Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5551417pxb; Mon, 14 Feb 2022 01:39:13 -0800 (PST) X-Google-Smtp-Source: ABdhPJztvCuH/vpUs+PoOnTx6tjfm7Whm88F2Qzwx2pktDQ4umacPL6xdPgPEFRjxy2N9jNinuNF X-Received: by 2002:a17:90a:840a:: with SMTP id j10mr13355883pjn.50.1644831553255; Mon, 14 Feb 2022 01:39:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644831553; cv=none; d=google.com; s=arc-20160816; b=e19NLazfmnfW9MJncSY7Cwy0rRiHZrXyP9YoYh8UQiaRurAR0XP9p8e1UCZvhgq3Or stWRFTIBHUtJVP9QLUcaE4TRKIRNkkjNe11nMx4KPbB1MbyQ1b44J1VFku/3dtuPvVoC QulclcDpMGQCT1OZP+wLB0JKa1cB2rvB9nIZCRTN8xzM+PHDjgaGepxQYsbgO0chLFcl fNANkSmWiWkHjZibEE1UTUU4d2AcZ1l2PmXwWyBMR58AiIVTMwhyC+hvP3w7/5bM7ePQ nfD5Y/vDIFPSFzX8/2L9ndNtiPQcaclFOEjWf8Jh7RtnIvdBiKOG49OV1cC8R5AX+G/j PRfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=1JvWh818HSwyByKURfrR7CWWqjhqS9rtqWKqKohtLUk=; b=gz9V50Mb7eWwz9A8HXRYjsIJezlBqxZ3Pio96AeRsq/PACaiq/b5nx4atmVEt+0wlb FtHYkmXoS5FAL7V/kAmc1/S4kspgWlaLGJRMFuZN5ck8JbS3Wnu+PXablnpLUEDc4iFE M/dGmMX72hFqzZ0J/2PxQCs3cKJ1Z7swqWh27Szlwr9w/AMHHyDKkJw7XNgGKoHRVCYI oMQiwYOY3dM+QpMzHdyB9Tm+6s/PqWeUhM7m5rpbZqAZASmwNN8DNOh5a+crUu4g3Ful /1FhSsk8sn6xSf+e5lQfYxA1SoAq73moCy0q57bAWTqWQMvDGSSXA09pRC5XpGfJpZv4 PwXw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=RXcSaFQP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x18si7886837pjh.155.2022.02.14.01.38.58; Mon, 14 Feb 2022 01:39:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=RXcSaFQP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232541AbiBLXbl (ORCPT + 99 others); Sat, 12 Feb 2022 18:31:41 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232277AbiBLXbk (ORCPT ); Sat, 12 Feb 2022 18:31:40 -0500 Received: from mail-oo1-xc2c.google.com (mail-oo1-xc2c.google.com [IPv6:2607:f8b0:4864:20::c2c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D0BEA5FF23 for ; Sat, 12 Feb 2022 15:31:35 -0800 (PST) Received: by mail-oo1-xc2c.google.com with SMTP id o128-20020a4a4486000000b003181707ed40so14892778ooa.11 for ; Sat, 12 Feb 2022 15:31:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1JvWh818HSwyByKURfrR7CWWqjhqS9rtqWKqKohtLUk=; b=RXcSaFQPcpSmfaYbe4neY2ZS+2/rGm+c2h5VDDOLsSrZexZjmS9qDQLN6l10AxEL2a J+76Z7pvQk5A3oNz7HVY4t/S/9jF6TxcWlsvMNcq67JzwErPb1OTosgrxzRTLski4+Gc FYSNG9wfXbR/HNdCAut36GV5Bcls6Jh7dU23oKe59IAAOavePC++/SUXp7IAR1p9PMDi KQ0vKglEAbysPz6cRvOzPJRY0hfhvlrd8DooX5XFo1IiHhYJBQ4QKcKC+6CugfR/o584 2W1H10oI8Qw59w+cKjkT8mv7YbEvebU6rPsBLwLkCjT7JuMwx6nzSKMMzMDHBnBW3QxN LFGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1JvWh818HSwyByKURfrR7CWWqjhqS9rtqWKqKohtLUk=; b=5PUAxm1HdyHmED2rILOgDCc7227vjlsdyhdkpjgxcZo/JDlKEL+Vmy5NfoSVzxpFh5 zaQ5Gn65qmkatoljWYTSOxNPAwjvudGx9SnhS7DoALKcuW7R0xNO5iJtPsDm6hFn4DMt 2w3zPF+hkV4/vCiIqWNpMPPg7DG4zQNlvlJE0bW38XnCtBTpXmYAsO61o+18Ohsc9mhT hP3vWmhApQLUUaqGRizPMgvDPhHR05gFiYf+OpnyWFB7Q3y3yv7EgXdEx5kp0Ji2pIjb QD9S8Se+eI4322tcheqg6JphBSP910w+xHfaSDab+cESbGNK2RruIvcI9AYHTzRs3qHW S+kQ== X-Gm-Message-State: AOAM533RvyGQAYu2TA6245frr6mdQ9ck7IZAedtCr/532CBPRxOQkq8a sRHjv/xXs0nxqRXb8ZC8JwMOCISol1hkAlYBlYesCg== X-Received: by 2002:a05:6871:581:: with SMTP id u1mr2067111oan.139.1644708694863; Sat, 12 Feb 2022 15:31:34 -0800 (PST) MIME-Version: 1.0 References: <20220117085307.93030-1-likexu@tencent.com> <20220202144308.GB20638@worktop.programming.kicks-ass.net> <69c0fc41-a5bd-fea9-43f6-4724368baf66@intel.com> <67a731dd-53ba-0eb8-377f-9707e5c9be1b@intel.com> <7b5012d8-6ae1-7cde-a381-e82685dfed4f@linux.intel.com> <6afcec02-fb44-7b72-e527-6517a94855d4@linux.intel.com> <2180ea93-5f05-b1c1-7253-e3707da29f8c@linux.intel.com> In-Reply-To: <2180ea93-5f05-b1c1-7253-e3707da29f8c@linux.intel.com> From: Jim Mattson Date: Sat, 12 Feb 2022 15:31:23 -0800 Message-ID: Subject: Re: [PATCH kvm/queue v2 2/3] perf: x86/core: Add interface to query perfmon_event_map[] directly To: "Liang, Kan" Cc: David Dunn , Dave Hansen , Peter Zijlstra , Like Xu , Paolo Bonzini , Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Like Xu , Stephane Eranian Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 11, 2022 at 1:47 PM Liang, Kan wrote: > > > > On 2/11/2022 1:08 PM, Jim Mattson wrote: > > On Fri, Feb 11, 2022 at 6:11 AM Liang, Kan wrote: > >> > >> > >> > >> On 2/10/2022 2:55 PM, David Dunn wrote: > >>> Kan, > >>> > >>> On Thu, Feb 10, 2022 at 11:46 AM Liang, Kan wrote: > >>> > >>>> No, we don't, at least for Linux. Because the host own everything. It > >>>> doesn't need the MSR to tell which one is in use. We track it in an SW way. > >>>> > >>>> For the new request from the guest to own a counter, I guess maybe it is > >>>> worth implementing it. But yes, the existing/legacy guest never check > >>>> the MSR. > >>> > >>> This is the expectation of all software that uses the PMU in every > >>> guest. It isn't just the Linux perf system. > >>> > >>> The KVM vPMU model we have today results in the PMU utilizing software > >>> simply not working properly in a guest. The only case that can > >>> consistently "work" today is not giving the guest a PMU at all. > >>> > >>> And that's why you are hearing requests to gift the entire PMU to the > >>> guest while it is running. All existing PMU software knows about the > >>> various constraints on exactly how each MSR must be used to get sane > >>> data. And by gifting the entire PMU it allows that software to work > >>> properly. But that has to be controlled by policy at host level such > >>> that the owner of the host knows that they are not going to have PMU > >>> visibility into guests that have control of PMU. > >>> > >> > >> I think here is how a guest event works today with KVM and perf subsystem. > >> - Guest create an event A > >> - The guest kernel assigns a guest counter M to event A, and config > >> the related MSRs of the guest counter M. > >> - KVM intercepts the MSR access and create a host event B. (The > >> host event B is based on the settings of the guest counter M. As I said, > >> at least for Linux, some SW config impacts the counter assignment. KVM > >> never knows it. Event B can only be a similar event to A.) > >> - Linux perf subsystem assigns a physical counter N to a host event > >> B according to event B's constraint. (N may not be the same as M, > >> because A and B may have different event constraints) > >> > >> As you can see, even the entire PMU is given to the guest, we still > >> cannot guarantee that the physical counter M can be assigned to the > >> guest event A. > > > > All we know about the guest is that it has programmed virtual counter > > M. It seems obvious to me that we can satisfy that request by giving > > it physical counter M. If, for whatever reason, we give it physical > > counter N isntead, and M and N are not completely fungible, then we > > have failed. > > > >> How to fix it? The only thing I can imagine is "passthrough". Let KVM > >> directly assign the counter M to guest. So, to me, this policy sounds > >> like let KVM replace the perf to control the whole PMU resources, and we > >> will handover them to our guest then. Is it what we want? > > > > We want PMU virtualization to work. There are at least two ways of doing that: > > 1) Cede the entire PMU to the guest while it's running. > > So the guest will take over the control of the entire PMUs while it's > running. I know someone wants to do system-wide monitoring. This case > will be failed. We have system-wide monitoring for fleet efficiency, but since there's nothing we can do about the efficiency of the guest (and those cycles are paid for by the customer, anyway), I don't think our efficiency experts lose any important insights if guest cycles are a blind spot. > I'm not sure whether you can fully trust the guest. If malware runs in > the guest, I don't know whether it will harm the entire system. I'm not > a security expert, but it sounds dangerous. > Hope the administrators know what they are doing when choosing this policy. Virtual machines are inherently dangerous. :-) Despite our concerns about PMU side-channels, Intel is constantly reminding us that no such attacks are yet known. We would probably restrict some events to guests that occupy an entire socket, just to be safe. Note that on the flip side, TDX and SEV are all about catering to guests that don't trust the host. Those customers probably don't want the host to be able to use the PMU to snoop on guest activity. > > 2) Introduce a new "ultimate" priority level in the host perf > > subsystem. Only KVM can request events at the ultimate priority, and > > these requests supersede any other requests. > > The "ultimate" priority level doesn't help in the above case. The > counter M may not bring the precise which guest requests. I remember you > called it "broken". Ideally, ultimate priority also comes with the ability to request specific counters. > KVM can fails the case, but KVM cannot notify the guest. The guest still > see wrong result. > > > > > Other solutions are welcome. > > I don't have a perfect solution to achieve all your requirements. Based > on my understanding, the guest has to be compromised by either > tolerating some errors or dropping some features (e.g., some special > events). With that, we may consider the above "ultimate" priority level > policy. The default policy would be the same as the current > implementation, where the host perf treats all the users, including the > guest, equally. The administrators can set the "ultimate" priority level > policy, which may let the KVM/guest pin/own some regular counters via > perf subsystem. That's just my personal opinion for your reference. I disagree. The guest does not have to be compromised. For a proof of concept, see VMware ESXi. Probably Microsoft Hyper-V as well, though I haven't checked.