Date: Mon, 9 Apr 2018 15:05:12 +0200
From: Christoffer Dall
To: Marc Zyngier
Cc: Peter Maydell, lkml - Kernel Mailing List, arm-mail-list, kvmarm@lists.cs.columbia.edu, Andrew Jones
Subject: Re: [REPOST PATCH] arm/arm64: KVM: Add PSCI version selection API
Message-ID: <20180409130512.GF10904@cbox>

On Mon, Apr 09, 2018 at 01:47:50PM +0100, Marc Zyngier wrote:
> +Drew, who's looked at the whole save/restore thing extensively
>
> On 09/04/18 13:30, Christoffer Dall wrote:
> > On Thu, Mar 15, 2018 at 07:26:48PM +0000, Marc Zyngier wrote:
> >> On 15/03/18 19:13, Peter Maydell wrote:
> >>> On 15 March 2018 at 19:00, Marc Zyngier wrote:
> >>>> On 06/03/18 09:21, Andrew Jones wrote:
> >>>>> On Mon, Mar 05, 2018 at 04:47:55PM +0000, Peter Maydell wrote:
> >>>>>> On 2 March 2018 at 11:11, Marc Zyngier wrote:
> >>>>>>> On Fri, 02 Mar 2018 10:44:48 +0000,
> >>>>>>> Auger Eric wrote:
> >>>>>>>> I understand the get/set is called as part of the migration process.
> >>>>>>>> So my understanding is the benefit of this series is migration fails in
> >>>>>>>> those cases:
> >>>>>>>>
> >>>>>>>> >=0.2 source -> 0.1 destination
> >>>>>>>> 0.1 source -> >=0.2 destination
> >>>>>>>
> >>>>>>> It also fails in the case where you migrate a 1.0 guest to something
> >>>>>>> that cannot support it.
> >>>>>>
> >>>>>> I think it would be useful if we could write out the various
> >>>>>> combinations of source, destination and what we expect/want to
> >>>>>> have happen. My gut feeling here is that we're sacrificing
> >>>>>> exact migration compatibility in favour of having the guest
> >>>>>> automatically get the variant-2 mitigations, but it's not clear
> >>>>>> to me exactly which migration combinations that's intended to
> >>>>>> happen for. Marc?
> >>>>>>
> >>>>>> If this wasn't a mitigation issue the desired behaviour would be
> >>>>>> straightforward:
> >>>>>> * kernel should default to 0.2 on the basis that
> >>>>>>   that's what it did before
> >>>>>> * new QEMU version should enable 1.0 by default for virt-2.12
> >>>>>>   and 0.2 for virt-2.11 and earlier
> >>>>>> * PSCI version info shouldn't appear in migration stream unless
> >>>>>>   it's something other than 0.2
> >>>>>> But that would leave some setups (which?) unnecessarily without the
> >>>>>> mitigation, so we're not doing that. The question is, exactly
> >>>>>> what *are* we aiming for?
> >>>>>
> >>>>> The reason Marc dropped this patch from the series it was first introduced
> >>>>> in was because we didn't have the aim 100% understood. We want the
> >>>>> mitigation by default, but also to have the least chance of migration
> >>>>> failure, and when we must fail (because we're not doing the
> >>>>> straightforward approach listed above, which would prevent failures), then
> >>>>> we want to fail with the least amount of damage to the user.
> >>>>>
> >>>>> I experimented with a couple different approaches and provided tables[1]
> >>>>> with my results. I even recommended an approach, but I may have changed
> >>>>> my mind after reading Marc's follow-up[2]. The thread continues from
> >>>>> there as well with follow-ups from Christoffer, Marc, and myself. Anyway,
> >>>>> Marc did this repost for us to debate it and work out the best approach
> >>>>> here.
> >>>> It doesn't look like we've made much progress on this, which makes me
> >>>> think that we probably don't need anything of the like.
> >>>
> >>> I was waiting for a better explanation from you of what we're trying to
> >>> achieve. If you want to take the "do nothing" approach then a list
> >>> also of what migrations succeed/fail/break in that case would also
> >>> be useful.
> >>>
> >>> (I am somewhat lazily trying to avoid having to spend time reverse
> >>> engineering the "what are we trying to do and what effects are
> >>> we accepting" parts from the patch and the code that's already gone
> >>> into the kernel.)
> >>
> >> OK, let me (re)state the problem:
> >>
> >> For a guest that requests PSCI 0.2 (i.e. all guests from the past 4 or 5
> >> years), we now silently upgrade the PSCI version to 1.0 allowing the new
> >> SMCCC to be discovered, and the ARCH_WORKAROUND_1 service to be called.
> >>
> >> Things get funny, specially with migration (and the way QEMU works).
> >>
> >> If we "do nothing":
> >>
> >> (1) A guest migrating from an "old" host to a "new" host will silently
> >> see its PSCI version upgraded. Not a big deal in my opinion, as 1.0 is a
> >> strict superset of 0.2 (apart from the version number...).
> >>
> >> (2) A guest migrating from a "new" host to an "old" host will silently
> >> lose its Spectre v2 mitigation. That's quite a big deal.
> >>
> >> (3, not related to migration) A guest having a hardcoded knowledge of
> >> PSCI 0.2 will see that we've changed something, and may decide to catch
> >> fire. Oh well.
> >>
> >> If we take this patch:
> >>
> >> (1) still exists
> >
> > No problem, IMHO.
> >
> >>
> >> (2) will now fail to migrate. I see this as a feature.
> >
> > Yes, I agree. This is actually the most important reason for doing
> > anything beyond what's already merged.
>
> Indeed, and that's the reason I wrote this patch in the first place.
>
> >
> >>
> >> (3) can be worked around by setting the "PSCI version pseudo register"
> >> to 0.2.
> >
> > Nice to have, but we're probably not expecting this to be of major
> > concern. I initially thought it was a nice debugging feature as well,
> > but that may be a ridiculous point.
> >
> >>
> >> These are the main things I can think of at the moment.
> >
> > So I think we should merge this patch.
> >
> > If userspace then wants to support "migrate from explicitly set v0.2 new
> > kernel to old kernel", then it must add specific support to filter out
> > the register from the register list; not that I think anyone will need
> > that or bother to implement it.
> >
> > In other words, I think you should merge this:
> >
> > Reviewed-by: Christoffer Dall
> >
>
> Thanks. One issue is that we've now missed the 4.16 train, and that this
> effectively is an ABI change (a fairly minor one, but still). Would we
> consider slapping this as a retrospective fix to 4.16-stable, or keep it
> as a 4.17 feature?

Given that it fixes a potentially dangerous migration, and it's a fairly
simple patch, I think it's reasonable to apply as a fix to the next 4.16
release. Would we be violating any hard-set rules in doing so?

Thanks,
-Christoffer
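
The migration cases discussed in this thread, written out as a small model. This is an added example, not part of the original message and not KVM or QEMU code; the host kinds, the `migrate()` function and the outcome names are hypothetical, and the model assumes a destination kernel that lacks the pseudo register refuses a stream that carries it.

```c
/* Toy model of the migration cases in this thread; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum outcome { MIG_OK, MIG_UPGRADED, MIG_LOST_MITIGATION, MIG_FAIL };

struct host {
    bool upgrades_to_1_0;   /* "new" kernel: PSCI 0.2 guests silently get 1.0 */
    bool has_psci_reg;      /* kernel exposes the PSCI version pseudo register */
};

static const struct host OLD_HOST     = { false, false };
static const struct host NEW_HOST     = { true,  false }; /* "do nothing" */
static const struct host PATCHED_HOST = { true,  true  }; /* with the patch */

/* Versions encoded as major*10+minor: 2 = PSCI 0.2, 10 = PSCI 1.0. */
static int default_version(const struct host *h)
{
    return h->upgrades_to_1_0 ? 10 : 2;
}

/* explicit_ver: value userspace wrote to the pseudo register on the source,
 * or 0 to keep the kernel default. filter_v0_2: userspace drops the register
 * from the stream when its value is 0.2 (the optional filtering mentioned
 * in the thread). */
enum outcome migrate(const struct host *src, int explicit_ver,
                     const struct host *dst, bool filter_v0_2)
{
    int src_ver = (src->has_psci_reg && explicit_ver) ? explicit_ver
                                                      : default_version(src);
    bool in_stream = src->has_psci_reg && !(filter_v0_2 && src_ver == 2);
    int dst_ver;

    /* Model assumption: an unknown register makes the destination refuse. */
    if (in_stream && !dst->has_psci_reg)
        return MIG_FAIL;
    dst_ver = in_stream ? src_ver : default_version(dst);

    if (dst_ver < src_ver)
        return MIG_LOST_MITIGATION;   /* 1.0 -> 0.2: ARCH_WORKAROUND_1 gone */
    return dst_ver > src_ver ? MIG_UPGRADED : MIG_OK;
}

int main(void)
{
    printf("new -> old, do nothing: %d\n", migrate(&NEW_HOST, 0, &OLD_HOST, false));
    printf("new -> old, patched:    %d\n", migrate(&PATCHED_HOST, 0, &OLD_HOST, false));
    return 0;
}
```

Case (2) is the one that changes: without the register the guest arrives on the old host with the mitigation silently gone, and with it the migration is refused instead.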