Re: [PATCH v1] x86/hvm: Generic instruction re-execution mechanism for execute faults

From: Alexandru Stefan ISAILA <aisaila@bitdefender.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: "kevin.tian@intel.com" <kevin.tian@intel.com>,
	"tamas@tklengyel.com" <tamas@tklengyel.com>,
	"wei.liu2@citrix.com" <wei.liu2@citrix.com>,
	"jun.nakajima@intel.com" <jun.nakajima@intel.com>,
	"rcojocaru@bitdefender.com" <rcojocaru@bitdefender.com>,
	"george.dunlap@eu.citrix.com" <george.dunlap@eu.citrix.com>,
	"andrew.cooper3@citrix.com" <andrew.cooper3@citrix.com>,
	"Mihai Donțu" <mdontu@bitdefender.com>,
	"Andrei Vlad LUTAS" <vlutas@bitdefender.com>,
	"jbeulich@suse.com" <jbeulich@suse.com>,
	"xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	"Anshul Makkar" <anshul.makkar@citrix.com>
Subject: Re: [PATCH v1] x86/hvm: Generic instruction re-execution mechanism for execute faults
Date: Mon, 19 Nov 2018 13:30:09 +0000	[thread overview]
Message-ID: <3d3ae38a-bfae-9908-dac6-163216f900e3@bitdefender.com> (raw)
In-Reply-To: <20181116170412.xrwuun3cqxll22l3@mac>

>> +    /* Now transform our RWX values in a XENMEM_access_* constant. */
>> +    if ( r == 0 && w == 0 && x == 0 )
>> +        new_access = XENMEM_access_n;
>> +    else if ( r == 0 && w == 0 && x == 1 )
>> +        new_access = XENMEM_access_x;
>> +    else if ( r == 0 && w == 1 && x == 0 )
>> +        new_access = XENMEM_access_w;
>> +    else if ( r == 0 && w == 1 && x == 1 )
>> +        new_access = XENMEM_access_wx;
>> +    else if ( r == 1 && w == 0 && x == 0 )
>> +        new_access = XENMEM_access_r;
>> +    else if ( r == 1 && w == 0 && x == 1 )
>> +        new_access = XENMEM_access_rx;
>> +    else if ( r == 1 && w == 1 && x == 0 )
>> +        new_access = XENMEM_access_rw;
>> +    else if ( r == 1 && w == 1 && x == 1 )
>> +        new_access = XENMEM_access_rwx;
>> +    else
>> +        new_access = required_access; /* Should never get here. */
> 
> There seems to be a lot of translation from xenmem_access_t to bool
> fields and then to xenmem_access_t again. Can't you just avoid the
> booleans?

The translation is done because the rights are cumulative and I think 
this is the clear way to do this.

>>       if ( vm_event_check_ring(d->vm_event_monitor) &&
>>            d->arch.monitor.inguest_pagefault_disabled &&
>> -         npfec.kind != npfec_kind_with_gla ) /* don't send a mem_event */
>> +         npfec.kind != npfec_kind_with_gla &&
>> +         hvm_funcs.start_reexecute_instruction ) /* don't send a mem_event */
>>       {
>> -        hvm_emulate_one_vm_event(EMUL_KIND_NORMAL, TRAP_invalid_op, X86_EVENT_NO_EC);
>> -
>> +        v->arch.vm_event->emulate_flags = 0;
>> +        hvm_funcs.start_reexecute_instruction(v, gpa, XENMEM_access_rw);
>>           return true;
>>       }
> 
> Don't you need to fallback to using hvm_emulate_one_vm_event if
> start_reexecute_instruction is not available?

Fallback with hvm_emulate_one_vm_event can result in loosing events.

>> +        for_each_vcpu(d, v)
>> +        {
>> +            if ( !v->arch.rexec_level )
>> +                continue;
>> +
>> +            for ( i = v->arch.rexec_level - 1; i >= 0; i-- )
> 
> Is there any reason this has to be done backwards?
> 
> If you do it from 0 to v->arch.rexec_level you could use an unsigned
> int as the index.

This is done backwards because of the corresponding code in 
vmx_stop_reexecute_instruction() but here it can be turned the other way 
if you insist on i to be unsigned.

>> +#define REEXECUTION_MAX_DEPTH 8
>> +    struct rexec_context_t {
>> +        unsigned long gpa;
>> +        xenmem_access_t old_access;
>> +        xenmem_access_t cur_access;
>> +        bool_t old_single_step;
> 
> bool please
> 
>> +    } rexec_context[REEXECUTION_MAX_DEPTH];
> 
> This is fairly big amount of data that's only used if vm events are
> enabled, could this be allocated on a per-guest basis?

Yes, this can be moved to d->arch.monitor in the next version.

> 
>> +
>> +    int rexec_level;
>> +
>> +    /*
>> +     *  Will be true when the vcpu is in VMX root,
>> +     * false when it is not.
>> +     */
>> +    bool_t in_host;
> 
> bool.
> 
>> +
>>       struct arch_vm_event *vm_event;
>>   
>>       struct vcpu_msrs *msrs;
>> diff --git a/xen/include/asm-x86/hvm/hvm.h b/xen/include/asm-x86/hvm/hvm.h
>> index 3d3250dff0..1f5d43a98d 100644
>> --- a/xen/include/asm-x86/hvm/hvm.h
>> +++ b/xen/include/asm-x86/hvm/hvm.h
>> @@ -167,6 +167,8 @@ struct hvm_function_table {
>>   
>>       int  (*cpu_up)(void);
>>       void (*cpu_down)(void);
>> +    int  (*start_reexecute_instruction)(struct vcpu *v, unsigned long gpa,
>> +                                        xenmem_access_t required_access);
> 
> I would name this reexecute_instruction, I don't think the start_
> prefix adds any value to the handler.

Sure, I will drop the start on the next version

Regards,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel