From: Ram Pai <linuxram@us.ibm.com>
To: Greg Kurz <groug@kaod.org>
Cc: aik@ozlabs.ru, andmike@linux.ibm.com, kvm-ppc@vger.kernel.org,
"Cédric Le Goater" <clg@fr.ibm.com>,
sukadev@linux.vnet.ibm.com, linuxppc-dev@lists.ozlabs.org,
bauerman@linux.ibm.com,
"David Gibson" <david@gibson.dropbear.id.au>
Subject: RE: [RFC PATCH v1] powerpc/prom_init: disable XIVE in Secure VM.
Date: Wed, 4 Mar 2020 07:13:48 -0800 [thread overview]
Message-ID: <20200304151348.GG5416@oc0525413822.ibm.com> (raw)
In-Reply-To: <20200304115948.7b2dfe10@bahia.home>
On Wed, Mar 04, 2020 at 11:59:48AM +0100, Greg Kurz wrote:
> On Tue, 3 Mar 2020 10:56:45 -0800
> Ram Pai <linuxram@us.ibm.com> wrote:
>
> > On Tue, Mar 03, 2020 at 06:45:20PM +0100, Greg Kurz wrote:
> > > On Tue, 3 Mar 2020 09:02:05 -0800
> > > Ram Pai <linuxram@us.ibm.com> wrote:
> > >
> > > > On Tue, Mar 03, 2020 at 07:50:08AM +0100, Cédric Le Goater wrote:
> > > > > On 3/3/20 12:32 AM, David Gibson wrote:
> > > > > > On Fri, Feb 28, 2020 at 11:54:04PM -0800, Ram Pai wrote:
> > > > > >> XIVE is not correctly enabled for Secure VM in the KVM Hypervisor yet.
> > > > > >>
> > > > > >> Hence Secure VM, must always default to XICS interrupt controller.
> > > > > >>
> > > > > >> If XIVE is requested through kernel command line option "xive=on",
> > > > > >> override and turn it off.
> > > > > >>
> > > > > >> If XIVE is the only supported platform interrupt controller; specified
> > > > > >> through qemu option "ic-mode=xive", simply abort. Otherwise default to
> > > > > >> XICS.
> > > > > >
> > > > > > Uh... the discussion thread here seems to have gotten oddly off
> > > > > > track.
> > > > >
> > > > > There seem to be multiple issues. It is difficult to have a clear status.
> > > > >
> > > > > > So, to try to clean up some misunderstandings on both sides:
> > > > > >
> > > > > > 1) The guest is the main thing that knows that it will be in secure
> > > > > > mode, so it's reasonable for it to conditionally use XIVE based
> > > > > > on that
> > > > >
> > > > > FW support is required AFAIUI.
> > > > > > 2) The mechanism by which we do it here isn't quite right. Here the
> > > > > > guest is checking itself that the host only allows XIVE, but we
> > > > > > can't do XIVE and is panic()ing. Instead, in the SVM case we
> > > > > > should force support->xive to false, and send that in the CAS
> > > > > > request to the host. We expect the host to just terminate
> > > > > > us because of the mismatch, but this will interact better with
> > > > > > host side options setting policy for panic states and the like.
> > > > > > Essentially an SVM kernel should behave like an old kernel with
> > > > > > no XIVE support at all, at least w.r.t. the CAS irq mode flags.
> > > > >
> > > > > Yes. XIVE shouldn't be requested by the guest.
> > > >
> > > > Ok.
> > > >
> > > > > This is the last option
> > > > > I proposed but I thought there was some negotiation with the hypervisor
> > > > > which is not the case.
> > > > >
> > > > > > 3) Although there are means by which the hypervisor can kind of know
> > > > > > a guest is in secure mode, there's not really an "svm=on" option
> > > > > > on the host side. For the most part secure mode is based on
> > > > > > discussion directly between the guest and the ultravisor with
> > > > > > almost no hypervisor intervention.
> > > > >
> > > > > Is there a negotiation with the ultravisor ?
> > > >
> > > > The VM has no negotiation with the ultravisor w.r.t CAS.
> > > >
> > > > >
> > > > > > 4) I'm guessing the problem with XIVE in SVM mode is that XIVE needs
> > > > > > to write to event queues in guest memory, which would have to be
> > > > > > explicitly shared for secure mode. That's true whether it's KVM
> > > > > > or qemu accessing the guest memory, so kernel_irqchip=on/off is
> > > > > > entirely irrelevant.
> > > > >
> > > > > This problem should be already fixed.
> > > > > The XIVE event queues are shared
> > > >
> > > > Yes i have a patch for the guest kernel that shares the event
> > > > queue page with the hypervisor. This is done using the
> > > > UV_SHARE_PAGE ultracall. This patch is not sent out to any any mailing
> > > > lists yet.
> > >
> > > Why ?
> >
> > At this point I am not sure if this is the only change, I need to the
> > guest kernel.
>
> Maybe but we're already sure that this change is needed. I don't really see
> the point in holding this any longer.
>
> > I also need changes to KVM and to the ultravisor. Its bit
> > premature to send the patch without having figured out everything
> > to get xive working on a Secure VM.
> >
>
> I'm a bit confused... why did you send this workaround patch in
> the first place then ? I mean, this raises a concern and we're
> just trying to move forward.
The upstream kernel in its current form, will hang as of today if qemu
has 'ic-mode=xive'. The kernel hangs without giving any indication as to
'why?'. This is a bad state to be in.
This patch was a temporary solution. It is there to inform the user, not
to use 'xive' in secureVM. The user is atleast informed/guided, instead
of lost/confused.
The permanent solution, is to fix the problem in KVM and ultravisor,
along with sharing the EQ-page in the SVM, and get a holistic solution
in place. But that will take time, and may not happen by the time 5.6
releases.
RP
WARNING: multiple messages have this Message-ID (diff)
From: Ram Pai <linuxram@us.ibm.com>
To: Greg Kurz <groug@kaod.org>
Cc: aik@ozlabs.ru, andmike@linux.ibm.com, kvm-ppc@vger.kernel.org,
"Cédric Le Goater" <clg@fr.ibm.com>,
sukadev@linux.vnet.ibm.com, linuxppc-dev@lists.ozlabs.org,
bauerman@linux.ibm.com,
"David Gibson" <david@gibson.dropbear.id.au>
Subject: RE: [RFC PATCH v1] powerpc/prom_init: disable XIVE in Secure VM.
Date: Wed, 04 Mar 2020 15:13:48 +0000 [thread overview]
Message-ID: <20200304151348.GG5416@oc0525413822.ibm.com> (raw)
In-Reply-To: <20200304115948.7b2dfe10@bahia.home>
On Wed, Mar 04, 2020 at 11:59:48AM +0100, Greg Kurz wrote:
> On Tue, 3 Mar 2020 10:56:45 -0800
> Ram Pai <linuxram@us.ibm.com> wrote:
>
> > On Tue, Mar 03, 2020 at 06:45:20PM +0100, Greg Kurz wrote:
> > > On Tue, 3 Mar 2020 09:02:05 -0800
> > > Ram Pai <linuxram@us.ibm.com> wrote:
> > >
> > > > On Tue, Mar 03, 2020 at 07:50:08AM +0100, Cédric Le Goater wrote:
> > > > > On 3/3/20 12:32 AM, David Gibson wrote:
> > > > > > On Fri, Feb 28, 2020 at 11:54:04PM -0800, Ram Pai wrote:
> > > > > >> XIVE is not correctly enabled for Secure VM in the KVM Hypervisor yet.
> > > > > >>
> > > > > >> Hence Secure VM, must always default to XICS interrupt controller.
> > > > > >>
> > > > > >> If XIVE is requested through kernel command line option "xive=on",
> > > > > >> override and turn it off.
> > > > > >>
> > > > > >> If XIVE is the only supported platform interrupt controller; specified
> > > > > >> through qemu option "ic-mode=xive", simply abort. Otherwise default to
> > > > > >> XICS.
> > > > > >
> > > > > > Uh... the discussion thread here seems to have gotten oddly off
> > > > > > track.
> > > > >
> > > > > There seem to be multiple issues. It is difficult to have a clear status.
> > > > >
> > > > > > So, to try to clean up some misunderstandings on both sides:
> > > > > >
> > > > > > 1) The guest is the main thing that knows that it will be in secure
> > > > > > mode, so it's reasonable for it to conditionally use XIVE based
> > > > > > on that
> > > > >
> > > > > FW support is required AFAIUI.
> > > > > > 2) The mechanism by which we do it here isn't quite right. Here the
> > > > > > guest is checking itself that the host only allows XIVE, but we
> > > > > > can't do XIVE and is panic()ing. Instead, in the SVM case we
> > > > > > should force support->xive to false, and send that in the CAS
> > > > > > request to the host. We expect the host to just terminate
> > > > > > us because of the mismatch, but this will interact better with
> > > > > > host side options setting policy for panic states and the like.
> > > > > > Essentially an SVM kernel should behave like an old kernel with
> > > > > > no XIVE support at all, at least w.r.t. the CAS irq mode flags.
> > > > >
> > > > > Yes. XIVE shouldn't be requested by the guest.
> > > >
> > > > Ok.
> > > >
> > > > > This is the last option
> > > > > I proposed but I thought there was some negotiation with the hypervisor
> > > > > which is not the case.
> > > > >
> > > > > > 3) Although there are means by which the hypervisor can kind of know
> > > > > > a guest is in secure mode, there's not really an "svm=on" option
> > > > > > on the host side. For the most part secure mode is based on
> > > > > > discussion directly between the guest and the ultravisor with
> > > > > > almost no hypervisor intervention.
> > > > >
> > > > > Is there a negotiation with the ultravisor ?
> > > >
> > > > The VM has no negotiation with the ultravisor w.r.t CAS.
> > > >
> > > > >
> > > > > > 4) I'm guessing the problem with XIVE in SVM mode is that XIVE needs
> > > > > > to write to event queues in guest memory, which would have to be
> > > > > > explicitly shared for secure mode. That's true whether it's KVM
> > > > > > or qemu accessing the guest memory, so kernel_irqchip=on/off is
> > > > > > entirely irrelevant.
> > > > >
> > > > > This problem should be already fixed.
> > > > > The XIVE event queues are shared
> > > >
> > > > Yes i have a patch for the guest kernel that shares the event
> > > > queue page with the hypervisor. This is done using the
> > > > UV_SHARE_PAGE ultracall. This patch is not sent out to any any mailing
> > > > lists yet.
> > >
> > > Why ?
> >
> > At this point I am not sure if this is the only change, I need to the
> > guest kernel.
>
> Maybe but we're already sure that this change is needed. I don't really see
> the point in holding this any longer.
>
> > I also need changes to KVM and to the ultravisor. Its bit
> > premature to send the patch without having figured out everything
> > to get xive working on a Secure VM.
> >
>
> I'm a bit confused... why did you send this workaround patch in
> the first place then ? I mean, this raises a concern and we're
> just trying to move forward.
The upstream kernel in its current form, will hang as of today if qemu
has 'ic-mode=xive'. The kernel hangs without giving any indication as to
'why?'. This is a bad state to be in.
This patch was a temporary solution. It is there to inform the user, not
to use 'xive' in secureVM. The user is atleast informed/guided, instead
of lost/confused.
The permanent solution, is to fix the problem in KVM and ultravisor,
along with sharing the EQ-page in the SVM, and get a holistic solution
in place. But that will take time, and may not happen by the time 5.6
releases.
RP
next prev parent reply other threads:[~2020-03-04 15:16 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-29 7:54 [RFC PATCH v1] powerpc/prom_init: disable XIVE in Secure VM Ram Pai
2020-02-29 7:54 ` Ram Pai
2020-02-29 8:27 ` Cédric Le Goater
2020-02-29 8:27 ` Cédric Le Goater
2020-02-29 22:51 ` Ram Pai
2020-02-29 22:51 ` Ram Pai
2020-03-02 7:34 ` Cédric Le Goater
2020-03-02 7:34 ` Cédric Le Goater
2020-03-02 20:54 ` Greg Kurz
2020-03-02 20:54 ` Greg Kurz
2020-03-02 23:32 ` David Gibson
2020-03-02 23:32 ` David Gibson
2020-03-03 6:50 ` Cédric Le Goater
2020-03-03 6:50 ` Cédric Le Goater
2020-03-03 17:02 ` Ram Pai
2020-03-03 17:02 ` Ram Pai
2020-03-03 17:45 ` Greg Kurz
2020-03-03 17:45 ` Greg Kurz
2020-03-03 18:56 ` Ram Pai
2020-03-03 18:56 ` Ram Pai
2020-03-04 10:59 ` Greg Kurz
2020-03-04 10:59 ` Greg Kurz
2020-03-04 15:13 ` Ram Pai [this message]
2020-03-04 15:13 ` Ram Pai
2020-03-04 15:37 ` Ram Pai
2020-03-04 15:37 ` Ram Pai
2020-03-04 15:56 ` Cédric Le Goater
2020-03-04 15:56 ` Cédric Le Goater
2020-03-04 23:55 ` David Gibson
2020-03-04 23:55 ` David Gibson
2020-03-05 7:15 ` Cédric Le Goater
2020-03-05 7:15 ` Cédric Le Goater
2020-03-05 15:15 ` Ram Pai
2020-03-05 15:15 ` Ram Pai
2020-03-05 15:36 ` Cédric Le Goater
2020-03-05 15:36 ` Cédric Le Goater
2020-03-03 19:18 ` [EXTERNAL] " Cédric Le Goater
2020-03-03 19:18 ` Cédric Le Goater
2020-03-04 8:34 ` Greg Kurz
2020-03-04 8:34 ` Greg Kurz
2020-03-03 19:08 ` Cédric Le Goater
2020-03-03 19:08 ` Cédric Le Goater
2020-03-03 20:29 ` Ram Pai
2020-03-03 20:29 ` Ram Pai
2020-03-05 11:41 ` Cédric Le Goater
2020-03-05 11:41 ` Cédric Le Goater
-- strict thread matches above, loose matches on Subject: below --
2020-02-29 7:27 Ram Pai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200304151348.GG5416@oc0525413822.ibm.com \
--to=linuxram@us.ibm.com \
--cc=aik@ozlabs.ru \
--cc=andmike@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=clg@fr.ibm.com \
--cc=david@gibson.dropbear.id.au \
--cc=groug@kaod.org \
--cc=kvm-ppc@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=sukadev@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.