Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752627AbdFNSFq (ORCPT <rfc822;w@1wt.eu>);
        Wed, 14 Jun 2017 14:05:46 -0400
Received: from smtp.ctxuk.citrix.com ([185.25.65.24]:5143 "EHLO
        SMTP.EU.CITRIX.COM" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752554AbdFNSFp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Jun 2017 14:05:45 -0400
X-IronPort-AV: E=Sophos;i="5.39,341,1493683200"; 
   d="scan'208";a="47780981"
Subject: Re: [PATCH 3/3] x86/xen: Move paravirt IOPL switching to slow the
 path
To: Andy Lutomirski <luto@kernel.org>, Brian Gerst <brgerst@gmail.com>
References: <20170614124032.4159-1-brgerst@gmail.com>
 <20170614124032.4159-4-brgerst@gmail.com>
 <CALCETrXa9vW6yr8tDYE4fR1V61xMOc0W=Zbi5h-2PW-Od61X8Q@mail.gmail.com>
CC: X86 ML <x86@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@kernel.org>, "H . Peter Anvin" <hpa@zytor.com>,
        Juergen Gross <jgross@suse.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>
From: Andrew Cooper <andrew.cooper3@citrix.com>
Message-ID: <8f1ceb4d-72ba-db57-c468-5059c0227b6b@citrix.com>
Date: Wed, 14 Jun 2017 19:02:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CALCETrXa9vW6yr8tDYE4fR1V61xMOc0W=Zbi5h-2PW-Od61X8Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: AMSPEX02CAS02.citrite.net (10.69.22.113) To
 AMSPEX02CL02.citrite.net (10.69.22.126)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1174
Lines: 30

On 14/06/17 18:40, Andy Lutomirski wrote:
> On Wed, Jun 14, 2017 at 5:40 AM, Brian Gerst <brgerst@gmail.com> wrote:
>> Since tasks using IOPL are very rare, move the switching code to the slow
>> path for lower impact on normal tasks.
> I think that Andrew Cooper added a vmassist that we could opt in to
> that makes Xen PV IOPL switching work more or less just like native.
> We could maybe opt in to that and avoid needing this stuff at all on
> newer hypervisors.

Indeed.

HYPERVISOR_vm_assist(VMASST_CMD_enable, VMASST_TYPE_architectural_iopl);

(if recognised) does two things.

1) virtual IOPL is picked up from EFLAGS in the iret frame, exactly like
native.
2) The guest kernel is assumed to have virtual CPL0 for the purpose of
privilege calculations.

Xen never runs with the real IOPL different to 0, or a PV guests could
disable interrupts with popf.  As a result, all IO port access does trap
to Xen for auditing.  What part 2) does is avoid having the awkward
double-step of Linux needing to set IOPL to 1 for kernel level IO access
to avoid faulting.

The assist should be available in Xen 4.7 and later (or wherever vendors
have backported it to).

~Andrew