lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8636d9iv1q.wl-maz@kernel.org>
Date:   Tue, 24 Dec 2019 15:48:33 +0000
From:   Marc Zyngier <maz@...nel.org>
To:     Andrew Murray <andrew.murray@....com>
Cc:     kvm@...r.kernel.org, Catalin Marinas <catalin.marinas@....com>,
        linux-kernel@...r.kernel.org, Sudeep Holla <sudeep.holla@....com>,
        Will Deacon <will@...nel.org>, kvmarm@...ts.cs.columbia.edu,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v2 08/18] arm64: KVM: add support to save/restore SPE profiling buffer controls

On Tue, 24 Dec 2019 15:17:39 +0000,
Andrew Murray <andrew.murray@....com> wrote:
> 
> On Tue, Dec 24, 2019 at 10:49:30AM +0000, Andrew Murray wrote:
> > On Sat, Dec 21, 2019 at 01:57:55PM +0000, Marc Zyngier wrote:
> > > On Fri, 20 Dec 2019 14:30:15 +0000
> > > Andrew Murray <andrew.murray@....com> wrote:
> > > 
> > > > From: Sudeep Holla <sudeep.holla@....com>
> > > > 
> > > > Currently since we don't support profiling using SPE in the guests,
> > > > we just save the PMSCR_EL1, flush the profiling buffers and disable
> > > > sampling. However in order to support simultaneous sampling both in
> > > 
> > > Is the sampling actually simultaneous? I don't believe so (the whole
> > > series would be much simpler if it was).
> > 
> > No the SPE is used by either the guest or host at any one time. I guess
> > the term simultaneous was used to refer to illusion given to both guest
> > and host that they are able to use it whenever they like. I'll update
> > the commit message to drop the magic.
> >  
> > 
> > > 
> > > > the host and guests, we need to save and reatore the complete SPE
> > > 
> > > s/reatore/restore/
> > 
> > Noted.
> > 
> > 
> > > 
> > > > profiling buffer controls' context.
> > > > 
> > > > Let's add the support for the same and keep it disabled for now.
> > > > We can enable it conditionally only if guests are allowed to use
> > > > SPE.
> > > > 
> > > > Signed-off-by: Sudeep Holla <sudeep.holla@....com>
> > > > [ Clear PMBSR bit when saving state to prevent spurious interrupts ]
> > > > Signed-off-by: Andrew Murray <andrew.murray@....com>
> > > > ---
> > > >  arch/arm64/kvm/hyp/debug-sr.c | 51 +++++++++++++++++++++++++++++------
> > > >  1 file changed, 43 insertions(+), 8 deletions(-)
> > > > 
> > > > diff --git a/arch/arm64/kvm/hyp/debug-sr.c b/arch/arm64/kvm/hyp/debug-sr.c
> > > > index 8a70a493345e..12429b212a3a 100644
> > > > --- a/arch/arm64/kvm/hyp/debug-sr.c
> > > > +++ b/arch/arm64/kvm/hyp/debug-sr.c
> > > > @@ -85,7 +85,8 @@
> > > >  	default:	write_debug(ptr[0], reg, 0);			\
> > > >  	}
> > > >  
> > > > -static void __hyp_text __debug_save_spe_nvhe(struct kvm_cpu_context *ctxt)
> > > > +static void __hyp_text
> > > > +__debug_save_spe_nvhe(struct kvm_cpu_context *ctxt, bool full_ctxt)
> > > 
> > > nit: don't split lines like this if you can avoid it. You can put the
> > > full_ctxt parameter on a separate line instead.
> > 
> > Yes understood.
> > 
> > 
> > > 
> > > >  {
> > > >  	u64 reg;
> > > >  
> > > > @@ -102,22 +103,46 @@ static void __hyp_text __debug_save_spe_nvhe(struct kvm_cpu_context *ctxt)
> > > >  	if (reg & BIT(SYS_PMBIDR_EL1_P_SHIFT))
> > > >  		return;
> > > >  
> > > > -	/* No; is the host actually using the thing? */
> > > > -	reg = read_sysreg_s(SYS_PMBLIMITR_EL1);
> > > > -	if (!(reg & BIT(SYS_PMBLIMITR_EL1_E_SHIFT)))
> > > > +	/* Save the control register and disable data generation */
> > > > +	ctxt->sys_regs[PMSCR_EL1] = read_sysreg_el1(SYS_PMSCR);
> > > > +
> > > > +	if (!ctxt->sys_regs[PMSCR_EL1])
> > > 
> > > Shouldn't you check the enable bits instead of relying on the whole
> > > thing being zero?
> > 
> > Yes that would make more sense (E1SPE and E0SPE).
> > 
> > I feel that this check makes an assumption about the guest/host SPE
> > driver... What happens if the SPE driver writes to some SPE registers
> > but doesn't enable PMSCR? If the guest is also using SPE then those
> > writes will be lost, when the host returns and the SPE driver enables
> > SPE it won't work.
> >
> > With a quick look at the SPE driver I'm not sure this will happen, but
> > even so it makes me nervous relying on these assumptions. I wonder if
> > this risk is present in other devices?

As a rule of thumb, you should always save whatever you're about to
overwrite if the registers are not under exclusive control of KVM. No
exception.

So if the guest is willing to use SPE *and* that it isn't enabled on
the host, these registers have to be saved on vcpu_load() and restored
on vcpu_put().

If SPE is enabled on the host, then trapping has to be enabled, and no
tracing occurs in the guest for this time slice.

> In fact, this may be a good reason to trap the SPE registers - this would
> allow you to conditionally save/restore based on a dirty bit. It would
> also allow you to re-evaluate the SPE interrupt (for example when the guest
> clears the status register) and thus potentially reduce any black hole.

I don't see what trapping buys you in the expected case (where the
guest is tracing and the host isn't). To clear PMBSR_EL1.S, you first
need to know that an interrupt has fired. So this brings you exactly
nothing in this particular case, and just adds overhead for everything
else. The whole point of the architecture is that in the non-contended
case, we can give SPE to the guest and mostly forget about it.

I strongly suggest that you start with the simplest possible, non
broken implementation. It doesn't matter if the black holes last for
seconds for now. Once you have something that looks reasonable, we can
evaluate how to improve on it by throwing actual HW and workloads at
it.

	M.

-- 
Jazz is not dead, it just smells funny.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ