud if they want they
can still do their own calculation on the host/guest phys bits
matching the qemu internal calculation and guarantee themselves that
they'll never run into the qemu live migration error because of too
low destination host phys bits (either that or they can check a proper
error from the migration command).
Thanks,
Andrea
next prev parent reply other threads:[~2016-06-22 23:16 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-16 17:12 [Qemu-devel] [PATCH 0/5] x86: Physical address limit patches Dr. David Alan Gilbert (git)
2016-06-16 17:12 ` [Qemu-devel] [PATCH 1/5] BIT_RANGE convenience macro Dr. David Alan Gilbert (git)
2016-06-16 17:23 ` Paolo Bonzini
2016-06-16 17:24 ` Dr. David Alan Gilbert
2016-06-16 18:01 ` Peter Maydell
2016-06-16 18:05 ` Paolo Bonzini
2016-06-20 14:11 ` Dr. David Alan Gilbert
2016-06-20 14:17 ` Peter Maydell
2016-06-16 17:12 ` [Qemu-devel] [PATCH 2/5] x86: Mask mtrr mask based on CPU physical address limits Dr. David Alan Gilbert (git)
2016-06-16 19:59 ` Eduardo Habkost
2016-06-17 8:23 ` Dr. David Alan Gilbert
2016-06-17 12:13 ` Paolo Bonzini
2016-06-16 17:12 ` [Qemu-devel] [PATCH 3/5] x86: fill high bits of mtrr mask Dr. David Alan Gilbert (git)
2016-06-16 20:14 ` Eduardo Habkost
2016-06-17 7:47 ` Paolo Bonzini
2016-06-17 12:46 ` Eduardo Habkost
2016-06-17 13:01 ` Paolo Bonzini
2016-06-17 13:41 ` Eduardo Habkost
2016-06-17 14:25 ` Paolo Bonzini
2016-06-17 15:27 ` Eduardo Habkost
2016-06-17 15:29 ` Paolo Bonzini
2016-06-17 15:35 ` Eduardo Habkost
2016-06-17 13:51 ` Dr. David Alan Gilbert
2016-06-17 14:19 ` Paolo Bonzini
2016-06-17 8:53 ` Dr. David Alan Gilbert
2016-06-16 17:12 ` [Qemu-devel] [PATCH 4/5] x86: Allow physical address bits to be set Dr. David Alan Gilbert (git)
2016-06-16 17:26 ` Paolo Bonzini
2016-06-16 18:09 ` Eduardo Habkost
2016-06-16 20:24 ` Eduardo Habkost
2016-06-17 8:15 ` Dr. David Alan Gilbert
2016-06-17 8:43 ` Paolo Bonzini
2016-06-17 9:17 ` Gerd Hoffmann
2016-06-17 9:52 ` Igor Mammedov
2016-06-17 11:20 ` Gerd Hoffmann
2016-06-17 16:20 ` Laszlo Ersek
2016-06-17 16:07 ` Laszlo Ersek
2016-06-19 16:13 ` Marcel Apfelbaum
2016-06-20 10:42 ` Igor Mammedov
2016-06-20 11:13 ` Marcel Apfelbaum
2016-06-17 9:37 ` Dr. David Alan Gilbert
2016-06-17 9:54 ` Paolo Bonzini
2016-06-17 13:18 ` Eduardo Habkost
2016-06-17 13:38 ` Paolo Bonzini
2016-06-17 15:19 ` Eduardo Habkost
2016-06-17 15:28 ` Paolo Bonzini
2016-06-17 15:49 ` Eduardo Habkost
2016-06-21 19:44 ` [Qemu-devel] Default for phys-addr-bits? (was Re: [PATCH 4/5] x86: Allow physical address bits to be set) Eduardo Habkost
2016-06-22 12:41 ` Paolo Bonzini
2016-06-22 14:24 ` Andrea Arcangeli
2016-06-22 14:33 ` Paolo Bonzini
2016-06-22 14:44 ` Andrea Arcangeli
2016-06-22 14:48 ` Paolo Bonzini
2016-06-22 15:02 ` Andrea Arcangeli
2016-06-22 22:44 ` Michael S. Tsirkin
2016-06-22 23:23 ` Andrea Arcangeli
2016-06-22 23:45 ` Michael S. Tsirkin
2016-06-23 8:40 ` Gerd Hoffmann
2016-06-23 16:38 ` Michael S. Tsirkin
2016-06-24 5:55 ` Gerd Hoffmann
2016-06-24 23:12 ` Michael S. Tsirkin
2016-06-29 16:42 ` Dr. David Alan Gilbert
2016-06-30 6:10 ` Gerd Hoffmann
2016-06-30 10:59 ` Dr. David Alan Gilbert
2016-06-30 16:14 ` Gerd Hoffmann
2016-06-30 17:12 ` Dr. David Alan Gilbert
2016-07-01 19:03 ` Dr. David Alan Gilbert
2016-06-22 22:40 ` Michael S. Tsirkin
2016-06-22 23:15 ` Andrea Arcangeli [this message]
2016-06-19 3:36 ` [Qemu-devel] [PATCH 4/5] x86: Allow physical address bits to be set Michael S. Tsirkin
2016-06-20 7:04 ` Paolo Bonzini
2016-06-17 14:24 ` Marcel Apfelbaum
2016-06-16 17:12 ` [Qemu-devel] [PATCH 5/5] x86: Set physical address bits based on host Dr. David Alan Gilbert (git)
2016-06-17 7:25 ` Igor Mammedov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160622231557.GP30202@redhat.com \
--to=aarcange@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=marcel@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.