[v4,3/4] x86: limit issuing of IBPB during context switch

Message ID	29e2b527-16b8-e72d-f625-781aedf21bc4@suse.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> Message-ID: <29e2b527-16b8-e72d-f625-781aedf21bc4@suse.com> Date: Tue, 14 Feb 2023 17:11:40 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.7.2 Subject: [PATCH v4 3/4] x86: limit issuing of IBPB during context switch Content-Language: en-US From: Jan Beulich <jbeulich@suse.com> To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org> Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>, =?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com> References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com> In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit MIME-Version: 1.0
Series	x86/spec-ctrl: IBPB improvements \| expand [v4,0/4,+,v1,0/1] x86/spec-ctrl: IBPB improvements [v4,1/4] x86/spec-ctrl: add logic to issue IBPB on exit to guest [v4,2/4] x86/spec-ctrl: defer context-switch IBPB until guest entry [v4,3/4] x86: limit issuing of IBPB during context switch [v4,4/4] x86/PV: issue branch prediction barrier when switching 64-bit guest to kernel mode

Message ID

29e2b527-16b8-e72d-f625-781aedf21bc4@suse.com (mailing list archive)

State

New, archived

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Message-ID: <29e2b527-16b8-e72d-f625-781aedf21bc4@suse.com>
Date: Tue, 14 Feb 2023 17:11:40 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.7.2
Subject: [PATCH v4 3/4] x86: limit issuing of IBPB during context switch
Content-Language: en-US
From: Jan Beulich <jbeulich@suse.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wl@xen.org>,
	=?utf-8?q?Roger_Pau_Monn=C3=A9?= <roger.pau@citrix.com>
References: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
In-Reply-To: <06591b64-2f05-a4cc-a2f3-a74c3c4a76d6@suse.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?1K1BqOF30/IRv5+ByvJtubovv8O2?=
	=?utf-8?q?jUUgM8BUePstWt7yPA//ovIwZ/+Tj6VLHChmrq7E9j/n66vz4TUL0Ff5QHIJm0sIJ?=
	=?utf-8?q?x/Xh00Xj8Ze9t64CAmTb3404M6eOHqcSU/9oghE+kTpUW3kg0jHfG/Gp5+sCpirLf?=
	=?utf-8?q?1n1a3WcjnSbHP+56AdDgoEE+2abZfUmFWvFyMPPsdfCH3i+XgJzDuMiekp87Pe5fx?=
	=?utf-8?q?GlBdiQ4GYUmSAsO1tpmoMo0XHrJvHhnlZhowvScA+MiKXi259JyaDxd8BKu/ebaEZ?=
	=?utf-8?q?EF75TCUdGIR/6YFekyMNRMniCWq0JOEku5TTbzYvnmU8H1+GidpEacAwyKpvELILQ?=
	=?utf-8?q?WUH2nYCW8jN66gmSYw0s7dn9zwHl1tMSC3BcefNFqpkvqOmBY0uXEWzCXqxjA27sl?=
	=?utf-8?q?t7mOhgVKnAwISUH0U6NSMEmqUPE0Zvz5OGR4i4t4AEV8wuaUzadH5bzkZzL2HEzgh?=
	=?utf-8?q?UO39wNfyLleWIlzWMnH35gqCSxK4wfcYeT+cM38zwWRJZiockSc20A1mLOnVCVEDg?=
	=?utf-8?q?3aH964QtZUEyiPw1Gluq7Wl35IXoNUfEILACKZNj2UnAxjc1BmrOh3oHq5sjk4+tT?=
	=?utf-8?q?8/XI341WorQQFK61/DvF+EnWB950JCMTG8dnjP2gy6mAnZbBEgHENfhIDCi3DH+mG?=
	=?utf-8?q?SdsFkTBkSL8uQnkih5a63hQqyjPxBgOjJ3Kf0HI8E+yuYQWlsvED5bBdSgz6Ok/JF?=
	=?utf-8?q?mqHM8dvB8siTUAJs6CQbHVBF5IXpUDqK0h1bRbFx1psHEDevxqmQ4vf99IrRXV89O?=
	=?utf-8?q?wtS0WZvOV9Gnhdk7xsTtIOPV9FqiTnG9520EfYwn5f8dPzosMnkmlE55rVpkALpVs?=
	=?utf-8?q?sdLtGR1rhqMXRuimrG7B279Py2DY3QbOFbfzYjmMDebVs478m2gl4ndSNUMKv33hj?=
	=?utf-8?q?/lkrMitfmVwyP+z9VibH3DFfB39jCISZaFslsL4D+SLFn1F4saUE1fVAa2zNErTAU?=
	=?utf-8?q?BrKhL+4HJyUkRq+gd9Y74egawwEkTEB1L3e79RBbDacnqmZiimWdtjkHLKQF+oI3b?=
	=?utf-8?q?8YPPEYbbSWQUcNcSsGZ6wqUcUanB1yKmjY05mWfyOqIc4yRgoGqSVYnbTCjM5ObYr?=
	=?utf-8?q?RFx/JO3is8/YiDUya5FTUvhlp3OYvO6uGlWWmFv57HNsQAyG+RJ2Vbf3fzJUs532i?=
	=?utf-8?q?AJPaUsPAVrTBtwO/turmKOhqr5SeER2L5Qxv38KaNtQuWk839hj9gKtr8SyJg5W67?=
	=?utf-8?q?5LWB04p3hUmP2XANaypUhEhH42ZFY5d0JfLnd/yDlAS2mKsCEBWImU6bQUeYPGBrW?=
	=?utf-8?q?/+jY098B5YkrqpJWih6BIZ6iNfYv/+PiY57b2KsxBAXlSqMkYnUOHpx/yIseIw6F6?=
	=?utf-8?q?15yEOQ5YxbxtXijBSec7ApCSmYbBByx7JaV0hXmfLdI9YhHxFlGzIlYqGrFcUNjyT?=
	=?utf-8?q?2vKnsYTUvO3TnVc/V2tch35jaebzvdu8LAd2ln25TqwDifQ/fpsIDzBWBjP/UlLki?=
	=?utf-8?q?Ns/30DWQVKpjeZAs122O8qrRujAZxyOO2I0/Aa2jZfw0ZHGdoulp3Nr04aSiZVmOa?=
	=?utf-8?q?0FFlXn8p/7P/?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 441e74e2-b448-4ad6-f2ec-08db0ea62913
X-MS-Exchange-CrossTenant-AuthSource: VE1PR04MB6560.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 Feb 2023 16:11:42.1465
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 Alwjud9TwSgKoWatYLAs8MvH7BA1JUpP2babXVA/uSwGYMzvwgRUKF0Nr2dRxt7ZgBPlyW6vseW8J4KT1dI8Ow==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR04MB6884

Series

x86/spec-ctrl: IBPB improvements | expand

Commit Message

Jan Beulich Feb. 14, 2023, 4:11 p.m. UTC

When the outgoing vCPU had IBPB issued and RSB overwritten upon entering
Xen, then there's no need for a 2nd barrier during context switch.

Note that SCF_entry_ibpb is always clear for the idle domain, so no
explicit idle domain check is needed to augment the feature check
(which is simply inapplicable to "idle").

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v4: Tighten the condition.
v3: Fold into series.
---
I think in principle we could limit the impact from finding the idle
domain as "prevd", by having __context_switch() tell us what kind
domain's vCPU was switched out (it could still be "idle", but in fewer
cases).

Comments

Roger Pau Monné Dec. 18, 2023, 3:19 p.m. UTC | #1

On Tue, Feb 14, 2023 at 05:11:40PM +0100, Jan Beulich wrote:
> When the outgoing vCPU had IBPB issued and RSB overwritten upon entering
> Xen, then there's no need for a 2nd barrier during context switch.
> 
> Note that SCF_entry_ibpb is always clear for the idle domain, so no
> explicit idle domain check is needed to augment the feature check
> (which is simply inapplicable to "idle").
> 
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Acked-by: Roger Pau Monné <roger.pau@citrix.com>

> ---
> v4: Tighten the condition.
> v3: Fold into series.
> ---
> I think in principle we could limit the impact from finding the idle
> domain as "prevd", by having __context_switch() tell us what kind
> domain's vCPU was switched out (it could still be "idle", but in fewer
> cases).
> 
> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -2005,17 +2005,26 @@ void context_switch(struct vcpu *prev, s
>      }
>      else
>      {
> +        unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM;
> +
>          __context_switch();
>  
>          /* Re-enable interrupts before restoring state which may fault. */
>          local_irq_enable();
>  
>          if ( is_pv_domain(nextd) )
> +        {
>              load_segments(next);
>  
> +            feat_sc_rsb = X86_FEATURE_SC_RSB_PV;
> +        }
> +
>          ctxt_switch_levelling(next);
>  
> -        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
> +        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
> +             (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) ||
> +              /* is_idle_domain(prevd) || */

I would rather add a comment to note that the idle domain always has
SCF_entry_ibpb clear, rather than leaving this commented check in the
condition.

> +              !boot_cpu_has(feat_sc_rsb)) )

I do wonder if it would be more fail safe (and easier to expand going
forward) if we introduce a new cpu_info field to track the CPU state:
relevant here would be whether RSB has been overwritten and IBPB
executed.  Such state would be cleared on each return from guest path.

Thanks, Roger.

Jan Beulich Dec. 18, 2023, 4:09 p.m. UTC | #2

On 18.12.2023 16:19, Roger Pau Monné wrote:
> On Tue, Feb 14, 2023 at 05:11:40PM +0100, Jan Beulich wrote:
>> When the outgoing vCPU had IBPB issued and RSB overwritten upon entering
>> Xen, then there's no need for a 2nd barrier during context switch.
>>
>> Note that SCF_entry_ibpb is always clear for the idle domain, so no
>> explicit idle domain check is needed to augment the feature check
>> (which is simply inapplicable to "idle").
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> Acked-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks. However, aiui the plan still is for Andrew to pick up this series
and integrate it with other work he has in progress (or he is planning to
do).

>> --- a/xen/arch/x86/domain.c
>> +++ b/xen/arch/x86/domain.c
>> @@ -2005,17 +2005,26 @@ void context_switch(struct vcpu *prev, s
>>      }
>>      else
>>      {
>> +        unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM;
>> +
>>          __context_switch();
>>  
>>          /* Re-enable interrupts before restoring state which may fault. */
>>          local_irq_enable();
>>  
>>          if ( is_pv_domain(nextd) )
>> +        {
>>              load_segments(next);
>>  
>> +            feat_sc_rsb = X86_FEATURE_SC_RSB_PV;
>> +        }
>> +
>>          ctxt_switch_levelling(next);
>>  
>> -        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
>> +        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
>> +             (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) ||
>> +              /* is_idle_domain(prevd) || */
> 
> I would rather add a comment to note that the idle domain always has
> SCF_entry_ibpb clear, rather than leaving this commented check in the
> condition.

While I think I can see your point, I like it this way to match the
other !is_idle_domain() that's here.

>> +              !boot_cpu_has(feat_sc_rsb)) )
> 
> I do wonder if it would be more fail safe (and easier to expand going
> forward) if we introduce a new cpu_info field to track the CPU state:
> relevant here would be whether RSB has been overwritten and IBPB
> executed.  Such state would be cleared on each return from guest path.

To be honest - I'm not sure whether that would help or make things more
fragile. More state also means more things which can become incorrect /
inconsistent.

Jan

Jan Beulich Dec. 18, 2023, 4:11 p.m. UTC | #3

On 18.12.2023 16:19, Roger Pau Monné wrote:
> On Tue, Feb 14, 2023 at 05:11:40PM +0100, Jan Beulich wrote:
>> --- a/xen/arch/x86/domain.c
>> +++ b/xen/arch/x86/domain.c
>> @@ -2005,17 +2005,26 @@ void context_switch(struct vcpu *prev, s
>>      }
>>      else
>>      {
>> +        unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM;
>> +
>>          __context_switch();
>>  
>>          /* Re-enable interrupts before restoring state which may fault. */
>>          local_irq_enable();
>>  
>>          if ( is_pv_domain(nextd) )
>> +        {
>>              load_segments(next);
>>  
>> +            feat_sc_rsb = X86_FEATURE_SC_RSB_PV;
>> +        }
>> +
>>          ctxt_switch_levelling(next);
>>  
>> -        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
>> +        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
>> +             (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) ||
>> +              /* is_idle_domain(prevd) || */
> 
> I would rather add a comment to note that the idle domain always has
> SCF_entry_ibpb clear, rather than leaving this commented check in the
> condition.
> 
>> +              !boot_cpu_has(feat_sc_rsb)) )

Oh, for completeness: For v5 I have this

@@ -2092,17 +2092,26 @@ void context_switch(struct vcpu *prev, s
     }
     else
     {
+        unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM;
+
         __context_switch();
 
         /* Re-enable interrupts before restoring state which may fault. */
         local_irq_enable();
 
         if ( is_pv_domain(nextd) )
+        {
             load_segments(next);
 
+            feat_sc_rsb = X86_FEATURE_SC_RSB_PV;
+        }
+
         ctxt_switch_levelling(next);
 
-        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
+        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
+             (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) ||
+              /* is_idle_domain(prevd) || */
+              (!cpu_has_auto_ibrs && !boot_cpu_has(feat_sc_rsb))) )
         {
             static DEFINE_PER_CPU(unsigned int, last);
             unsigned int *last_id = &this_cpu(last);

i.e. with the cpu_has_auto_ibrs check added.

Jan

--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -2005,17 +2005,26 @@  void context_switch(struct vcpu *prev, s
     }
     else
     {
+        unsigned int feat_sc_rsb = X86_FEATURE_SC_RSB_HVM;
+
         __context_switch();
 
         /* Re-enable interrupts before restoring state which may fault. */
         local_irq_enable();
 
         if ( is_pv_domain(nextd) )
+        {
             load_segments(next);
 
+            feat_sc_rsb = X86_FEATURE_SC_RSB_PV;
+        }
+
         ctxt_switch_levelling(next);
 
-        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) )
+        if ( opt_ibpb_ctxt_switch && !is_idle_domain(nextd) &&
+             (!(prevd->arch.spec_ctrl_flags & SCF_entry_ibpb) ||
+              /* is_idle_domain(prevd) || */
+              !boot_cpu_has(feat_sc_rsb)) )
         {
             static DEFINE_PER_CPU(unsigned int, last);
             unsigned int *last_id = &this_cpu(last);

[v4,3/4] x86: limit issuing of IBPB during context switch

Commit Message

Comments

Patch