Introduce an option to allow selecting a behavior similar to the pre
Xen 4.15 one for accesses to MSRs not explicitly handled. Since commit
84e848fd7a162f669 and
322ec7c89f6640e accesses to MSRs not explicitly
handled by Xen result in the injection of a #GP to the guest. This
is a behavior change since previously a #GP was only injected if
accessing the MSR on the real hardware would also trigger a #GP, or if
the attempted to be set bits wouldn't match the hardware values (for
PV). The reasons for not leaking hardware MSR values and injecting a
#GP are fully valid, so the solution proposed here should be
considered a temporary workaround until all the required MSRs are
properly handled.
This seems to be problematic for some guests, so introduce an option
to fallback to this kind of legacy behavior without leaking the
underlying MSR values to the guest.
When the option is set, for both PV and HVM don't inject a #GP to the
guest on MSR read if reading the underlying MSR doesn't result in a
#GP, do the same for writes and simply discard the value to be written
on that case.
Note that for guests restored or migrated from previous Xen versions
the option is enabled by default, in order to keep a compatible
MSR behavior. Such compatibility is done at the libxl layer, to avoid
higher-level toolstacks from having to know the details about this flag.
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
Reviewed-by: Ian Jackson <iwj@xenproject.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Tested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Release-Acked-by: Ian Jackson <iwj@xenproject.org>
=back
+=item B<msr_relaxed=BOOLEAN>
+
+The "msr_relaxed" boolean is an interim option, and defaults to false.
+
+In Xen 4.15, the default behaviour for unhandled MSRs has been changed,
+to avoid leaking host data into guests, and to avoid breaking guest
+logic which uses #GP probing to identify the availability of MSRs.
+
+However, this new stricter behaviour has the possibility to break
+guests, and a more 4.14-like behaviour can be selected by setting this
+option.
+
+If using this option is necessary to fix an issue, please report a bug.
+
=back
=head1 SEE ALSO
### dom0
= List of [ pv | pvh, shadow=<bool>, verbose=<bool>,
- cpuid-faulting=<bool> ]
+ cpuid-faulting=<bool>, msr-relaxed=<bool> ]
Applicability: x86
restore the pre-4.13 behaviour. If specifying `no-cpuid-faulting` fixes
an issue in dom0, please report a bug.
+* The `msr-relaxed` boolean is an interim option, and defaults to false.
+
+ In Xen 4.15, the default behaviour for unhandled MSRs has been changed,
+ to avoid leaking host data into guests, and to avoid breaking guest
+ logic which uses \#GP probing to identify the availability of MSRs.
+
+ However, this new stricter behaviour has the possibility to break
+ guests, and a more 4.14-like behaviour can be selected by specifying
+ `dom0=msr-relaxed`.
+
+ If using this option is necessary to fix an issue, please report a bug.
+
### dom0-iommu
= List of [ passthrough=<bool>, strict=<bool>, map-inclusive=<bool>,
map-reserved=<bool>, none ]
*/
#define LIBXL_HAVE_VMTRACE_BUF_KB 1
+/*
+ * LIBXL_HAVE_X86_MSR_RELAXED indicates the toolstack has support for switching
+ * the MSR access handling in the hypervisor to relaxed mode. This is done by
+ * setting the libxl_domain_build_info arch_x86.msr_relaxed field.
+ */
+#define LIBXL_HAVE_X86_MSR_RELAXED 1
+
/*
* libxl ABI compatibility
*
const libxl_domain_build_info *info,
uint64_t *out);
+_hidden
+void libxl__arch_update_domain_config(libxl__gc *gc,
+ libxl_domain_config *dst,
+ const libxl_domain_config *src);
+
#if defined(__i386__) || defined(__x86_64__)
#define LAPIC_BASE_ADDRESS 0xfee00000
return rc;
}
+void libxl__arch_update_domain_config(libxl__gc *gc,
+ libxl_domain_config *dst,
+ const libxl_domain_config *src)
+{
+}
+
/*
* Local variables:
* mode: C
unset_disk_colo_restore(d_config);
}
+ /*
+ * When restoring (either from a save file or for a migration domain) set
+ * the MSR relaxed mode for compatibility with older Xen versions if the
+ * option is not set as part of the original configuration.
+ */
+ libxl_defbool_setdefault(&d_config->b_info.arch_x86.msr_relaxed, true);
+
return do_domain_create(ctx, d_config, domid, restore_fd, send_back_fd,
params, ao_how, aop_console_how);
}
#include "libxl_osdeps.h" /* must come before any other headers */
#include "libxl_internal.h"
+#include "libxl_arch.h"
void libxl__alloc_failed(libxl_ctx *ctx, const char *func,
size_t nmemb, size_t size) {
/* video ram */
dst->b_info.video_memkb = src->b_info.video_memkb;
+
+ libxl__arch_update_domain_config(gc, dst, src);
}
static void ev_slowlock_init_internal(libxl__ev_slowlock *lock,
("arch_arm", Struct(None, [("gic_version", libxl_gic_version),
("vuart", libxl_vuart_type),
])),
+ ("arch_x86", Struct(None, [("msr_relaxed", libxl_defbool),
+ ])),
# Alternate p2m is not bound to any architecture or guest type, as it is
# supported by x86 HVM and ARM support is planned.
("altp2m", libxl_altp2m_mode),
abort();
}
+ config->arch.misc_flags = 0;
+ if (libxl_defbool_val(d_config->b_info.arch_x86.msr_relaxed))
+ config->arch.misc_flags |= XEN_X86_MSR_RELAXED;
+
return 0;
}
libxl_domain_build_info *b_info)
{
libxl_defbool_setdefault(&b_info->acpi, true);
+ libxl_defbool_setdefault(&b_info->arch_x86.msr_relaxed, false);
}
int libxl__arch_passthrough_mode_setdefault(libxl__gc *gc,
return rc;
}
+void libxl__arch_update_domain_config(libxl__gc *gc,
+ libxl_domain_config *dst,
+ const libxl_domain_config *src)
+{
+ /*
+ * Force MSR relaxed to be set (either to true or false) so it's part of
+ * the domain configuration when saving or performing a live-migration.
+ *
+ * Doing so allows the recovery side to figure out whether the flag should
+ * be set to true in order to keep backwards compatibility with already
+ * started domains.
+ */
+ libxl_defbool_setdefault(&dst->b_info.arch_x86.msr_relaxed,
+ libxl_defbool_val(src->b_info.arch_x86.msr_relaxed));
+}
/*
* Local variables:
| X86_EMU_USE_PIRQ
| X86_EMU_VPCI
+type x86_arch_misc_flags =
+ | X86_MSR_RELAXED
+
type xen_x86_arch_domainconfig =
{
emulation_flags: x86_arch_emulation_flags list;
+ misc_flags: x86_arch_misc_flags list;
}
type arch_domainconfig =
| X86_EMU_USE_PIRQ
| X86_EMU_VPCI
+type x86_arch_misc_flags =
+ | X86_MSR_RELAXED
+
type xen_x86_arch_domainconfig = {
emulation_flags: x86_arch_emulation_flags list;
+ misc_flags: x86_arch_misc_flags list;
}
type arch_domainconfig =
#undef VAL_EMUL_FLAGS
+#define VAL_MISC_FLAGS Field(arch_domconfig, 1)
+
+ cfg.arch.misc_flags = ocaml_list_to_c_bitmap
+ /* ! x86_arch_misc_flags X86_ none */
+ /* ! XEN_X86_ XEN_X86_MSR_RELAXED all */
+ (VAL_MISC_FLAGS);
+
+#undef VAL_MISC_FLAGS
+
#else
caml_failwith("Unhandled: x86");
#endif
xlu_cfg_get_defbool(config, "xend_suspend_evtchn_compat",
&c_info->xend_suspend_evtchn_compat, 0);
+ if (!xlu_cfg_get_defbool(config, "msr_relaxed",
+ &b_info->arch_x86.msr_relaxed, 0))
+ fprintf(stderr,
+ "WARNING: msr_relaxed will be removed in future versions.\n"
+ "If it fixes an issue you are having please report to "
+ "xen-devel@lists.xenproject.org.\n");
+
xlu_cfg_destroy(config);
}
#endif
bool __initdata opt_dom0_pvh = !IS_ENABLED(CONFIG_PV);
bool __initdata opt_dom0_verbose = IS_ENABLED(CONFIG_VERBOSE_DEBUG);
+bool __initdata opt_dom0_msr_relaxed;
static int __init parse_dom0_param(const char *s)
{
else if ( IS_ENABLED(CONFIG_PV) &&
(val = parse_boolean("cpuid-faulting", s, ss)) >= 0 )
opt_dom0_cpuid_faulting = val;
+ else if ( (val = parse_boolean("msr-relaxed", s, ss)) >= 0 )
+ opt_dom0_msr_relaxed = val;
else
rc = -EINVAL;
}
}
+ if ( config->arch.misc_flags & ~XEN_X86_MSR_RELAXED )
+ {
+ dprintk(XENLOG_INFO, "Invalid arch misc flags %#x\n",
+ config->arch.misc_flags);
+ return -EINVAL;
+ }
+
return 0;
}
domain_cpu_policy_changed(d);
+ d->arch.msr_relaxed = config->arch.misc_flags & XEN_X86_MSR_RELAXED;
+
return 0;
fail:
const struct domain *d = v->domain;
struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb;
const struct nestedsvm *nsvm = &vcpu_nestedsvm(v);
+ uint64_t tmp;
switch ( msr )
{
break;
default:
+ if ( d->arch.msr_relaxed && !rdmsr_safe(msr, tmp) )
+ {
+ *msr_content = 0;
+ break;
+ }
+
gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", msr);
goto gpf;
}
break;
default:
+ if ( d->arch.msr_relaxed && !rdmsr_safe(msr, msr_content) )
+ break;
+
gdprintk(XENLOG_WARNING,
"WRMSR 0x%08x val 0x%016"PRIx64" unimplemented\n",
msr, msr_content);
static int vmx_msr_read_intercept(unsigned int msr, uint64_t *msr_content)
{
struct vcpu *curr = current;
+ uint64_t tmp;
HVM_DBG_LOG(DBG_LEVEL_MSR, "ecx=%#x", msr);
break;
}
+ if ( curr->domain->arch.msr_relaxed && !rdmsr_safe(msr, tmp) )
+ {
+ *msr_content = 0;
+ break;
+ }
+
gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", msr);
goto gp_fault;
}
is_last_branch_msr(msr) )
break;
+ if ( v->domain->arch.msr_relaxed && !rdmsr_safe(msr, msr_content) )
+ break;
+
gdprintk(XENLOG_WARNING,
"WRMSR 0x%08x val 0x%016"PRIx64" unimplemented\n",
msr, msr_content);
const struct domain *currd = curr->domain;
const struct cpuid_policy *cp = currd->arch.cpuid;
bool vpmu_msr = false;
+ uint64_t tmp;
int ret;
if ( (ret = guest_rdmsr(curr, reg, val)) != X86EMUL_UNHANDLEABLE )
}
/* fall through */
default:
+ if ( currd->arch.msr_relaxed && !rdmsr_safe(reg, tmp) )
+ {
+ *val = 0;
+ return X86EMUL_OKAY;
+ }
+
gdprintk(XENLOG_WARNING, "RDMSR 0x%08x unimplemented\n", reg);
break;
}
/* fall through */
default:
+ if ( currd->arch.msr_relaxed && !rdmsr_safe(reg, val) )
+ return X86EMUL_OKAY;
+
gdprintk(XENLOG_WARNING,
"WRMSR 0x%08x val 0x%016"PRIx64" unimplemented\n",
reg, val);
.max_grant_frames = -1,
.max_maptrack_frames = -1,
.max_vcpus = dom0_max_vcpus(),
+ .arch = {
+ .misc_flags = opt_dom0_msr_relaxed ? XEN_X86_MSR_RELAXED : 0,
+ },
};
struct domain *d;
char *cmdline;
/* Mem_access emulation control */
bool_t mem_access_emulate_each_rep;
+ /* Don't unconditionally inject #GP for unhandled MSRs. */
+ bool msr_relaxed;
+
/* Emulated devices enabled bitmap. */
uint32_t emulation_flags;
} __cacheline_aligned;
extern bool opt_dom0_pvh;
extern bool opt_dom0_verbose;
extern bool opt_dom0_cpuid_faulting;
+extern bool opt_dom0_msr_relaxed;
#define max_init_domid (0)
XEN_X86_EMU_PIT | XEN_X86_EMU_USE_PIRQ |\
XEN_X86_EMU_VPCI)
uint32_t emulation_flags;
+
+/*
+ * Select whether to use a relaxed behavior for accesses to MSRs not explicitly
+ * handled by Xen instead of injecting a #GP to the guest. Note this option
+ * doesn't allow the guest to read or write to the underlying MSR.
+ */
+#define XEN_X86_MSR_RELAXED (1u << 0)
+ uint32_t misc_flags;
};
/* Location of online VCPU bitmap. */
projects / people / sstabellini / xen-unstable.git / .git / commitdiff