Re: DESIGN: CPUID part 3

["Jan Beulich" <JBeulich@suse.com>]

>>> On 08.06.17 at 15:12, <andrew.cooper3@citrix.com> wrote:
> # Proposal
> 
> First and foremost, split the current **max\_policy** notion into separate
> **max** and **default** policies.  This allows for the provision of features
> which are unused by default, but may be opted in to, both at the hypervisor
> level and the toolstack level.
> 
> At the hypervisor level, **max** constitutes all the features Xen can use on
> the current hardware, while **default** is the subset thereof which are
> supported features, the features which the user has explicitly opted in to,
> and excluding any features the user has explicitly opted out of.
> 
> A new `cpuid=` command line option shall be introduced, whose internals are
> generated automatically from the featureset ABI.  This means that all features
> added to `include/public/arch-x86/cpufeatureset.h` automatically gain command
> line control.  (RFC: The same top level option can probably be used for
> non-feature CPUID data control, although I can't currently think of any cases
> where this would be used Also find a sensible way to express 'available but
> not to be used by Xen', as per the current `smep` and `smap` options.)

Especially for disabling individual features I'm not sure "cpuid=" is
an appropriate name. After all CPUID is only a manifestation of
behavior elsewhere, and hence we don't really want CPUID
behavior be controlled, but behavior which CPUID output reflects.
I can't, however, think of an alternative name I would consider
more suitable.

> At the guest level, **max** constitutes all the features which can be offered
> to each type of guest on this hardware.  Derived from Xen's **default**
> policy, it includes the supported features and explicitly opted in to
> features, which are appropriate for the guest.

There's no provision here at all for features which hardware doesn't
offer, but which we can emulate in a reasonable way (UMIP being
the example I'd be thinking of right away). While perhaps this could
be viewed to be covered by "explicitly opted in to features", I think
it would be nice to make this explicit.

> The guests **default** policy is then derived from its **max**, and includes
> the supported features which are considered migration safe.  (RFC: This
> distinction is rather fuzzy, but for example it wouldn't include things like
> ITSC by default, as that is likely to go wrong unless special care is 
> taken.)

As per above I think the delta between max and default is larger
than just migration-unsafe pieces. Iirc for UMIP we would mean to
have it off by default at least in the case where emulation incurs
side effects.

> The `disable_migrate` field shall be dropped.  The concept of migrateability
> is not boolean; it is a large spectrum, all of which needs to be managed by
> the toolstack.  The simple case is picking the common subset of features
> between the source and destination.  This becomes more complicated e.g. if the
> guest uses LBR/LER, at which point the toolstack needs to consider hardware
> with the same LBR/LER format in addition to just the plain features.

Not sure about this - by intercepting the MSR accesses to the involved
MSRs, it would be possible to mimic the LBR/LER format expected by
the guest even if different from that of the host.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel