Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp467475rdg; Thu, 12 Oct 2023 10:37:52 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFsROTsnoWZLeYIiU1puNa7JOjiWCzgHp0h3ZXvYEj6PaRI2hCPPo0yQz1mTip7LdXqh36G X-Received: by 2002:a05:6a20:8f08:b0:154:d3ac:2076 with SMTP id b8-20020a056a208f0800b00154d3ac2076mr27597793pzk.40.1697132272570; Thu, 12 Oct 2023 10:37:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697132272; cv=none; d=google.com; s=arc-20160816; b=IzocMiZ6IHWJQWemw6W/g6a94+jW+MSrTN2prr5lj5Z6Jm2N2spJ7YJtbVHtJzQjkE xUfFxjENwBDu2/SVG2CAdJqS9zroAMYmk9Qi/CCID07iwa4PCinTnOCuDVY3Vh+Vbv2i 7B/preIOvsb8yfD6lm/RuxligpRs/O1BQ3qPz0fnXpYB6Uj8YQ64CRsw+HGtPF4pvkvF rTc3JdY6y24FVfh6VEX/FHMlKlGQr107tM8/KctBK37sjIhLsE/2ni2GeTcO9QbdGCBQ OhPGKzh9LMnpJ6p+mB3T2SgvPWkxMHrzwDVzrqRUzZR5W51XS/Qni27guBSuwg9uI1uI ynrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=6bOCO5Bk8k6ZVJN14/vskVt4OjGax/Tp9skI4ACJPt4=; fh=3jcJIL3+j/4vL3mdWb6qW4zMQlah4YMufGwp4BPpsqo=; b=IXEmufNIL90h1q/FwUHrLMY4AOM/rMkVJ/6HHlxxW3aDTDL1fgXxzgO+K9FXjcq0Oa 8VsD3kYk3N4bJKumEU60UE9PrZjgFwCb2sm8c4ZxsuY47w/RtRkmCBr/imu+dSp6qhNf MZxixTsbV656VO8dmsl7QEIDaqUPKFKKV/IHd/8uWenZOMnViOoHkyyHzlJ/iRb5DbCN L6fcPwAdan6HEidMKzAnNu0xKL+/1QxYklp502626M8L8aODtG42XyFv9m3Cy2gl/617 3WPNSDMdrnOHFqOkWHn56ja9PIgSUFEXgeuQO9i7wuNswa4KA+MNir6qImo9Mq/B02jM 1Wkg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32]) by mx.google.com with ESMTPS id m23-20020a63fd57000000b005898d648224si2727347pgj.12.2023.10.12.10.37.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Oct 2023 10:37:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by agentk.vger.email (Postfix) with ESMTP id E0D6E819BB74; Thu, 12 Oct 2023 10:37:37 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347411AbjJLRha (ORCPT + 99 others); Thu, 12 Oct 2023 13:37:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1347473AbjJLRhQ (ORCPT ); Thu, 12 Oct 2023 13:37:16 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DBD855B98 for ; Thu, 12 Oct 2023 10:26:07 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 538F5C433C9; Thu, 12 Oct 2023 17:26:04 +0000 (UTC) Date: Thu, 12 Oct 2023 18:26:01 +0100 From: Catalin Marinas To: Will Deacon Cc: Lorenzo Pieralisi , Jason Gunthorpe , ankita@nvidia.com, maz@kernel.org, oliver.upton@linux.dev, aniketa@nvidia.com, cjia@nvidia.com, kwankhede@nvidia.com, targupta@nvidia.com, vsethi@nvidia.com, acurrid@nvidia.com, apopple@nvidia.com, jhubbard@nvidia.com, danw@nvidia.com, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org Subject: Re: [PATCH v1 2/2] KVM: arm64: allow the VM to select DEVICE_* and NORMAL_NC for IO memory Message-ID: References: <20231012123541.GB11824@willie-the-truck> <20231012144807.GA12374@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231012144807.GA12374@willie-the-truck> X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Thu, 12 Oct 2023 10:37:38 -0700 (PDT) On Thu, Oct 12, 2023 at 03:48:08PM +0100, Will Deacon wrote: > On Thu, Oct 12, 2023 at 02:53:21PM +0100, Catalin Marinas wrote: > > On Thu, Oct 12, 2023 at 01:35:41PM +0100, Will Deacon wrote: > > > On Thu, Oct 05, 2023 at 11:56:55AM +0200, Lorenzo Pieralisi wrote: > > > > For all these reasons, relax the KVM stage 2 device > > > > memory attributes from DEVICE_nGnRE to NormalNC. > > > > > > The reasoning above suggests to me that this should probably just be > > > Normal cacheable, as that is what actually allows the guest to control > > > the attributes. So what is the rationale behind stopping at Normal-NC? > > > > It's more like we don't have any clue on what may happen. MTE is > > obviously a case where it can go wrong (we can blame the architecture > > design here) but I recall years ago where a malicious guest could bring > > the platform down by mapping the GIC CPU interface as cacheable. > > ... and do we know that isn't the case for non-cacheable? If not, why not? Trying to get this information from the hw folk and architects is really hard. So we only relax it one step at a time ;). But given the MTE problems, I'd not go for cacheable Stage 2 unless we have FEAT_MTE_PERM implemented (both hw and sw). S2 cacheable allows the guest to map it as Normal Tagged. > Also, are you saying we used to map the GIC CPU interface as cacheable > at stage-2? I remember exclusives causing a problem, but I don't remember > the guest having a cacheable mapping. The guest never had a cacheable mapping, IIRC it was more of a theoretical problem, plugging a hole. Now, maybe I misremember, it's pretty hard to search the git logs given how the code was moved around (but I do remember the building we were in when discussing this, it was on the ground floor ;)). > > Not sure how error containment works with cacheable memory. A cacheable > > access to a device may stay in the cache a lot longer after the guest > > has been scheduled out, only evicted at some random time. > > But similarly, non-cacheable stores can be buffered. Why isn't that a > problem? RAS might track this for cacheable mappings as well, I just haven't figured out the details. > > We may no longer be able to associate it with the guest, especially if the > > guest exited. Also not sure about claiming back the device after killing > > the guest, do we need cache maintenance? > > Claiming back the device also seems strange if the guest has been using > non-cacheable accesses since I think you could get write merging and > reordering with subsequent device accesses trying to reset the device. True. Not sure we have a good story here (maybe reinvent the DWB barrier ;)). > > So, for now I'd only relax this if we know there's RAM(-like) on the > > other side and won't trigger some potentially uncontainable errors as a > > result. > > I guess my wider point is that I'm not convinced that non-cacheable is > actually much better and I think we're going way off the deep end looking > at what particular implementations do and trying to justify to ourselves > that non-cacheable is safe, even though it's still a normal memory type > at the end of the day. Is this about Device vs NC or Device/NC vs Normal Cacheable? The justification for the former has been summarised in Lorenzo's write-up. How the hardware behaves, it depends a lot on the RAS implementation. The BSA has some statements but not sure it covers everything. Things can go wrong but that's not because Device does anything better. Given the RAS implementation, external aborts caused on Device memory (e.g. wrong size access) is uncontainable. For Normal NC it can be contained (I can dig out the reasoning behind this if you want, IIUC something to do with not being able to cancel an already issued Device access since such accesses don't allow speculation due to side-effects; for Normal NC, it's just about the software not getting the data). > Obviously, it's up to Marc and Oliver if they want to do this, but I'm > wary without an official statement from Arm to say that Normal-NC is > correct. There's mention of such a statement in the cover letter: > > > We hope ARM will publish information helping platform designers > > follow these guidelines. > > but imo we shouldn't merge this without either: > > (a) _Architectural_ guidance (as opposed to some random whitepaper or > half-baked certification scheme). Well, you know the story, the architects will probably make it a SoC or integration issue, PCIe etc., not something that can live in the Arm ARM. The best we could get is more recommendations in the RAS spec around containment but not for things that might happen outside the CPU, e.g. PCIe root complex. > - or - > > (b) A concrete justification based on the current architecture as to > why Normal-NC is the right thing to do for KVM. To put it differently, we don't have any strong arguments why Device is the right thing to do. We chose Device based on some understanding software people had about how the hardware behaves, which apparently wasn't entirely correct (and summarised by Lorenzo). -- Catalin