lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 22 Jul 2021 09:11:02 +0100
From:   Marc Zyngier <maz@...nel.org>
To:     Jianyong Wu <Jianyong.Wu@....com>
Cc:     James Morse <James.Morse@....com>,
        Andre Przywara <Andre.Przywara@....com>,
        "lushenming@...wei.com" <lushenming@...wei.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "kvmarm@...ts.cs.columbia.edu" <kvmarm@...ts.cs.columbia.edu>,
        "linux-doc@...r.kernel.org" <linux-doc@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Justin He <Justin.He@....com>
Subject: Re: [PATCH] doc/arm: take care restore order of GICR_* in ITS restore

On Thu, 22 Jul 2021 03:49:52 +0100,
Jianyong Wu <Jianyong.Wu@....com> wrote:
> 
> Hello Marc,
> 
> > -----Original Message-----
> > From: Marc Zyngier <maz@...nel.org>
> > Sent: Wednesday, July 21, 2021 5:54 PM
> > To: Jianyong Wu <Jianyong.Wu@....com>
> > Cc: James Morse <James.Morse@....com>; Andre Przywara
> > <Andre.Przywara@....com>; lushenming@...wei.com;
> > kvm@...r.kernel.org; kvmarm@...ts.cs.columbia.edu; linux-
> > doc@...r.kernel.org; linux-kernel@...r.kernel.org; Justin He
> > <Justin.He@....com>
> > Subject: Re: [PATCH] doc/arm: take care restore order of GICR_* in ITS
> > restore
> >
> > On Wed, 21 Jul 2021 10:20:19 +0100,
> > Jianyong Wu <jianyong.wu@....com> wrote:
> > >
> > > When restore GIC/ITS, GICR_CTLR must be restored after GICR_PROPBASER
> > > and GICR_PENDBASER. That is important, as both of GICR_PROPBASER and
> > > GICR_PENDBASER will fail to be loaded when lpi has enabled yet in
> > > GICR_CTLR. Keep the restore order above will avoid that issue.
> > > Shout it out at the doc is very helpful that may avoid lots of debug work.
> >
> > But that's something that is already mandated by the architecture, isn't it?
> > See "5.1 LPIs" in the architecture spec:
> >
> > <quote>
> >
> > If GICR_PROPBASER is updated when GICR_CTLR.EnableLPIs == 1, the effects
> > are UNPREDICTABLE.
> >
> > [...]
> >
> > If GICR_PENDBASER is updated when GICR_CTLR.EnableLPIs == 1, the effects
> > are UNPREDICTABLE.
> >
> 
> I think this "UNPREDICTABLE" related with the "physical machine". Am
> I right?

No, you are unfortunately wrong. The architecture applies to *any*
implementation, and makes no distinction between a HW implementation
of a SW version. This is why we call it an architecture, and not an
implementation.

> In virtualization environment, kernel gives the definite answer that
> we should not enable GICR_CTLR.EnableLPIs before restoring
> GICR_PROPBASER(GICR_PENDBASER either) when restore GIC ITS in VMM,
> see [1]. Thus, should we consider the virtualization environment as
> a special case?

Absolutely not.  If you start special casing things, then we end-up
having stupidly designed SW that tries to do stupid things based on
the supposed properties of an implementation.

We follow the architecture, all the architecture, nothing but the
architecture. The architecture is the only barrier between insanity
and pure madness! ;-)

>
> [1] linux/arch/arm64/kvm/vgic/vgic-mmio-v3.c
> static void vgic_mmio_write_propbase(struct kvm_vcpu *vcpu,
>                                      gpa_t addr, unsigned int len,
>                                      unsigned long val)
> {
>         struct vgic_dist *dist = &vcpu->kvm->arch.vgic;
>         struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
>         u64 old_propbaser, propbaser;
> 
>         /* Storing a value with LPIs already enabled is undefined */
>         if (vgic_cpu->lpis_enabled)
>            return;
> ...
> }

Do you see how the kernel does exactly what the architecture says we
can do? Ignoring the write is a perfectly valid implementation of
UNPREDICTABLE.

So what we do is completely in line with the architecture. As such, no
need to document it any further, everything is already where it should
be. If someone tries to write code dealing with the GIC without
understanding the architecture, no amount of additional documentation
will help.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.

Powered by blists - more mailing lists