Re: [kvm-unit-tests PATCH 00/39] x86/access: nVMX: Big overhaul

From: Paolo Bonzini <pbonzini@redhat.com>
To: Sean Christopherson <seanjc@google.com>
Cc: kvm@vger.kernel.org
Subject: Re: [kvm-unit-tests PATCH 00/39] x86/access: nVMX: Big overhaul
Date: Fri, 26 Nov 2021 19:43:12 +0100	[thread overview]
Message-ID: <34ff357d-c073-4a68-117d-63ccff1085cb@redhat.com> (raw)
In-Reply-To: <20211125012857.508243-1-seanjc@google.com>

On 11/25/21 02:28, Sean Christopherson wrote:
> This started out as a very simple test (patch 39/39) to expose a KVM bug
> where KVM doesn't sync a shadow MMU on a vmcs12->vpid change.  Except the
> test didn't fail.  And it turns out, completely removing INVLPG from the
> base access test doesn't fail when using shadow paging either.
> 
> The underlying problem in both cases is that the access test is flat out
> stupid when it comes to handling page tables.  Instead of allocating page
> tables once and manipulating them on each iteration, it "allocates" a new
> paging structure when necessary on every. single. iteration.  In addition
> to being incredibly inefficient (allocation also zeros the entire 4kb page,
> so the test zeros absurd amounts of memory), writing upper level PTEs on
> every iteration triggers write-protection mechanisms in KVM.  In effect,
> KVM ends up synchronizing the relevant SPTEs on every iteration, which
> again is ridiculously slow and makes it all but impossible to actually
> test that KVM handles other TLB invalidation scenarios.
> 
> Trying to solve that mess by pre-allocating the page tables exposed a
> whole pile of 5-level paging issues.  I'd say the test's 5-level support
> is held together by duct tape, but I've fixed many things with duct tape
> that are far less fragile.
> 
> The second half of this series is cleanups in the nVMX code to prepare
> for adding the (INV)VPID variants.  Not directly related to the access
> tests, but it annoyed me to no end that simply checking if INVVPID is
> supported was non-trivial.

Queued, thanks.  The new tests are pretty slow on debug kernels (about 3 
minutes each).  I'll check next week if there's any low hanging 
fruit---or anything broken.

Paolo

> Sean Christopherson (39):
>    x86/access: Add proper defines for hardcoded addresses
>    x86/access: Cache CR3 to improve performance
>    x86/access:  Use do-while loop for what is obviously a do-while loop
>    x86/access: Stop pretending the test is SMP friendly
>    x86/access: Refactor so called "page table pool" logic
>    x86/access: Stash root page table level in test environment
>    x86/access: Hoist page table allocator helpers above "init" helper
>    x86/access: Rename variables in page table walkers
>    x86/access: Abort if page table insertion hits an unexpected level
>    x86/access: Make SMEP place nice with 5-level paging
>    x86/access: Use upper half of virtual address space
>    x86/access: Print the index when dumping PTEs
>    x86/access: Pre-allocate all page tables at (sub)test init
>    x86/access: Don't write page tables if desired PTE is same as current
>      PTE
>    x86/access: Preserve A/D bits when writing paging structure entries
>    x86/access: Make toggling of PRESENT bit a "higher order" action
>    x86/access: Manually override PMD in effective permissions sub-test
>    x86/access: Remove manual override of PUD/PMD in prefetch sub-test
>    x86/access: Remove PMD/PT target overrides
>    x86/access: Remove timeout overrides now that performance doesn't suck
>    nVMX: Skip EPT tests if INVEPT(SINGLE_CONTEXT) is unsupported
>    nVMX: Hoist assert macros to the top of vmx.h
>    nVMX: Add a non-reporting assertion macro
>    nVMX: Assert success in unchecked INVEPT/INVVPID helpers
>    nVMX: Drop less-than-useless ept_sync() wrapper
>    nVMX: Move EPT capability check helpers to vmx.h
>    nVMX: Drop unused and useless vpid_sync() helper
>    nVMX: Remove "v1" version of INVVPID test
>    nVMX: Add helper to check if INVVPID type is supported
>    nVMX: Add helper to check if INVVPID is supported
>    nVMX: Add helper to get first supported INVVPID type
>    nVMX: Use helper to check for EPT A/D support
>    nVMX: Add helpers to check for 4/5-level EPT support
>    nVMX: Fix name of macro defining EPT execute only capability
>    nVMX: Add helper to check if a memtype is supported for EPT structures
>    nVMX: Get rid of horribly named "ctrl" boolean in test_ept_eptp()
>    nVMX: Rename awful "ctrl" booleans to "is_ctrl_valid"
>    nVMX: Add helper to check if VPID is supported
>    x86/access: nVMX: Add "access" test variants to invalidate via
>      (INV)VPID
> 
>   x86/access.c      | 391 ++++++++++++++++++++++++++++------------------
>   x86/unittests.cfg |  10 +-
>   x86/vmx.c         |  71 +--------
>   x86/vmx.h         | 229 ++++++++++++++++++---------
>   x86/vmx_tests.c   | 327 +++++++++++++++++---------------------
>   5 files changed, 543 insertions(+), 485 deletions(-)
> 