From: Jing Zhang <jingzhangos@google.com> To: Marc Zyngier <maz@kernel.org> Cc: KVM <kvm@vger.kernel.org>, KVMARM <kvmarm@lists.linux.dev>, ARMLinux <linux-arm-kernel@lists.infradead.org>, Oliver Upton <oupton@google.com>, Will Deacon <will@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>, James Morse <james.morse@arm.com>, Alexandru Elisei <alexandru.elisei@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Fuad Tabba <tabba@google.com>, Reiji Watanabe <reijiw@google.com>, Raghavendra Rao Ananta <rananta@google.com> Subject: Re: [PATCH v10 5/5] KVM: arm64: Refactor writings for PMUVer/CSV2/CSV3 Date: Tue, 30 May 2023 14:18:04 -0700 [thread overview] Message-ID: <CAAdAUtjJ8n8+jt=Y=oJFuRvERzRY4DQr6S7JThobU=wWMOYaRQ@mail.gmail.com> (raw) In-Reply-To: <87pm6kogx8.wl-maz@kernel.org> Hi Marc, On Sun, May 28, 2023 at 4:05 AM Marc Zyngier <maz@kernel.org> wrote: > > On Mon, 22 May 2023 23:18:35 +0100, > Jing Zhang <jingzhangos@google.com> wrote: > > > > Refactor writings for ID_AA64PFR0_EL1.[CSV2|CSV3], > > ID_AA64DFR0_EL1.PMUVer and ID_DFR0_ELF.PerfMon based on utilities > > specific to ID register. > > > > Signed-off-by: Jing Zhang <jingzhangos@google.com> > > --- > > arch/arm64/include/asm/cpufeature.h | 1 + > > arch/arm64/kernel/cpufeature.c | 2 +- > > arch/arm64/kvm/sys_regs.c | 365 ++++++++++++++++++---------- > > 3 files changed, 243 insertions(+), 125 deletions(-) > > Reading the result after applying this series, I feel like a stuck > record. This final series still contains gems like this: > > static int set_id_aa64pfr0_el1(struct kvm_vcpu *vcpu, > const struct sys_reg_desc *rd, > u64 val) > { > u8 csv2, csv3; > > /* > * Allow AA64PFR0_EL1.CSV2 to be set from userspace as long as > * it doesn't promise more than what is actually provided (the > * guest could otherwise be covered in ectoplasmic residue). > */ > csv2 = cpuid_feature_extract_unsigned_field(val, ID_AA64PFR0_EL1_CSV2_SHIFT); > if (csv2 > 1 || > (csv2 && arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED)) > return -EINVAL; > > /* Same thing for CSV3 */ > csv3 = cpuid_feature_extract_unsigned_field(val, ID_AA64PFR0_EL1_CSV3_SHIFT); > if (csv3 > 1 || > (csv3 && arm64_get_meltdown_state() != SPECTRE_UNAFFECTED)) > return -EINVAL; > > return set_id_reg(vcpu, rd, val); > } > > Why do we have this? I've asked the question at least 3 times in the > previous versions, and I still see the same code. > > If we have sane limits, the call to arm64_check_features() in > set_id_reg() will catch the illegal write. So why do we have this at > all? The whole point of the exercise was to unify the handling. But > you're actually making it worse. > > So what's the catch? Sorry, I am only aware of one discussion of this code in v8. The reason I still keep the check here is that the arm64_check_features() can not catch all illegal writes as this code does. For example, for CSV2, one concern is: When arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED, this code only allows guest CSV2 to be set to 0, any non-zero value would lead to -EINVAL. If we remove the check here, the guest CSV2 can be set to any value lower or equal to host CSV2. Of course, we can set the sane limit of CSV2 to 0 when arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED in read_sanitised_id_aa64pfr0_el1(). Then we can remove all the checks here and no specific set_id function for AA64PFR0_EL1 is needed. > > M. > > -- > Without deviation from the norm, progress is not possible. Thanks, Jing
WARNING: multiple messages have this Message-ID (diff)
From: Jing Zhang <jingzhangos@google.com> To: Marc Zyngier <maz@kernel.org> Cc: KVM <kvm@vger.kernel.org>, KVMARM <kvmarm@lists.linux.dev>, ARMLinux <linux-arm-kernel@lists.infradead.org>, Oliver Upton <oupton@google.com>, Will Deacon <will@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>, James Morse <james.morse@arm.com>, Alexandru Elisei <alexandru.elisei@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Fuad Tabba <tabba@google.com>, Reiji Watanabe <reijiw@google.com>, Raghavendra Rao Ananta <rananta@google.com> Subject: Re: [PATCH v10 5/5] KVM: arm64: Refactor writings for PMUVer/CSV2/CSV3 Date: Tue, 30 May 2023 14:18:04 -0700 [thread overview] Message-ID: <CAAdAUtjJ8n8+jt=Y=oJFuRvERzRY4DQr6S7JThobU=wWMOYaRQ@mail.gmail.com> (raw) In-Reply-To: <87pm6kogx8.wl-maz@kernel.org> Hi Marc, On Sun, May 28, 2023 at 4:05 AM Marc Zyngier <maz@kernel.org> wrote: > > On Mon, 22 May 2023 23:18:35 +0100, > Jing Zhang <jingzhangos@google.com> wrote: > > > > Refactor writings for ID_AA64PFR0_EL1.[CSV2|CSV3], > > ID_AA64DFR0_EL1.PMUVer and ID_DFR0_ELF.PerfMon based on utilities > > specific to ID register. > > > > Signed-off-by: Jing Zhang <jingzhangos@google.com> > > --- > > arch/arm64/include/asm/cpufeature.h | 1 + > > arch/arm64/kernel/cpufeature.c | 2 +- > > arch/arm64/kvm/sys_regs.c | 365 ++++++++++++++++++---------- > > 3 files changed, 243 insertions(+), 125 deletions(-) > > Reading the result after applying this series, I feel like a stuck > record. This final series still contains gems like this: > > static int set_id_aa64pfr0_el1(struct kvm_vcpu *vcpu, > const struct sys_reg_desc *rd, > u64 val) > { > u8 csv2, csv3; > > /* > * Allow AA64PFR0_EL1.CSV2 to be set from userspace as long as > * it doesn't promise more than what is actually provided (the > * guest could otherwise be covered in ectoplasmic residue). > */ > csv2 = cpuid_feature_extract_unsigned_field(val, ID_AA64PFR0_EL1_CSV2_SHIFT); > if (csv2 > 1 || > (csv2 && arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED)) > return -EINVAL; > > /* Same thing for CSV3 */ > csv3 = cpuid_feature_extract_unsigned_field(val, ID_AA64PFR0_EL1_CSV3_SHIFT); > if (csv3 > 1 || > (csv3 && arm64_get_meltdown_state() != SPECTRE_UNAFFECTED)) > return -EINVAL; > > return set_id_reg(vcpu, rd, val); > } > > Why do we have this? I've asked the question at least 3 times in the > previous versions, and I still see the same code. > > If we have sane limits, the call to arm64_check_features() in > set_id_reg() will catch the illegal write. So why do we have this at > all? The whole point of the exercise was to unify the handling. But > you're actually making it worse. > > So what's the catch? Sorry, I am only aware of one discussion of this code in v8. The reason I still keep the check here is that the arm64_check_features() can not catch all illegal writes as this code does. For example, for CSV2, one concern is: When arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED, this code only allows guest CSV2 to be set to 0, any non-zero value would lead to -EINVAL. If we remove the check here, the guest CSV2 can be set to any value lower or equal to host CSV2. Of course, we can set the sane limit of CSV2 to 0 when arm64_get_spectre_v2_state() != SPECTRE_UNAFFECTED in read_sanitised_id_aa64pfr0_el1(). Then we can remove all the checks here and no specific set_id function for AA64PFR0_EL1 is needed. > > M. > > -- > Without deviation from the norm, progress is not possible. Thanks, Jing _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2023-05-30 21:18 UTC|newest] Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-05-22 22:18 [PATCH v10 0/5] Support writable CPU ID registers from userspace Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-22 22:18 ` [PATCH v10 1/5] KVM: arm64: Save ID registers' sanitized value per guest Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-28 9:56 ` Marc Zyngier 2023-05-28 9:56 ` Marc Zyngier 2023-05-30 18:02 ` Jing Zhang 2023-05-30 18:02 ` Jing Zhang 2023-05-31 7:24 ` Marc Zyngier 2023-05-31 7:24 ` Marc Zyngier 2023-05-31 17:25 ` Jing Zhang 2023-05-22 22:18 ` [PATCH v10 2/5] KVM: arm64: Use per guest ID register for ID_AA64PFR0_EL1.[CSV2|CSV3] Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-28 10:29 ` Marc Zyngier 2023-05-28 10:29 ` Marc Zyngier 2023-05-30 18:32 ` Jing Zhang 2023-05-30 18:32 ` Jing Zhang 2023-05-22 22:18 ` [PATCH v10 3/5] KVM: arm64: Use per guest ID register for ID_AA64DFR0_EL1.PMUVer Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-28 10:52 ` Marc Zyngier 2023-05-28 10:52 ` Marc Zyngier 2023-05-30 18:35 ` Jing Zhang 2023-05-30 18:35 ` Jing Zhang 2023-05-22 22:18 ` [PATCH v10 4/5] KVM: arm64: Reuse fields of sys_reg_desc for idreg Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-26 21:37 ` Oliver Upton 2023-05-26 21:37 ` Oliver Upton 2023-05-27 13:41 ` Marc Zyngier 2023-05-27 13:41 ` Marc Zyngier 2023-05-22 22:18 ` [PATCH v10 5/5] KVM: arm64: Refactor writings for PMUVer/CSV2/CSV3 Jing Zhang 2023-05-22 22:18 ` Jing Zhang 2023-05-28 11:04 ` Marc Zyngier 2023-05-28 11:04 ` Marc Zyngier 2023-05-30 21:18 ` Jing Zhang [this message] 2023-05-30 21:18 ` Jing Zhang 2023-05-31 7:31 ` Marc Zyngier 2023-05-31 7:31 ` Marc Zyngier 2023-05-31 17:29 ` Jing Zhang 2023-05-31 17:29 ` Jing Zhang
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAAdAUtjJ8n8+jt=Y=oJFuRvERzRY4DQr6S7JThobU=wWMOYaRQ@mail.gmail.com' \ --to=jingzhangos@google.com \ --cc=alexandru.elisei@arm.com \ --cc=james.morse@arm.com \ --cc=kvm@vger.kernel.org \ --cc=kvmarm@lists.linux.dev \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=maz@kernel.org \ --cc=oupton@google.com \ --cc=pbonzini@redhat.com \ --cc=rananta@google.com \ --cc=reijiw@google.com \ --cc=suzuki.poulose@arm.com \ --cc=tabba@google.com \ --cc=will@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.