From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Lan Tianyu <tianyu.lan@intel.com>,
Sergey Dyasli <sergey.dyasli@citrix.com>,
Kevin Tian <kevin.tian@intel.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>, Juergen Gross <jgross@suse.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Tim Deegan <tim@xen.org>, Anshul Makkar <anshul.makkar@citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Xen-devel <xen-devel@lists.xen.org>,
Euan Harris <euan.harris@citrix.com>,
Joao Martins <joao.m.martins@oracle.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Paul C Lai <paul.c.lai@intel.com>
Subject: Re: DESIGN: CPUID part 3
Date: Mon, 12 Jun 2017 14:07:10 +0100
Message-ID: <0e497e01-2e07-5957-f4c1-034e686bedea@citrix.com>
In-Reply-To: <5939717F0200007800160DF0@prv-mh.provo.novell.com>

On 08/06/17 14:47, Jan Beulich wrote:
>>>> On 08.06.17 at 15:12, <andrew.cooper3@citrix.com> wrote:
>> # Proposal
>>
>> First and foremost, split the current **max\_policy** notion into separate
>> **max** and **default** policies. This allows for the provision of features
>> which are unused by default, but may be opted in to, both at the hypervisor
>> level and the toolstack level.
>>
>> At the hypervisor level, **max** constitutes all the features Xen can use on
>> the current hardware, while **default** is the subset thereof which are
>> supported features, the features which the user has explicitly opted in to,
>> and excluding any features the user has explicitly opted out of.
>>
>> A new `cpuid=` command line option shall be introduced, whose internals are
>> generated automatically from the featureset ABI. This means that all features
>> added to `include/public/arch-x86/cpufeatureset.h` automatically gain command
>> line control. (RFC: The same top level option can probably be used for
>> non-feature CPUID data control, although I can't currently think of any cases
>> where this would be used.  Also find a sensible way to express 'available but
>> not to be used by Xen', as per the current `smep` and `smap` options.)
> Especially for disabling individual features I'm not sure "cpuid=" is
> an appropriate name. After all CPUID is only a manifestation of
> behavior elsewhere, and hence we don't really want CPUID
> behavior to be controlled, but behavior which CPUID output reflects.
> I can't, however, think of an alternative name I would consider
> more suitable.
I suppose I view it a little like "information contained within cpuid"=
I'm happy to use an alternative name if we can think of a better one,
but I definitely want a way to control every feature (rather than the
controls being ad-hoc), and don't want to introduce top level booleans
for each feature.
>
>> At the guest level, **max** constitutes all the features which can be offered
>> to each type of guest on this hardware. Derived from Xen's **default**
>> policy, it includes the supported features and explicitly opted in to
>> features, which are appropriate for the guest.
> There's no provision here at all for features which hardware doesn't
> offer, but which we can emulate in a reasonable way (UMIP being
> the example I'd be thinking of right away). While perhaps this could
> be viewed to be covered by "explicitly opted in to features", I think
> it would be nice to make this explicit.
In this case, I'd include that within "the features which can be offered".
So far, there is only a single feature we emulate to guests without
hardware support, which is x2apic mode for HVM guests.
I should call this distinction out more clearly.
>
>> The guest's **default** policy is then derived from its **max**, and includes
>> the supported features which are considered migration safe. (RFC: This
>> distinction is rather fuzzy, but for example it wouldn't include things like
>> ITSC by default, as that is likely to go wrong unless special care is
>> taken.)
> As per above I think the delta between max and default is larger
> than just migration-unsafe pieces. Iirc for UMIP we would mean to
> have it off by default at least in the case where emulation incurs
> side effects.
There is a lot of emulation overhead for UMIP on non-UMIP-capable
hardware. I'd advocate for it needing to be opt-in at both the
hypervisor and toolstack level. In general, I'd expect people to be
more wary of the added emulation than the information leak.
>
>> The `disable_migrate` field shall be dropped. The concept of migratability
>> is not boolean; it is a large spectrum, all of which needs to be managed by
>> the toolstack. The simple case is picking the common subset of features
>> between the source and destination. This becomes more complicated e.g. if the
>> guest uses LBR/LER, at which point the toolstack needs to consider hardware
>> with the same LBR/LER format in addition to just the plain features.
> Not sure about this - by intercepting the MSR accesses to the involved
> MSRs, it would be possible to mimic the LBR/LER format expected by
> the guest even if different from that of the host.
LER yes, but how would you emulate LBR?
You could set DBG_CTL.BTF/EFLAGS.TF and intercept #DB, but this would be
visible to the guest via pushf/popf. It would also interfere with a
guest trying to single-step itself.
~Andrew
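
The max/default derivation and the "common subset" migration check discussed in this message, as an added example that is not part of the original mail or of Xen's code. The feature bit positions, function names and sample sets are all constructed for illustration and do not match the featureset ABI in `cpufeatureset.h`.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for illustration; not Xen's featureset ABI. */
enum { F_SSE2 = 1 << 0, F_AVX = 1 << 1, F_SMEP = 1 << 2,
       F_ITSC = 1 << 3, F_X2APIC = 1 << 4 };

/* Hypervisor max: what the hardware has and Xen knows how to use. */
static uint32_t host_max(uint32_t hw, uint32_t known) { return hw & known; }

/* Hypervisor default: supported or opted-in features, minus opt-outs. */
static uint32_t host_default(uint32_t max, uint32_t supported,
                             uint32_t opt_in, uint32_t opt_out)
{
    return max & (supported | opt_in) & ~opt_out;
}

/* Guest max: derived from Xen's default, plus features Xen emulates
 * without hardware support, limited to what suits this guest type. */
static uint32_t guest_max(uint32_t host_def, uint32_t emulated, uint32_t type_ok)
{
    return (host_def | emulated) & type_ok;
}

/* Guest default: migration-safe part of max plus toolstack opt-ins;
 * an opt-in can never add a feature that is absent from max. */
static uint32_t guest_default(uint32_t gmax, uint32_t migrate_safe, uint32_t opt_in)
{
    return gmax & (migrate_safe | opt_in);
}

/* Features the guest was given that the destination cannot offer. */
static uint32_t migrate_blockers(uint32_t guest, uint32_t dst_gmax)
{
    return guest & ~dst_gmax;
}

int main(void)
{
    uint32_t all  = F_SSE2 | F_AVX | F_SMEP | F_ITSC | F_X2APIC;
    uint32_t hdef = host_default(host_max(all & ~F_X2APIC, all), all, 0, F_AVX);
    uint32_t gmax = guest_max(hdef, F_X2APIC, all);      /* HVM: x2apic emulated */
    uint32_t gdef = guest_default(gmax, all & ~F_ITSC, 0);
    uint32_t dst  = guest_max(F_SSE2 | F_SMEP, F_X2APIC, all); /* no ITSC there */

    printf("gmax=%#x gdef=%#x blockers(+ITSC)=%#x\n", gmax, gdef,
           migrate_blockers(gdef | F_ITSC, dst));
    return 0;
}
```

The blocker check covers plain feature bits only; a property such as the LBR/LER format raised in the thread would need a separate comparison by the toolstack.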