From: Julien Grall
To: xen-devel@lists.xenproject.org
Cc: jgross@suse.com, Stefano Stabellini, Julien Grall, Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson, Julien Grall, Jan Beulich, Volodymyr Babchuk
Date: Thu, 31 Oct 2019 15:09:05 +0000
Message-Id: <20191031150922.22938-3-julien.grall@arm.com>
Subject: [Xen-devel] [PATCH for-4.13 v4 02/19] xen/arm: Remove serrors=forward

Per the Arm ARM (D4.5 in ARM DDI 0487E.a), SError may be precise or imprecise.

Imprecise means the state presented to the exception handler is not guaranteed to be consistent with any point in the execution stream from which the exception was taken. In other words, they are likely to be fatal as you can't return safely from them.

Without the RAS extension, the Arm architecture does not provide a way to differentiate between imprecise and precise SError. Furthermore Xen has no support for RAS yet. So from a software POV, there is not much we can do.

More generally, forwarding blindly SErrors to the guest is likely to be the wrong thing to do. Indeed, Xen is not able to know what is the content of the SError. This may be a critical device used by the hypervisor that is about to fail.

In a nutshell, the option serrors=forward is not safe to use in any environment with the current state of Xen. Therefore the option and any code related to it are completely removed.

Take the opportunity to rework the comment in do_trap_data_abort() as all SErrors/External Abort generated by the hypervisor will result in a crash of the system no matter what the user passed on the command line. Signed-off-by: Julien Grall Reviewed-by: Stefano Stabellini --- Changes in v4: - Fix grammar - Add Stefano's reviewed-by Changes in v3: - Fix typo in the commit message - Rework comments in arm32/traps.c Changes in v2: - Patch added --- docs/misc/xen-command-line.pandoc | 13 ++----------- xen/arch/arm/arm32/traps.c | 12 ++++++------ xen/arch/arm/domain.c | 11 ----------- xen/arch/arm/traps.c | 34 +++++++--------------------------- xen/include/asm-arm/cpufeature.h | 11 +++++------ 5 files changed, 20 insertions(+), 61 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 30a04df4db..b8a09ce5c4 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1850,7 +1850,7 @@ accidentally leaking secrets by releasing pages without proper sanitization. Set the serial transmit buffer size. ### serrors (ARM) -> `= diverse | forward | panic` +> `= diverse | panic` > Default: `diverse` @@ -1866,7 +1866,7 @@ on the host will not trigger such SErrors. In this case, the administrator can use this parameter to skip categorizing SErrors and reduce the overhead of dsb/isb. -We provided the following 3 options to administrators to determine how the +We provided the following 2 options to administrators to determine how the hypervisors handle SErrors: * `diverse`: 
@@ -1878,15 +1878,6 @@ hypervisors handle SErrors: 2. dsb/isb on EL2 -> EL1 return paths to prevent slipping hypervisor SErrors to guests. -* `forward`: - The hypervisor will not distinguish guest SErrors from hypervisor SErrors. - All SErrors will be forwarded to guests, except the SErrors generated when - the idle vCPU is running. The idle domain doesn't have the ability to handle - SErrors, so we have to crash the whole system when we get SErros with the - idle vCPU. This option will avoid most overhead of the dsb/isb, except the - dsb/isb in context switch which is used to isolate the SErrors between 2 - vCPUs. - * `panic`: The hypervisor will not distinguish guest SErrors from hypervisor SErrors. All SErrors will crash the whole system. This option will avoid all overhead diff --git a/xen/arch/arm/arm32/traps.c b/xen/arch/arm/arm32/traps.c index 76f714a168..9c9790a6d1 100644 --- a/xen/arch/arm/arm32/traps.c +++ b/xen/arch/arm/arm32/traps.c @@ -69,12 +69,12 @@ void do_trap_prefetch_abort(struct cpu_user_regs *regs) void do_trap_data_abort(struct cpu_user_regs *regs) { /* - * We cannot distinguish Xen SErrors from synchronous data aborts. We - * want to avoid treating any Xen synchronous aborts as SErrors and - * forwarding them to the guest. Instead, crash the system in all - * cases when the abort comes from Xen. Even if they are Xen SErrors - * it would be a reasonable thing to do, and the default behavior with - * serror_op == DIVERSE. + * We cannot distinguish between Asynchronous External Abort and + * Synchronous Data Abort. + * + * As asynchronous abort (aka SError) generated by the hypervisor will + * result in a crash of the system (see __do_trap_serror()), it is fine to + * do it here. */ if ( VABORT_GEN_BY_GUEST(regs) ) do_trap_guest_serror(regs); diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 460e968e97..53dc1d11c6 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c 
@@ -353,17 +353,6 @@ void context_switch(struct vcpu *prev, struct vcpu *next) local_irq_disable(); - /* - * If the serrors_op is "FORWARD", we have to prevent forwarding - * SError to wrong vCPU. So before context switch, we have to use - * the SYNCRONIZE_SERROR to guarantee that the pending SError would - * be caught by current vCPU. - * - * The SKIP_CTXT_SWITCH_SERROR_SYNC will be set to cpu_hwcaps when the - * serrors_op is NOT "FORWARD". - */ - SYNCHRONIZE_SERROR(SKIP_CTXT_SWITCH_SERROR_SYNC); - set_current(next); prev = __context_switch(prev, next); diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index a3deb59372..6ed9e66710 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -103,15 +103,12 @@ register_t get_default_hcr_flags(void) static enum { SERRORS_DIVERSE, - SERRORS_FORWARD, SERRORS_PANIC, } serrors_op; static int __init parse_serrors_behavior(const char *str) { - if ( !strcmp(str, "forward") ) - serrors_op = SERRORS_FORWARD; - else if ( !strcmp(str, "panic") ) + if ( !strcmp(str, "panic") ) serrors_op = SERRORS_PANIC; else serrors_op = SERRORS_DIVERSE; @@ -125,9 +122,6 @@ static int __init update_serrors_cpu_caps(void) if ( serrors_op != SERRORS_DIVERSE ) cpus_set_cap(SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT); - if ( serrors_op != SERRORS_FORWARD ) - cpus_set_cap(SKIP_CTXT_SWITCH_SERROR_SYNC); - return 0; } __initcall(update_serrors_cpu_caps); @@ -675,6 +669,9 @@ static void inject_vabt_exception(struct cpu_user_regs *regs) * 3) Hypervisor generated native SError, that would be a bug. * * A true parameter "guest" means that the SError is type#1 or type#2. + * + * Note that Arm32 asynchronous external abort generated by the + * hypervisor will be handled in do_trap_data_abort(). */ static void __do_trap_serror(struct cpu_user_regs *regs, bool guest) { 
@@ -692,28 +689,11 @@ static void __do_trap_serror(struct cpu_user_regs *regs, bool guest) goto crash_system; } - /* - * The "FORWARD" option will forward all SErrors to the guests, except - * idle domain generated SErrors. - */ - if ( serrors_op == SERRORS_FORWARD ) - { - /* - * Because the idle domain doesn't have the ability to handle the - * SErrors, we have to crash the whole system while we get a SError - * generated by idle domain. - */ - if ( is_idle_vcpu(current) ) - goto crash_system; - - return inject_vabt_exception(regs); - } - crash_system: - /* Three possibilities to crash the whole system: + /* + * Two possibilities to crash the whole system: * 1) "DIVERSE" option with Hypervisor generated SErrors. - * 2) "FORWARD" option with Idle Domain generated SErrors. - * 3) "PANIC" option with all SErrors. + * 2) "PANIC" option with all SErrors. */ do_unexpected_trap("SError", regs); } diff --git a/xen/include/asm-arm/cpufeature.h b/xen/include/asm-arm/cpufeature.h index d06f09ecfa..9af5666628 100644 --- a/xen/include/asm-arm/cpufeature.h +++ b/xen/include/asm-arm/cpufeature.h @@ -41,13 +41,12 @@ #define ARM64_WORKAROUND_834220 3 #define LIVEPATCH_FEATURE 4 #define SKIP_SYNCHRONIZE_SERROR_ENTRY_EXIT 5 -#define SKIP_CTXT_SWITCH_SERROR_SYNC 6 -#define ARM_HARDEN_BRANCH_PREDICTOR 7 -#define ARM_SSBD 8 -#define ARM_SMCCC_1_1 9 -#define ARM64_WORKAROUND_AT_SPECULATE 10 +#define ARM_HARDEN_BRANCH_PREDICTOR 6 +#define ARM_SSBD 7 +#define ARM_SMCCC_1_1 8 +#define ARM64_WORKAROUND_AT_SPECULATE 9 -#define ARM_NCAPS 11 +#define ARM_NCAPS 10 #ifndef __ASSEMBLY__
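Review bot: The docs/misc/xen-command-line.pandoc hunks drop `forward` from the `serrors` value list without saying what a host that still passes it will get. A short sentence stating that `forward` was removed, and which behaviour applies in its place, would help administrators who carry the option over from an older command line. The edited sentence would also read better as "We provide the following 2 options".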
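Review bot: In parse_serrors_behavior() (xen/arch/arm/traps.c), the remaining `else` branch selects SERRORS_DIVERSE for every string that is not "panic", so a host still booted with serrors=forward silently runs as diverse. Falling back to diverse is the safe direction, but nothing tells the administrator that the requested mode no longer exists. Consider matching "diverse" explicitly and returning -EINVAL for anything else, so a stale or mistyped value is not accepted silently.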
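Review bot: In the __do_trap_serror() hunk, once the SERRORS_FORWARD block is removed the context line `goto crash_system;` jumps to the `crash_system:` label that now directly follows its closing brace, so the goto and the label are both redundant. Consider dropping them and letting the block fall through to do_unexpected_trap("SError", regs), either here or in a follow-up patch, so the control flow matches the two cases listed in the reworked comment.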
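Review bot: The commit message does not mention that the xen/include/asm-arm/cpufeature.h hunk renumbers four unrelated capabilities (ARM_HARDEN_BRANCH_PREDICTOR through ARM64_WORKAROUND_AT_SPECULATE) and lowers ARM_NCAPS from 11 to 10. The new values are contiguous and ARM_NCAPS matches them, but a line in the commit message noting the renumbering would help anyone backporting later capability additions that touch the same defines.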