From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 1/3] x86/cpuid: Rework HLE and RTM handling
Date: Thu, 27 May 2021 14:25:17 +0100
Message-ID: <20210527132519.21730-2-andrew.cooper3@citrix.com>
In-Reply-To: <20210527132519.21730-1-andrew.cooper3@citrix.com>
References: <20210527132519.21730-1-andrew.cooper3@citrix.com>

The TAA mitigation offered the option to hide the HLE and RTM CPUID bits, which has caused some migration compatibility problems.

These two bits are special. Annotate them with ! to emphasise this point.

Hardware Lock Elision (HLE) may or may not be visible in CPUID, but is disabled in microcode on all CPUs, and has been removed from the architecture. Do not advertise it to VMs by default.

Restricted Transactional Memory (RTM) may or may not be visible in CPUID, and may or may not be configured in force-abort mode. Have tsx_init() note whether RTM has been configured into force-abort mode, so guest_common_feature_adjustments() can conditionally hide it from VMs by default.

The host policy values for HLE/RTM may or may not be set, depending on any previous running kernel's choice of visibility, and Xen's choice. TSX is available on any CPU which enumerates a TSX-hiding mechanism, so instead of doing a two-step to clobber any hiding, scan CPUID, then set the visibility, just force visibility of the bits in the first place.

With the HLE/RTM bits now unilaterally visible in the host policy, xc_cpuid_apply_policy() can construct a more appropriate policy out of thin air for pre-4.13 VMs with no CPUID data in their migration stream, and specifically one where HLE/RTM doesn't potentially disappear behind the back of a running VM.
Fixes: 8c4330818f6 ("x86/spec-ctrl: Mitigate the TSX Asynchronous Abort sidechannel")
Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
Reviewed-by: Roger Pau Monné
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
tools/libs/guest/xg_cpuid_x86.c | 2 ++ xen/arch/x86/cpuid.c | 24 ++++++++++------------ xen/arch/x86/spec_ctrl.c | 3 --- xen/arch/x86/tsx.c | 31 +++++++++++++++++++++++++= ++-- xen/include/asm-x86/processor.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 6 files changed, 44 insertions(+), 21 deletions(-) diff --git a/tools/libs/guest/xg_cpuid_x86.c b/tools/libs/guest/xg_cpuid_x8= 6.c index 1ebc108213..ec5a47fde4 100644 --- a/tools/libs/guest/xg_cpuid_x86.c +++ b/tools/libs/guest/xg_cpuid_x86.c @@ -511,6 +511,8 @@ int xc_cpuid_apply_policy(xc_interface *xch, uint32_t d= omid, bool restore, * so migrated-in VM's don't risk seeing features disappearing. */ p->basic.rdrand =3D test_bit(X86_FEATURE_RDRAND, host_featureset); + p->feat.hle =3D test_bit(X86_FEATURE_HLE, host_featureset); + p->feat.rtm =3D test_bit(X86_FEATURE_RTM, host_featureset); =20 if ( di.hvm ) { diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c index 752bf244ea..55a7b16342 100644 --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c @@ -375,6 +375,16 @@ static void __init guest_common_default_feature_adjust= ments(uint32_t *fs) boot_cpu_data.x86 =3D=3D 6 && boot_cpu_data.x86_model =3D=3D 0x3a= && cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + + /* + * On certain hardware, speculative or errata workarounds can result in + * TSX being placed in "force-abort" mode, where it doesn't actually + * function as expected, but is technically compatible with the ISA. + * + * Do not advertise RTM to guests by default if it won't actually work. + */ + if ( rtm_disabled ) + __clear_bit(X86_FEATURE_RTM, fs); } =20 static void __init guest_common_feature_adjustments(uint32_t *fs)
@@ -652,20 +662,6 @@ void recalculate_cpuid_policy(struct domain *d) __clear_bit(X86_FEATURE_SYSCALL, max_fs); } =20 - /* - * On hardware with MSR_TSX_CTRL, the admin may have elected to disable - * TSX and hide the feature bits. Migrating-in VMs may have been boot= ed - * pre-mitigation when the TSX features were visbile. - * - * This situation is compatible (albeit with a perf hit to any TSX cod= e in - * the guest), so allow the feature bits to remain set. - */ - if ( cpu_has_tsx_ctrl ) - { - __set_bit(X86_FEATURE_HLE, max_fs); - __set_bit(X86_FEATURE_RTM, max_fs); - } - /* Clamp the toolstacks choices to reality. */ for ( i =3D 0; i < ARRAY_SIZE(fs); i++ ) fs[i] &=3D max_fs[i]; diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index cd05f42394..f2782b2d55 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1158,9 +1158,6 @@ void __init init_speculation_mitigations(void) ((hw_smt_enabled && opt_smt) || !boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) ) { - setup_clear_cpu_cap(X86_FEATURE_HLE); - setup_clear_cpu_cap(X86_FEATURE_RTM); - opt_tsx =3D 0; tsx_init(); } diff --git a/xen/arch/x86/tsx.c b/xen/arch/x86/tsx.c index 39e483640a..e09e819dce 100644 --- a/xen/arch/x86/tsx.c +++ b/xen/arch/x86/tsx.c @@ -15,6 +15,7 @@ */ int8_t __read_mostly opt_tsx =3D -1; int8_t __read_mostly cpu_has_tsx_ctrl =3D -1; +bool __read_mostly rtm_disabled; =20 static int __init parse_tsx(const char *s) { 
@@ -45,6 +46,30 @@ void tsx_init(void) rdmsrl(MSR_ARCH_CAPABILITIES, caps); =20 cpu_has_tsx_ctrl =3D !!(caps & ARCH_CAPS_TSX_CTRL); + + /* + * The TSX features (HLE/RTM) are handled specially. They both + * enumerate features but, on certain parts, have mechanisms to be + * hidden without disrupting running software. + * + * At the moment, we're running in an unknown context (WRT hiding - + * particularly if another fully fledged kernel ran before us) and + * depending on user settings, may elect to continue hiding them f= rom + * native CPUID instructions. + * + * Xen doesn't use TSX itself, but use cpu_has_{hle,rtm} for vario= us + * system reasons, mostly errata detection, so the meaning is more + * useful as "TSX infrastructure available", as opposed to "featur= es + * advertised and working". + * + * Force the features to be visible in Xen's view if we see any of= the + * infrastructure capable of hiding them. + */ + if ( cpu_has_tsx_ctrl ) + { + setup_force_cpu_cap(X86_FEATURE_HLE); + setup_force_cpu_cap(X86_FEATURE_RTM); + } } =20 if ( cpu_has_tsx_ctrl ) @@ -53,9 +78,11 @@ void tsx_init(void) =20 rdmsrl(MSR_TSX_CTRL, val); =20 + /* Check bottom bit only. Higher bits are various sentinels. */ + rtm_disabled =3D !(opt_tsx & 1); + val &=3D ~(TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR); - /* Check bottom bit only. Higher bits are various sentinals. */ - if ( !(opt_tsx & 1) ) + if ( rtm_disabled ) val |=3D TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR; =20 wrmsrl(MSR_TSX_CTRL, val); diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processo= r.h index 83143d4df8..bc4dc69253 100644 --- a/xen/include/asm-x86/processor.h +++ b/xen/include/asm-x86/processor.h @@ -627,6 +627,7 @@ static inline uint8_t get_cpu_family(uint32_t raw, uint= 8_t *model, } =20 extern int8_t opt_tsx, cpu_has_tsx_ctrl; +extern bool rtm_disabled; void tsx_init(void); =20 enum ap_boot_method { 
diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/publ= ic/arch-x86/cpufeatureset.h index c42f56bdd4..b65af42436 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h 
@@ -197,14 +197,14 @@ XEN_CPUFEATURE(FSGSBASE, 5*32+ 0) /*A {RD,WR}{F= S,GS}BASE instructions */ XEN_CPUFEATURE(TSC_ADJUST, 5*32+ 1) /*S TSC_ADJUST MSR available */ XEN_CPUFEATURE(SGX, 5*32+ 2) /* Software Guard extensions */ XEN_CPUFEATURE(BMI1, 5*32+ 3) /*A 1st bit manipulation extension= s */ -XEN_CPUFEATURE(HLE, 5*32+ 4) /*A Hardware Lock Elision */ +XEN_CPUFEATURE(HLE, 5*32+ 4) /*!a Hardware Lock Elision */ XEN_CPUFEATURE(AVX2, 5*32+ 5) /*A AVX2 instructions */ XEN_CPUFEATURE(FDP_EXCP_ONLY, 5*32+ 6) /*! x87 FDP only updated on except= ion. */ XEN_CPUFEATURE(SMEP, 5*32+ 7) /*S Supervisor Mode Execution Prot= ection */ XEN_CPUFEATURE(BMI2, 5*32+ 8) /*A 2nd bit manipulation extension= s */ XEN_CPUFEATURE(ERMS, 5*32+ 9) /*A Enhanced REP MOVSB/STOSB */ XEN_CPUFEATURE(INVPCID, 5*32+10) /*H Invalidate Process Context ID = */ -XEN_CPUFEATURE(RTM, 5*32+11) /*A Restricted Transactional Memor= y */ +XEN_CPUFEATURE(RTM, 5*32+11) /*!A Restricted Transactional Memor= y */ XEN_CPUFEATURE(PQM, 5*32+12) /* Platform QoS Monitoring */ XEN_CPUFEATURE(NO_FPU_SEL, 5*32+13) /*! 
FPU CS/DS stored as zero */ XEN_CPUFEATURE(MPX, 5*32+14) /*s Memory Protection Extensions */ --=20 2.11.0
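Review bot: In the first xen/arch/x86/cpuid.c hunk (@@ -375,6 +375,16 @@), the new `if ( rtm_disabled ) __clear_bit(X86_FEATURE_RTM, fs);` is added to guest_common_default_feature_adjustments(), but the commit message says guest_common_feature_adjustments() is the function that hides RTM. The hunk matches the stated intent of hiding RTM "by default" only, so the commit message should name the _default_ variant; as written it reads as if the bit were cleared in the common adjustments that follow in the file.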
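Review bot: In the xen/arch/x86/tsx.c hunk at @@ -53,9 +78,11 @@, rtm_disabled is only assigned inside the `if ( cpu_has_tsx_ctrl )` block, so on parts without MSR_TSX_CTRL it keeps its initial value regardless of how the hardware is configured. The comment added in cpuid.c speaks of "speculative or errata workarounds" placing TSX in force-abort mode, yet nothing in this patch sets the flag for an errata workaround. Either narrow that comment to the MSR_TSX_CTRL case, or say in the commit message that the remaining case is wired up later in the series.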
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 2/3] x86/tsx: Minor cleanup and improvements
Date: Thu, 27 May 2021 14:25:18 +0100
Message-ID: <20210527132519.21730-3-andrew.cooper3@citrix.com>
In-Reply-To: <20210527132519.21730-1-andrew.cooper3@citrix.com>
References: <20210527132519.21730-1-andrew.cooper3@citrix.com>

 * Introduce cpu_has_arch_caps and replace boot_cpu_has(X86_FEATURE_ARCH_CAPS)
 * Read CPUID data into the appropriate boot_cpu_data.x86_capability[] element, as subsequent changes are going to need more cpu_has_* logic.
 * Use the hi/lo MSR helpers, which substantially improves code generation.

No practical change.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
Reviewed-by: Roger Pau Monné
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
xen/arch/x86/cpuid.c | 2 +- xen/arch/x86/hvm/vmx/vmx.c | 2 +- xen/arch/x86/msr.c | 2 +- xen/arch/x86/spec_ctrl.c | 2 +- xen/arch/x86/tsx.c | 21 ++++++++++++--------- xen/include/asm-x86/cpufeature.h | 1 + 6 files changed, 17 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/cpuid.c b/xen/arch/x86/cpuid.c index 55a7b16342..f3c8950aa3 100644 --- a/xen/arch/x86/cpuid.c +++ b/xen/arch/x86/cpuid.c
@@ -747,7 +747,7 @@ int init_domain_cpuid_policy(struct domain *d) * so dom0 can turn off workarounds as appropriate. Temporary, until = the * domain policy logic gains a better understanding of MSRs. */ - if ( is_hardware_domain(d) && boot_cpu_has(X86_FEATURE_ARCH_CAPS) ) + if ( is_hardware_domain(d) && cpu_has_arch_caps ) p->feat.arch_caps =3D true; =20 d->arch.cpuid =3D p; diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c index 1450fd1991..7e3e67fdc3 100644 --- a/xen/arch/x86/hvm/vmx/vmx.c +++ b/xen/arch/x86/hvm/vmx/vmx.c @@ -2566,7 +2566,7 @@ static bool __init has_if_pschange_mc(void) if ( cpu_has_hypervisor ) return false; =20 - if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) ) + if ( cpu_has_arch_caps ) rdmsrl(MSR_ARCH_CAPABILITIES, caps); =20 if ( caps & ARCH_CAPS_IF_PSCHANGE_MC_NO ) diff --git a/xen/arch/x86/msr.c b/xen/arch/x86/msr.c index c3a988bd11..374f92b2c5 100644 --- a/xen/arch/x86/msr.c +++ b/xen/arch/x86/msr.c @@ -136,7 +136,7 @@ int init_domain_msr_policy(struct domain *d) * so dom0 can turn off workarounds as appropriate. Temporary, until = the * domain policy logic gains a better understanding of MSRs. */ - if ( is_hardware_domain(d) && boot_cpu_has(X86_FEATURE_ARCH_CAPS) ) + if ( is_hardware_domain(d) && cpu_has_arch_caps ) { uint64_t val; =20 diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index f2782b2d55..739b7913ff 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -885,7 +885,7 @@ void __init init_speculation_mitigations(void) bool cpu_has_bug_taa; uint64_t caps =3D 0; =20 - if ( boot_cpu_has(X86_FEATURE_ARCH_CAPS) ) + if ( cpu_has_arch_caps ) rdmsrl(MSR_ARCH_CAPABILITIES, caps); =20 hw_smt_enabled =3D check_smt_enabled(); diff --git a/xen/arch/x86/tsx.c b/xen/arch/x86/tsx.c index e09e819dce..98ecb71a4a 100644 --- a/xen/arch/x86/tsx.c +++ b/xen/arch/x86/tsx.c 
@@ -34,15 +34,18 @@ void tsx_init(void) { /* * This function is first called between microcode being loaded, and C= PUID - * being scanned generally. Calculate from raw data whether MSR_TSX_C= TRL - * is available. + * being scanned generally. Read into boot_cpu_data.x86_capability[] = for + * the cpu_has_* bits we care about using here. */ if ( unlikely(cpu_has_tsx_ctrl < 0) ) { uint64_t caps =3D 0; =20 - if ( boot_cpu_data.cpuid_level >=3D 7 && - (cpuid_count_edx(7, 0) & cpufeat_mask(X86_FEATURE_ARCH_CAPS))= ) + if ( boot_cpu_data.cpuid_level >=3D 7 ) + boot_cpu_data.x86_capability[cpufeat_word(X86_FEATURE_ARCH_CAP= S)] + =3D cpuid_count_edx(7, 0); + + if ( cpu_has_arch_caps ) rdmsrl(MSR_ARCH_CAPABILITIES, caps); =20 cpu_has_tsx_ctrl =3D !!(caps & ARCH_CAPS_TSX_CTRL); @@ -74,18 +77,18 @@ void tsx_init(void) =20 if ( cpu_has_tsx_ctrl ) { - uint64_t val; + uint32_t hi, lo; =20 - rdmsrl(MSR_TSX_CTRL, val); + rdmsr(MSR_TSX_CTRL, lo, hi); =20 /* Check bottom bit only. Higher bits are various sentinels. */ rtm_disabled =3D !(opt_tsx & 1); =20 - val &=3D ~(TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR); + lo &=3D ~(TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR); if ( rtm_disabled ) - val |=3D TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR; + lo |=3D TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR; =20 - wrmsrl(MSR_TSX_CTRL, val); + wrmsr(MSR_TSX_CTRL, lo, hi); } else if ( opt_tsx >=3D 0 ) printk_once(XENLOG_WARNING diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeat= ure.h index 33b2257888..9f5ae3aa0d 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h 
@@ -133,6 +133,7 @@ #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INT= ERSECT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) =20 /* CPUID level 0x00000007:1.eax */ #define cpu_has_avx_vnni boot_cpu_has(X86_FEATURE_AVX_VNNI) --=20 2.11.0
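Review bot: In the first xen/arch/x86/tsx.c hunk (@@ -34,15 +34,18 @@), the whole leaf 7 EDX value is now stored into boot_cpu_data.x86_capability[], where the old code only tested the ARCH_CAPS bit in a temporary. The function comment says this runs before CPUID is scanned generally, so every cpu_has_* test on that word sees raw hardware bits from this point on. "No practical change" needs a sentence on why the early write is harmless, and the new comment should say that the entire word is populated rather than "the cpu_has_* bits we care about".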
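Review bot: In the second xen/arch/x86/tsx.c hunk (@@ -74,18 +77,18 @@), the move to rdmsr()/wrmsr() applies `TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR` to `lo` only, which quietly depends on both constants living in the low 32 bits of the MSR. The 64-bit `val` version had no such assumption. A one-line comment next to the masking, or a build-time check on the constants, would stop a later control bit above bit 31 from being dropped without notice.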
From: Andrew Cooper
To: Xen-devel
CC: Andrew Cooper, Jan Beulich, Roger Pau Monné, Wei Liu
Subject: [PATCH 3/3] x86/tsx: Deprecate vpmu=rtm-abort and use tsx= instead
Date: Thu, 27 May 2021 14:25:19 +0100
Message-ID: <20210527132519.21730-4-andrew.cooper3@citrix.com>
In-Reply-To: <20210527132519.21730-1-andrew.cooper3@citrix.com>
References: <20210527132519.21730-1-andrew.cooper3@citrix.com>

This reuses the rtm_disable infrastructure, so CPUID derivation works properly when TSX is disabled in favour of working PCR3.

vpmu= is not a supported feature, and having this functionality under tsx= centralises all TSX handling.
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Wei Liu
---
docs/misc/xen-command-line.pandoc | 40 +++++++++++++++--------------- xen/arch/x86/cpu/intel.c | 3 --- xen/arch/x86/cpu/vpmu.c | 4 +-- xen/arch/x86/tsx.c | 51 +++++++++++++++++++++++++++++++++++= ++-- xen/include/asm-x86/vpmu.h | 1 - 5 files changed, 70 insertions(+), 29 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line= .pandoc index c32a397a12..a6facc33ea 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc
@@ -2296,14 +2296,21 @@ pages) must also be specified via the tbuf_size par= ameter. =20 Controls for the use of Transactional Synchronization eXtensions. =20 -On Intel parts released in Q3 2019 (with updated microcode), and future pa= rts, -a control has been introduced which allows TSX to be turned off. +Several microcode updates are relevant: =20 -On systems with the ability to turn TSX off, this boolean offers system wi= de -control of whether TSX is enabled or disabled. + * March 2019, fixing the TSX memory ordering errata on all TSX-enabled CP= Us + to date. Introduced MSR_TSX_FORCE_ABORT on SKL/SKX/KBL/WHL/CFL parts. = The + errata workaround uses Performance Counter 3, so the user can select + between working TSX and working perfcounters. =20 -On parts vulnerable to CVE-2019-11135 / TSX Asynchronous Abort, the follow= ing -logic applies: + * November 2019, fixing the TSX Async Abort speculative vulnerability. + Introduced MSR_TSX_CTRL on all TSX-enabled MDS_NO parts to date, + CLX/WHL-R/CFL-R, with the controls becoming architectural moving forward + and formally retiring HLE from the architecture. The user can disable = TSX + to mitigate TAA, and elect to hide the HLE/RTM CPUID bits. + +On systems with the ability to disable TSX off, this boolean offers system +wide control of whether TSX is enabled or disabled. =20 * An explicit `tsx=3D` choice is honoured, even if it is `true` and would result in a vulnerable system. 
@@ -2311,10 +2318,14 @@ logic applies: * When no explicit `tsx=3D` choice is given, parts vulnerable to TAA will= be mitigated by disabling TSX, as this is the lowest overhead option. =20 - * If the use of TSX is important, the more expensive TAA mitigations can = be + If the use of TSX is important, the more expensive TAA mitigations can = be opted in to with `smt=3D0 spec-ctrl=3Dmd-clear`, at which point TSX wil= l remain active by default. =20 + * When no explicit `tsx=3D` option is given, parts susceptible to the mem= ory + ordering errata default to `true` to enable working TSX. Alternatively, + selecting `tsx=3D0` will disable TSX and restore PCR3 to a working stat= e. + ### ucode > `=3D List of [ | scan=3D, nmi=3D, allow-same=3D ]` =20 @@ -2456,20 +2467,7 @@ provide access to a wealth of low level processor in= formation. =20 * The `arch` option allows access to the pre-defined architectural event= s. =20 -* The `rtm-abort` boolean controls a trade-off between working Restricted - Transactional Memory, and working performance counters. - - All processors released to date (Q1 2019) supporting Transactional Mem= ory - Extensions suffer an erratum which has been addressed in microcode. - - Processors based on the Skylake microarchitecture with up-to-date - microcode internally use performance counter 3 to work around the erra= tum. - A consequence is that the counter gets reprogrammed whenever an `XBEGI= N` - instruction is executed. - - An alternative mode exists where PCR3 behaves as before, at the cost of - `XBEGIN` unconditionally aborting. Enabling `rtm-abort` mode will - activate this alternative mode. +* The `rtm-abort` boolean has been superseded. Use `tsx=3D0` instead. =20 *Warning:* As the virtualisation is not 100% safe, don't use the vpmu flag on diff --git a/xen/arch/x86/cpu/intel.c b/xen/arch/x86/cpu/intel.c index 37439071d9..abf8e206d7 100644 --- a/xen/arch/x86/cpu/intel.c +++ b/xen/arch/x86/cpu/intel.c 
@@ -356,9 +356,6 @@ static void Intel_errata_workarounds(struct cpuinfo_x86= *c) (c->x86_model =3D=3D 29 || c->x86_model =3D=3D 46 || c->x86_model =3D= =3D 47)) __set_bit(X86_FEATURE_CLFLUSH_MONITOR, c->x86_capability); =20 - if (cpu_has_tsx_force_abort && opt_rtm_abort) - wrmsrl(MSR_TSX_FORCE_ABORT, TSX_FORCE_ABORT_RTM); - probe_c3_errata(c); } =20 diff --git a/xen/arch/x86/cpu/vpmu.c b/xen/arch/x86/cpu/vpmu.c index d8659c63f8..16e91a3694 100644 --- a/xen/arch/x86/cpu/vpmu.c +++ b/xen/arch/x86/cpu/vpmu.c @@ -49,7 +49,6 @@ CHECK_pmu_params; static unsigned int __read_mostly opt_vpmu_enabled; unsigned int __read_mostly vpmu_mode =3D XENPMU_MODE_OFF; unsigned int __read_mostly vpmu_features =3D 0; -bool __read_mostly opt_rtm_abort; =20 static DEFINE_SPINLOCK(vpmu_lock); static unsigned vpmu_count; @@ -79,7 +78,8 @@ static int __init parse_vpmu_params(const char *s) else if ( !cmdline_strcmp(s, "arch") ) vpmu_features |=3D XENPMU_FEATURE_ARCH_ONLY; else if ( (val =3D parse_boolean("rtm-abort", s, ss)) >=3D 0 ) - opt_rtm_abort =3D val; + printk(XENLOG_WARNING + "'rtm-abort=3D' superseded. Use 'tsx=3D' i= nstead\n"); else rc =3D -EINVAL; =20 diff --git a/xen/arch/x86/tsx.c b/xen/arch/x86/tsx.c index 98ecb71a4a..338191df7f 100644 --- a/xen/arch/x86/tsx.c +++ b/xen/arch/x86/tsx.c @@ -6,7 +6,9 @@ * Valid values: * 1 =3D> Explicit tsx=3D1 * 0 =3D> Explicit tsx=3D0 - * -1 =3D> Default, implicit tsx=3D1, may change to 0 to mitigate TAA + * -1 =3D> Default, altered to 0/1 (if unspecified) by: + * - TAA heuristics/settings for speculative safety + * - "TSX vs PCR3" select for TSX memory ordering safety * -3 =3D> Implicit tsx=3D1 (feed-through from spec-ctrl=3D0) * * This is arranged such that the bottom bit encodes whether TSX is actual= ly 
@@ -50,6 +52,26 @@ void tsx_init(void) =20 cpu_has_tsx_ctrl =3D !!(caps & ARCH_CAPS_TSX_CTRL); =20 + if ( cpu_has_tsx_force_abort ) + { + /* + * On an early TSX-enable Skylake part subject to the memory + * ordering erratum, with at least the March 2019 microcode. + */ + + /* + * If no explicit tsx=3D option is provided, pick a default. + * + * This deliberately overrides the implicit opt_tsx=3D-3 from + * `spec-ctrl=3D0` because: + * - parse_spec_ctrl() ran before any CPU details where know. + * - We now know we're running on a CPU not affected by TAA (as + * TSX_FORCE_ABORT is enumerated). + */ + if ( opt_tsx < 0 ) + opt_tsx =3D 1; + } + /* * The TSX features (HLE/RTM) are handled specially. They both * enumerate features but, on certain parts, have mechanisms to be @@ -75,6 +97,12 @@ void tsx_init(void) } } =20 + /* + * Note: MSR_TSX_CTRL is enumerated on TSX-enabled MDS_NO and later pa= rts. + * MSR_TSX_FORCE_ABORT is enumerated on TSX-enabled pre-MDS_NO Skylake + * parts only. The two features are on a disjoint set of CPUs, and not + * offered to guests by hypervisors. + */ if ( cpu_has_tsx_ctrl ) { uint32_t hi, lo; @@ -90,9 +118,28 @@ void tsx_init(void) =20 wrmsr(MSR_TSX_CTRL, lo, hi); } + else if ( cpu_has_tsx_force_abort ) + { + /* + * On an early TSX-enable Skylake part subject to the memory order= ing + * erratum, with at least the March 2019 microcode. + */ + uint32_t hi, lo; + + rdmsr(MSR_TSX_FORCE_ABORT, lo, hi); + + /* Check bottom bit only. Higher bits are various sentinels. */ + rtm_disabled =3D !(opt_tsx & 1); + + lo &=3D ~TSX_FORCE_ABORT_RTM; + if ( rtm_disabled ) + lo |=3D TSX_FORCE_ABORT_RTM; + + wrmsr(MSR_TSX_FORCE_ABORT, lo, hi); + } else if ( opt_tsx >=3D 0 ) printk_once(XENLOG_WARNING - "MSR_TSX_CTRL not available - Ignoring tsx=3D setting\= n"); + "TSX controls not available - Ignoring tsx=3D setting\= n"); } =20 /* diff --git a/xen/include/asm-x86/vpmu.h b/xen/include/asm-x86/vpmu.h index 55f85ba00f..4b0a6ba3da 100644 
--- a/xen/include/asm-x86/vpmu.h +++ b/xen/include/asm-x86/vpmu.h @@ -126,7 +126,6 @@ static inline int vpmu_do_rdmsr(unsigned int msr, uint6= 4_t *msr_content) =20 extern unsigned int vpmu_mode; extern unsigned int vpmu_features; -extern bool opt_rtm_abort; =20 /* Context switch */ static inline void vpmu_switch_from(struct vcpu *prev) --=20 2.11.0
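Review bot: In the xen/arch/x86/cpu/vpmu.c hunk (@@ -79,7 +78,8 @@), `vpmu=rtm-abort` is still parsed but its value is thrown away after a warning; `val` is only used for the `>= 0` test. Combined with the new tsx_init() default of `opt_tsx = 1` on cpu_has_tsx_force_abort parts, a host that previously booted with rtm-abort enabled (working PCR3, XBEGIN aborting) comes up with the opposite configuration after this change, and the only signal is one log line. Consider feeding the parsed value into opt_tsx when no explicit tsx= was given, or state the behaviour change in the commit message and in the documentation hunk.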
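Review bot: In the docs/misc/xen-command-line.pandoc hunk at @@ -2296,14 +2296,21 @@, the rewritten sentence reads "On systems with the ability to disable TSX off", which mixes the old and new wording; use either "to disable TSX" or the removed "to turn TSX off". The same hunk could also say that the `tsx=` boolean now applies to MSR_TSX_FORCE_ABORT parts as well as MSR_TSX_CTRL parts, since the two bullets above only describe what each microcode update introduced.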
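Review bot: In the xen/arch/x86/tsx.c hunk at @@ -50,6 +52,26 @@, the `if ( cpu_has_tsx_force_abort )` test sits in the early first-call block, so it depends on the capability word having been filled in by the lines just above it rather than by the general CPUID scan; the new comment should say so, because the dependency is invisible at this point in the code. The added comments also need a spelling pass: "TSX-enable Skylake part" (repeated in the @@ -90,9 +118,28 @@ hunk) should be "TSX-enabled", and "before any CPU details where know" should be "were known". The identical four-line "early TSX-enable Skylake part" comment appears twice in the function; keeping one copy and referring to it from the other place would be enough.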