On Tue, Oct 12, 2021 at 01:42:22PM -0700, Stefano Stabellini wrote:
> On Tue, 12 Oct 2021, Ian Jackson wrote:
> > Bertrand Marquis writes ("Re: [PATCH v5 01/11] xen/arm: 
> > xc_domain_ioport_permission(..) not supported on ARM."):
> > > I can add something in the commit message about the fact that we improve
> > > performance and prevent making a call that is not and will not be
> > > supported in Xen.
> > 
> > Thanks but I'm afraid I don't think that is a correct summary of the
> > thread.  Nor would it be an adequate justification for the change.  At
> > least, not unless you plan to write something considerably longer (and
> > more precise).
> > 
> > Firstly, I'm not convinced this change would be justified by the
> > performance impact.  This is a small number of hypercalls during
> > domain startup.  Usually none, I think ?  If someone wants to optimise
> > domain startup speed then I am very open to that but I think this
> > change will make negligible change in practice.  Unless someone wants
> > to tell me I'm wrong about that ?  And if I am wrong about that then
> > an explanation of why my suppositions are wrong ought to go in the
> > commit message.
> > 
> > Secondly, there is no justification there for the change in error
> > status.
> > 
> > Why is this change needed ?  (What goes wrong if it is omitted ?)
> > That is what the commit message ought to answer.
> > 
> > Plus, given that it stubs out a function to make it into a no-op, that
> > itself requires an explanation.  Why is it OK for this function which
> > is supposed to do a thing, to in fact not do anything at all and
> > return successfully saying "yes I did that" ?
> > 
> > I think (having read the thread) that I know the answers to these
> > questions but it needs to be clearly and explicitly written down.
> > 
> > > I saw your change in CODING_STYLE and I understand the request.
> > > I will try to see if we can handle this change before the feature freeze.
> > 
> > Thanks.  I doubt that this will be hard.  I am more worried about the
> > commit message.
> > 
> > Indeed, since we haven't had the rationale for this change explicitly
> > written down, there is a risk that when we do so, we will discover
> > some problem with the approach that we had previously overlooked.
> > 
> > Discovering that kind of thing is one reason to explicitly write down
> > why we are doing what we are doing, but this situation does mean we
> > shouldn't feel we've yet achieved confidence that this patch is right.
> 
> 
> I don't think it is about performance. From a performance point of view,
> we could make as many (unneeded) hypercalls as required. It is mostly
> about minimizing unwanted changes to common libxl code. Let me explain.
> 
> 
> IO ports on ARM don't exist so all IO ports related hypercalls are going
> to fail. This is expected. Today, a failure of
> xc_domain_ioport_permission would turn into a critical failure at domain
> creation. We need to avoid this outcome; instead we want to continue
> with domain creation as normal even if xc_domain_ioport_permission
> fails. (FYI the underlying hypercall XEN_DOMCTL_ioport_permission is not
> implemented on ARM so it would return -ENOSYS.)
> 
> 
> We have a few options to achieve this goal:
> 
> 
> 1) No xc_domain_ioport_permission calls on ARM
> 
>    Use #ifdefs or similar checks in libxl_pci.c to avoid calling
>    xc_domain_ioport_permission on ARM. This could be best but it would
>    cause some churn in arch-neutral libxl code.
> 
> 
> 2) Handle xc_domain_ioport_permission errors in libxl
> 
>    Introduce checks on the return value of xc_domain_ioport_permission
>    and ignore specific errors on ARM in libxl_pci.c.
>    For instance: if (ARM && rc == -ENOSYS) continue.
> 
>    This might cause less churn than 1) but still requires a few changes
>    in arch-neutral libxl code.
> 
> 
> 3) Force XEN_DOMCTL_ioport_permission to return zero on ARM
> 
>    Force the hypercall to return success even if it did nothing.
>    Currently it returns -ENOSYS.
> 
>    This is possible but it wasn't chosen for the implementation as we
>    felt that the hypercall should reflect what was actually done
>    (nothing) and it should be userspace to handle the error. I guess
>    this could be argued either way.
> 
> 
> 4) Force xc_domain_ioport_permission to return zero on ARM
> 
>    Force xc_domain_ioport_permission to return success even if the
>    hypercall would return -ENOSYS. This way there are no changes to
>    libxl.
>    
>    This is what the patch currently implements by using #ifdef in
>    xc_domain_ioport_permission. It could also have achieved the same
>    goal by making the implementation of xc_domain_ioport_permission
>    arch-specific, and in the ARM implementation returning 0.
> 
> 
> All options above achieve the goal of a successful domain creation with
> PCI device assigned on ARM. You might be able to think of other options
> as well. I think no one here is really set on using one option over the
> other -- as long as xc_domain_ioport_permission failures don't turn into
> domain creation failures on ARM we are good.
> 

I think having a libxl_arch_io_ports_supported helper could be the
cleaner way to do this. For x86 it will unconditionally return true,
while for Arm you could consider poking at
XEN_DOMCTL_ioport_permission and see if it returns ENOSYS or
otherwise.

I guess it's possible that in the future we allow IO ports access on
Arm guests using some kind of emulated mechanism if the need arises,
at which point the hypercall will be implemented.

Thanks, Roger.
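
Added example, not part of the thread and not Xen or libxl code: a small C model contrasting option 4 (the wrapper returns 0 without doing anything) with a capability helper along the lines of the suggested libxl_arch_io_ports_supported. `fake_ioport_permission`, `io_ports_supported`, `grant_ranges` and the probe arguments are assumptions made for illustration; the return-value convention follows the thread's `rc == -ENOSYS` wording.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for xc_domain_ioport_permission(), not the libxc code:
 * returns fake_rc (0 where IO ports exist, -ENOSYS where unimplemented). */
static int fake_rc;
static int fake_ioport_permission(uint32_t domid, uint32_t first,
                                  uint32_t nr, bool allow)
{
    (void)domid; (void)first; (void)nr; (void)allow;
    return fake_rc;
}

/* Hypothetical capability helper: only -ENOSYS means "no IO ports here";
 * any other failure is still reported to the caller. */
static int io_ports_supported(uint32_t domid, bool *supported)
{
    int rc = fake_ioport_permission(domid, 0, 0, false); /* probe args: assumption */
    if (rc != 0 && rc != -ENOSYS)
        return rc;
    *supported = (rc == 0);
    return 0;
}

struct io_range { uint32_t first, nr; };

/* stub_wrapper models option 4 (wrapper returns 0 and does nothing);
 * *granted is the number of ranges the caller believes were granted. */
static int grant_ranges(uint32_t domid, const struct io_range *r, int n,
                        bool stub_wrapper, int *granted)
{
    bool ok = true;
    int rc = 0;
    *granted = 0;
    if (!stub_wrapper && (rc = io_ports_supported(domid, &ok)) != 0)
        return rc;                  /* real error: domain creation fails */
    for (int i = 0; ok && i < n; i++) {
        rc = stub_wrapper ? 0
           : fake_ioport_permission(domid, r[i].first, r[i].nr, true);
        if (rc)
            return rc;
        (*granted)++;
    }
    return 0;
}
```

With the stubbed wrapper the caller records every range as granted although no permission was set; with the helper it records none, and errors other than ENOSYS still abort.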
