Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp361972rdg;
        Thu, 12 Oct 2023 07:48:30 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF6nvIN2bedWW34ej+74mYrYBnyN7kr8QvFsQKxpJ4cRo1aajp/4Qic4n8Vv+CszP5tJR0f
X-Received: by 2002:a17:903:228c:b0:1b7:f64b:379b with SMTP id b12-20020a170903228c00b001b7f64b379bmr37418048plh.17.1697122110121;
        Thu, 12 Oct 2023 07:48:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697122110; cv=none;
        d=google.com; s=arc-20160816;
        b=IgaWgIT2cid2daFT9+oC4Cipt4WKRQ85kLGIEmFHzro5BBeEB2w0cztkVNOP1SliAv
         9lhcEcml7yuusmWpPzyoydKK7vqm+W0U4MfmXMCVa12KGg/VdLbZYKnnld0tOOQkJyUZ
         AyMLbMQJKCcb1lql+w/DDq3JfO5T/0MeK6KikhklHJOzFEyUBro38FxugIC8xcbVP97R
         hQZeENO6WIv8+lGIyEXeMhIEcLFsxpDJVem3+u45qM1cvncWo7ELVX/TVWljhHBB6h6d
         5t+TwR3wGrL+u8EFH411+kwbljqn5LNn0xftxD6EClCbHdGR9XC6h6kE3R9edm+OZwfh
         R4cQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=U2K1C0Pj84ZrqJehtDgN09C31kBPbd7+aWDDFAj/gE4=;
        fh=10K+fIoA4tSC1+OqRth9DXOttzjE+U3XgycKcu2PfjY=;
        b=mJdHiamIUpj4SBS3OH7RDGYPaxMi8Iio/bThjILgobfUOIYpv8vg1yfd5A6jjNYjFc
         FFn3GKpx7qW0YmRvS/CRrGyxcnaQftrBZI3Vdwwa4i0dW8payyDEgQBflcHXowKGP5n2
         bAWLTtv6CFOsITZ1CYl2cwSMLcvkbcfp045TwUQJ6Xj15FKomXS5s6oHr3EZp7GhDDQt
         lyUEIAtrL68+uw9q3EASFDLvAssnHrUfo663+Gon7eVq9qd+NdTbGrcsndCpu0TR1M8n
         bN3C1W61Xr2uNr8bn6Xa2c9hVtFT1FimT+wjd8aVZx0WchXxQbSr504Rg20Rwo4WHSgc
         oF+g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=AZNUnXC1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1])
        by mx.google.com with ESMTPS id bf8-20020a170902b90800b001c746bca05dsi2251579plb.69.2023.10.12.07.48.28
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 12 Oct 2023 07:48:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=AZNUnXC1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by morse.vger.email (Postfix) with ESMTP id 9F14C83B1EA6;
	Thu, 12 Oct 2023 07:48:26 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1379009AbjJLOsT (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Thu, 12 Oct 2023 10:48:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36520 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1378354AbjJLOsR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 12 Oct 2023 10:48:17 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D843AB8
        for <linux-kernel@vger.kernel.org>; Thu, 12 Oct 2023 07:48:15 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4C4EBC433C7;
        Thu, 12 Oct 2023 14:48:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1697122095;
        bh=iZPYvU5wRljfApCM+MJ581owf29pPt1A+Y/BqRAY+FE=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=AZNUnXC1YMmjFRqVniBnW419vtLsGYUrow79j6TNfhCrFDGuF9rRWfIhvSl6PXOQQ
         QlxMhbim0buZILGg9x254gcDzAA8uXbN2gl9sLMQdtZQKHLdqKGRv4vs57zRG4BBj8
         bXHZTOeNMsrpzuPQKtTExlGtpRtmZawU4lCfhv5iQMDnwe21bUy/k8bWm81aSOOqPe
         dCpw/6x6ixPvpOCPg8rdcXZNZ/arpenL/pyzZSoyPQb8nuYxonJ0DbpEuIrm3qh/i1
         YDFsQ71W+evua2BfFNImFU7X+t9CIDoFzcn9ytjtnSyCuCKPt099BMfkeF7DPWKWFD
         Kn5fFXtEV1djw==
Date:   Thu, 12 Oct 2023 15:48:08 +0100
From:   Will Deacon <will@kernel.org>
To:     Catalin Marinas <catalin.marinas@arm.com>
Cc:     Lorenzo Pieralisi <lpieralisi@kernel.org>,
        Jason Gunthorpe <jgg@nvidia.com>, ankita@nvidia.com,
        maz@kernel.org, oliver.upton@linux.dev, aniketa@nvidia.com,
        cjia@nvidia.com, kwankhede@nvidia.com, targupta@nvidia.com,
        vsethi@nvidia.com, acurrid@nvidia.com, apopple@nvidia.com,
        jhubbard@nvidia.com, danw@nvidia.com,
        linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 2/2] KVM: arm64: allow the VM to select DEVICE_* and
 NORMAL_NC for IO memory
Message-ID: <20231012144807.GA12374@willie-the-truck>
References: <20230907181459.18145-3-ankita@nvidia.com>
 <ZP8q71+YXoU6O9uh@lpieralisi>
 <ZP9MQdRYmlawNsbC@nvidia.com>
 <ZQHUifAfJ+lZikAn@lpieralisi>
 <ZQIFfqgR5zcidRR3@nvidia.com>
 <ZRKW6uDR/+eXYMzl@lpieralisi>
 <ZRLiDf204zCpO6Mv@arm.com>
 <ZR6IZwcFNw55asW0@lpieralisi>
 <20231012123541.GB11824@willie-the-truck>
 <ZSf6Ue09IO6QMBs1@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZSf6Ue09IO6QMBs1@arm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-1.2 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Thu, 12 Oct 2023 07:48:26 -0700 (PDT)

On Thu, Oct 12, 2023 at 02:53:21PM +0100, Catalin Marinas wrote:
> On Thu, Oct 12, 2023 at 01:35:41PM +0100, Will Deacon wrote:
> > On Thu, Oct 05, 2023 at 11:56:55AM +0200, Lorenzo Pieralisi wrote:
> > > For all these reasons, relax the KVM stage 2 device
> > > memory attributes from DEVICE_nGnRE to NormalNC.
> > 
> > The reasoning above suggests to me that this should probably just be
> > Normal cacheable, as that is what actually allows the guest to control
> > the attributes. So what is the rationale behind stopping at Normal-NC?
> 
> It's more like we don't have any clue on what may happen. MTE is
> obviously a case where it can go wrong (we can blame the architecture
> design here) but I recall years ago where a malicious guest could bring
> the platform down by mapping the GIC CPU interface as cacheable.

... and do we know that isn't the case for non-cacheable? If not, why not?

Also, are you saying we used to map the GIC CPU interface as cacheable
at stage-2? I remember exclusives causing a problem, but I don't remember
the guest having a cacheable mapping.

> Not sure how error containment works with cacheable memory. A cacheable
> access to a device may stay in the cache a lot longer after the guest
> has been scheduled out, only evicted at some random time.

But similarly, non-cacheable stores can be buffered. Why isn't that a
problem?

> We may no longer be able to associate it with the guest, especially if the
> guest exited. Also not sure about claiming back the device after killing
> the guest, do we need cache maintenance?

Claiming back the device also seems strange if the guest has been using
non-cacheable accesses since I think you could get write merging and
reordering with subsequent device accesses trying to reset the device.

> So, for now I'd only relax this if we know there's RAM(-like) on the
> other side and won't trigger some potentially uncontainable errors as a
> result.

I guess my wider point is that I'm not convinced that non-cacheable is
actually much better and I think we're going way off the deep end looking
at what particular implementations do and trying to justify to ourselves
that non-cacheable is safe, even though it's still a normal memory type
at the end of the day.

Obviously, it's up to Marc and Oliver if they want to do this, but I'm
wary without an official statement from Arm to say that Normal-NC is
correct. There's mention of such a statement in the cover letter:

  > We hope ARM will publish information helping platform designers
  > follow these guidelines.

but imo we shouldn't merge this without either:

  (a) _Architectural_ guidance (as opposed to some random whitepaper or
      half-baked certification scheme).

- or -

  (b) A concrete justification based on the current architecture as to
      why Normal-NC is the right thing to do for KVM.

The current wording talks about use-cases (I get this) and error containment
(it's a property of the system) but doesn't talk at all about why Normal-NC
is the right result.

Will