Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp376627pxa;
        Wed, 12 Aug 2020 04:34:05 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzw9h4unT1/9pEBcSHGneZzr4yJwKH9mPXBNr0NStkIm2QDljvxZHpkRT0YOWS/+iKwPon2
X-Received: by 2002:a17:906:95d4:: with SMTP id n20mr32849726ejy.485.1597232045332;
        Wed, 12 Aug 2020 04:34:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597232045; cv=none;
        d=google.com; s=arc-20160816;
        b=TjBBIpNdx9bq85Iz/F+gxMrBPChLVHSwkf1CDSkLwnRiCHNH1k3pE8SyKwzKvy0sjk
         RDq4E6fABD3YIRTf6JOWm3k3hlBysCPhojzIsmpjGxy7K9TBuJUaWbp3l5c3pOZt5Xxs
         YSomNKGNzHWcb+CwEODX9WSWrzhOYi1YPZ8PnHus9+rIt+ktITHmcpNPpiJG1cY8AvH/
         +1GM102+3ew3CIr6WI5WxiShTZo8JxPXX+2R/jzQ2lziVZRuAVa2WwVOjOh8i+6h5DCj
         xMSCscZKn3SC+1lkT6AZR3T1//spG39Bz6DpZ1jxL2GuxhtafUVmvKSW0jvztVv+C1tb
         iyFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=RoczEJbTRhp4E6+m43og6G2+lF41l5//y8mz5TyVbNM=;
        b=m5+XjL2odm0bhtsKL5XQPDOLZxOBgCf2qjFJjOdAZUZcgugU9bwe5OFw+bhXg5pmw0
         h1k2UnMCU03YdKADf0VCOSR1Na4RRpi1PFjEDUyonLj8B2Te38zeg2WOXtnag2GMcL+Q
         NMsmeBb4t8MYk/tVSIzigKU/o8K8k0rCW4btXjn6FPC+84E8BjEM16SEYHmiyjrRyL+P
         KZiQXN8llu1d+MZikYOffuRURgWAzDP8tzOUo9JrAELY1ZlJPyjxTEjPvwnMzJbBUP1/
         N+ASS7euOXIPIHaKBZeBWHi4MGgBh66sjwNvbmwuR5ZvuzWAq1pnpO+OM5DCL7TPLo19
         ArOg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DMG3ailN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id sd25si957953ejb.341.2020.08.12.04.33.42;
        Wed, 12 Aug 2020 04:34:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DMG3ailN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727854AbgHLLdH (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Wed, 12 Aug 2020 07:33:07 -0400
Received: from us-smtp-1.mimecast.com ([205.139.110.61]:59711 "EHLO
        us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726698AbgHLLdF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 Aug 2020 07:33:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1597231983;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=RoczEJbTRhp4E6+m43og6G2+lF41l5//y8mz5TyVbNM=;
        b=DMG3ailNkDHlTMsWzCJrO6l6TI+fwDh1IfCJgC0jPPZavwixLwWFh61EAeNs2Nb9OZ9BoH
        EiasU7jjC7sE+CTWibN3ASXTkWwy2BrtlAsSGX+gOPk+5XjtC/YlU1OaICKj9I51EsA6BF
        J3c8vyk3+anoSRSvDE+OuJd+cyE2bSA=
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-104-6MV7vWY4MIOhoGY5s-RWIw-1; Wed, 12 Aug 2020 07:33:01 -0400
X-MC-Unique: 6MV7vWY4MIOhoGY5s-RWIw-1
Received: by mail-wr1-f72.google.com with SMTP id s23so792896wrb.12
        for <linux-kernel@vger.kernel.org>; Wed, 12 Aug 2020 04:33:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=RoczEJbTRhp4E6+m43og6G2+lF41l5//y8mz5TyVbNM=;
        b=YHAna4li54OSa/cQS/ZgXcjF4OiYzicLSpy2XYvuRewa+zMqgyR3X0H1sCrpX2/Nwq
         ayFVOxMOtDwHiGCiB+zOU8hQ1Ylfc4mZcYT9NlicjEIIg4zcvShOtB5q8KJaxMiIomuv
         HrRIhLvEtSiTksWzHbP3RpTvQ1jj9eK2OpVVYWrT8ZgLr+xdJr5Wz7iELijM4qW1xYeG
         0BJ9e2+BjHL3aRMpqUUGBHUskYLrzPZqw49PaJMFnyOy+pInYH+e+E+2dRLIOAr/phyk
         WN9z14SLPtUqaab8CrEBiD3dsym4n6wr2dBU1x8L+Zxpb8VksUDjxD7+Hq1ZwPmqf0Rn
         vH9Q==
X-Gm-Message-State: AOAM533Yd0b/rqaWiI74JeR5+fKvCfIQX6R9sBhM02JFco3DoKA1/FPJ
        i1ISF86hk+PkqslXSnkr1JVZbcggZ39B/xg8X9CGEkXb0PKO8f0BLN8/5RbumkRPNfZFxIXlHRb
        wixOaQ7fDg2j0+fUdt5KQglwj
X-Received: by 2002:a5d:4749:: with SMTP id o9mr33576518wrs.68.1597231980350;
        Wed, 12 Aug 2020 04:33:00 -0700 (PDT)
X-Received: by 2002:a5d:4749:: with SMTP id o9mr33576497wrs.68.1597231980079;
        Wed, 12 Aug 2020 04:33:00 -0700 (PDT)
Received: from ?IPv6:2001:b07:6468:f312:fcdc:39e8:d361:7e30? ([2001:b07:6468:f312:fcdc:39e8:d361:7e30])
        by smtp.gmail.com with ESMTPSA id o3sm3596446wru.64.2020.08.12.04.32.59
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 12 Aug 2020 04:32:59 -0700 (PDT)
Subject: Re: [PATCH] KVM: x86/pmu: Add '.exclude_hv = 1' for guest perf_event
To:     peterz@infradead.org
Cc:     Like Xu <like.xu@linux.intel.com>, Yao <yao.jin@linux.intel.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Joerg Roedel <joro@8bytes.org>, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>
References: <20200812050722.25824-1-like.xu@linux.intel.com>
 <5c41978e-8341-a179-b724-9aa6e7e8a073@redhat.com>
 <20200812111115.GO2674@hirez.programming.kicks-ass.net>
From:   Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <65eddd3c-c901-1c5a-681f-f0cb07b5fbb1@redhat.com>
Date:   Wed, 12 Aug 2020 13:32:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <20200812111115.GO2674@hirez.programming.kicks-ass.net>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 12/08/20 13:11, peterz@infradead.org wrote:
>> x86 does not have a hypervisor privilege level, so it never uses
> 
> Arguably it does when Xen, but I don't think we support that, so *phew*.

Yeah, I suppose you could imagine having paravirtualized perf counters
where the Xen privileged domain could ask Xen to run perf counters on
itself.

>> exclude_hv; exclude_host already excludes all root mode activity for
>> both ring0 and ring3.
> 
> Right, but we want to tighten the permission checks and not excluding_hv
> is just sloppy.

I would just document that it's ignored as it doesn't make sense.  ARM64
does that too, for new processors where the kernel is not itself split
between supervisor and hypervisor privilege levels.

There are people that are trying to run Linux-based firmware and have
SMM handlers as part of the kernel.  Perhaps they could use exclude_hv
to exclude the SMM handlers from perf (if including them is possible at
all).

> The thing is, we very much do not want to allow unpriv user to be able
> to create: exclude_host=1, exclude_guest=0 counters (they currently
> can).

That would be the case of an unprivileged user that wants to measure
performance of its guests.  It's a scenario that makes a lot of sense,
are you worried about side channels?  Can perf-events on guests leak
more about the host than perf-events on a random userspace program?

> Also, exclude_host is really poorly defined:
> 
>   https://lkml.kernel.org/r/20200806091827.GY2674@hirez.programming.kicks-ass.net
> 
>   "Suppose we have nested virt:
> 
> 	  L0-hv
> 	  |
> 	  G0/L1-hv
> 	     |
> 	     G1
> 
>   And we're running in G0, then:
> 
>   - 'exclude_hv' would exclude L0 events
>   - 'exclude_host' would ... exclude L1-hv events?
>   - 'exclude_guest' would ... exclude G1 events?

From the point of view of G0, L0 *does not exist at all*.  You just
cannot see L0 events if you're running in G0.

exclude_host/exclude_guest are the right definition.

>   Then the next question is, if G0 is a host, does the L1-hv run in
>   G0 userspace or G0 kernel space?

It's mostly kernel, but sometimes you're interested in events from QEMU
or whoever else has opened /dev/kvm.  In that case you care about G0
userspace too.

> The way it is implemented, you basically have to always set
> exclude_host=0, even if there is no virt at all and you want to measure
> your own userspace thing -- which is just weird.

I understand regretting having exclude_guest that way; include_guest
(defaulting to 0!) would have made more sense.  But defaulting to
exclude_host==0 makes sense: if there is no virt at all, memset(0) does
the right thing so it does not seem weird to me.

> I suppose the 'best' option at this point is something like:
> 
> 	/*
> 	 * comment that explains the trainwreck.
> 	 */
> 	if (!exclude_host && !exclude_guest)
> 		exclude_guest = 1;
> 
> 	if ((!exclude_hv || !exclude_guest) && !perf_allow_kernel())
> 		return -EPERM;
> 
> But that takes away the possibility of actually having:
> 'exclude_host=0, exclude_guest=0' to create an event that measures both,
> which also sucks.

In fact both of the above "if"s suck. :(

Paolo