feat: reset KVM_REG_ARM_PTIMER_CNT on VM boot #4987
Conversation
ShadowCurse
force-pushed
the
aarch64_counter_reset
branch
from
b34d97d to
b459ae3
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4987 +/- ##
==========================================
- Coverage 83.95% 83.95% -0.01%
==========================================
Files 248 248
Lines 27839 27845 +6
==========================================
+ Hits 23371 23376 +5
- Misses 4468 4469 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
ShadowCurse
force-pushed
the
aarch64_counter_reset
branch
2 times, most recently
from
1bd3f94 to
5ea2f4a
Compare
ShadowCurse
changed the title
ShadowCurse
force-pushed
the
aarch64_counter_reset
branch
4 times, most recently
from
75a7ec1 to
053f265
Compare
ShadowCurse
requested review from
xmarcalx,
kalyazin,
pb8o and
Manciukic
as code owners
ShadowCurse
added
Status: Awaiting review
src/vmm/src/arch/aarch64/vcpu.rs
Outdated
| .set_one_reg(KVM_REG_ARM_PTIMER_CNT, &zero.to_le_bytes()) | ||
| .is_err() | ||
| { | ||
| warn!("Unable to reset performance counter. VM will use host value instead."); |
There was a problem hiding this comment.
I really don't think we should have warnings that the user cannot silence. Maybe we can only print this if running on 6.4 or newer? Rest lgtm
There was a problem hiding this comment.
I don't think this is needed to be silenced. 6.4 is not super new and as time goes on, the less users will use kernel which will print the warning. If we add option to silence this, we will have to have it until we deprecate it and this is more work to do.
There was a problem hiding this comment.
I'm not inclined to print a warning either. It is not quite expected that users running Firecracker on a supported kernel get a warning they cannot fix.
There was a problem hiding this comment.
Well, this is a warning and not an error. They are not meant to be "fixed" I think.
I can add a link to the patch series that added the needed fixes to the changelog and tell users to use kernel with this patches if they want to remove the warning.
There was a problem hiding this comment.
feels like we could update https://github.com/firecracker-microvm/firecracker/blob/main/docs/prod-host-setup.md#arm-only-physical-counter-directly-passed-through-to-the-guest in order to explain that
There was a problem hiding this comment.
I am ok with warning, but if that's too unpalatable, can we keep it as info rather than dropping it?
There was a problem hiding this comment.
I was also thinking about making it info, but then only people who enable info log level will see it.
There was a problem hiding this comment.
how about we only warn if the KVM_CAP_COUNTER_OFFSET KVM capability is supported (meaning we are on a kernel where setting the registers should be possible)?
src/vmm/src/arch/aarch64/vcpu.rs
Outdated
| .set_one_reg(KVM_REG_ARM_PTIMER_CNT, &zero.to_le_bytes()) | ||
| .is_err() | ||
| { | ||
| warn!("Unable to reset performance counter. VM will use host value instead."); |
There was a problem hiding this comment.
I'm not inclined to print a warning either. It is not quite expected that users running Firecracker on a supported kernel get a warning they cannot fix.
Reset KVM_REG_ARM_PTIMER_CNT physical counter register on VM boot to avoid passing through host physical counter. Note that resetting the register on VM boot does not guarantee that VM will see the counter value 0 at startup because there is a delta in time between register reset and VM boot during which counter continues to advance. Signed-off-by: Egor Lazarchuk <[email protected]>
ShadowCurse
force-pushed
the
aarch64_counter_reset
branch
from
053f265 to
d3abf67
Compare
Add an entry about physical counter reset to the CHANGELOG. Signed-off-by: Egor Lazarchuk <[email protected]>
ShadowCurse
force-pushed
the
aarch64_counter_reset
branch
from
d3abf67 to
57b458b
Compare
| @@ -238,6 +257,15 @@ mod tests { | |||
| vcpu.vcpu_init(&kvi).unwrap(); | |||
|
|
|||
| setup_boot_regs(&vcpu, 0, 0x0, &mem).unwrap(); | |||
|
|
|||
| // Check that the register is reset on compatible kernels. | |||
There was a problem hiding this comment.
Can we also add an integration test in tests/integration_tests/security?
There was a problem hiding this comment.
Integration test will be quite difficult as we will need kernel access to read the physical counter.
Update a note about physical counter on ARM being reset instead of directly passed through. Signed-off-by: Egor Lazarchuk <[email protected]>
Reset KVM_REG_ARM_PTIMER_CNT physical counter register on VM boot to avoid passing through host physical counter. Note that resetting the register on VM boot does not guarantee that VM will see the counter value 0 at startup because there is a delta in time between register reset and VM boot during which counter continues to advance.
Reason
Prevent guest from reading host performance counter.
License Acceptance
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.PR Checklist
tools/devtool checkstyleto verify that the PR passes theautomated style checks.
how they are solving the problem in a clear and encompassing way.
in the PR.
CHANGELOG.md.Runbook for Firecracker API changes.
integration tests.
TODO.rust-vmm.