[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] xen: gic-v3: Introduce CONFIG_GICV3_NR_LRS

To: Julien Grall <julien@xxxxxxx>, Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: "Halder, Ayan Kumar" <ayankuma@xxxxxxx>
Date: Sat, 18 Apr 2026 08:28:23 +0100
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=xen.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SVU1EW8nR4fo4UYfWYf3iKbf5HlwfDbGYK0qu8l56GI=; b=SkR/CqSVsiVjnA9TeDHRr9qFgS+B7qBT8OIqZLIJmrVf8IIvvJt0f309QqDo2/2TSU/I8E+QIt7Ac41GykyZ5EbxUzudA+1sb+iJxfguV3UfZVMTImCZoaYXFAi5dsK6HekC0gkDCo6jyqFjmzoR+ccHjYcmz+iQT+PgRbeprXtVEidvpO/McO3SXemEEfRbN/va1TiROFWNO159XjTdmnItwCsyLeeVrjc7pEdNHm7yfGAgRKQr08gcHeF8P7XdyUg9x8owwNcOmXnFAzvo7MRxd6y6BgVFlvGWDIRi+KLuJxXzJX3LHq2cZGyKbe1aIyAztML2nWklzH7wY4jLlQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ZU4TI3Ix3u7+Gp2N7ionZBPyyE0XJDfOMVw8U/nkKGy8sSYXR4pMM1sCcVSDdFsabcO0SKHLZGHXGNv8m6SVXUBN+NpHbUrD37PJZN35LK0cgc0oqrCD5HOlroP/51dNnruMzFyU3jK7R08bAi2rrXiN6fByghSvo9O8bv464q6X2zIGBq0lFksgomT5eidNUsRbklUHGGnPwFG+pX7YniZza4GMYGS4tu+MXVpIDZ7cGmz1zGsOAgvuVKftcWW5I8nHk8Gw0BQLzUhnlhds6JlSRy0X7/+u44gKThGf5b3KwrHHCdhBap7ReZX5ugsf6O2FfX2zfgiXLI2SeQztJg==
Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=amd.com header.i="@amd.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, "Volodymyr Babchuk" <Volodymyr_Babchuk@xxxxxxxx>
Delivery-date: Sat, 18 Apr 2026 07:28:55 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>


On 14/04/2026 03:06, Julien Grall wrote:

Hi Ayan,

Hi Julien,


On 18/03/2026 23:09, Ayan Kumar Halder wrote:

One key requirement of Xen functional safety is to reduce the number
of lines of code to be safety certified. Besides, a safety certified
Xen requires a static hardware configuration to be defined. This static
hardware configuration is described as per the test hardware/emulator
hardware configuration against which Xen is verified.

Introduce GICV3_NR_LRS with the two aims in mind:


Out of interest, why is this limited to GICv3?

This was just my starting point of investigation. My intention is tohave as much as a static defined hardware configuration, so that thecode that cannot be tested on the hardware can be eliminated by one ofthe many ways (DCE, Kconfig or actual code removal).

The advantage of having a static defined configuration is that thesystem integrator will have the full control on how to configure Xen fora specific hardware platform. And we try to reduce as much as possibleany code that cannot be used due to hardware limitations.

1. User should set the number of GICV3 list registers as per the test
hardware so that the unwanted code can be removed using GCC's dead
code elimination or preprocessor's config.
We discussed this offline, I am not fully convinced you can rely ondead code elimination to always remove the BUG() ingicv3_ich_read_lr(). If you want to rely on dead code eliminitation,then you will want to call a function which have a prototype definedbut not implemented (similar to what we do for bitops with__bad_atomic_read()) which would fail a link time if the compilerdidn't remove the code.


If you are ok, we can break this into 2 patches

1. Introduce GICV3_NR_LRS and make sure it is used consistently in thecode. IOW, it should address the comments that Luca and you provided.


2. Implement a way for compiler to do DCE based on GICV3_NR_LRS.

2. By doing #1, one can ensure that there is no untested code due to
unsupported hardware platform and thus there is no safety impact due
to untested code.

However if the user does not set GICV3_NR_LRS, then it is set to 0.
Thus Xen will fallback to the default scenario (i.e. read the hardware
register to determine the number of LRS).

1. In gicv3_save_lrs()/gicv3_restore_lrs(), use the number of list
registers from GICV3_NR_LRS (if defined) instead of gicv3_info.nr_lrs.
This ensures that if the hardware does not support more than 4 LRs
(for example), the code accessing LR 4-15 is never reached. The
compiler can eliminate the unsupported cases as the switch case uses a
constant conditional.

2. RAZ/WI for the unsupported LRs.

Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>
Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
---
Changelog:

v1 - 1. s/lrs/LRS
2. Implement RAZ/WI instead of panic

Few comments which were not addressed
1. Do "gicv3_info.nr_lrs to LRS" in gicv3_hyp_init() and keep the code
unchanged in gicv3_save_lrs()/gicv3_restore_lrs() -- This prevents the
compiler from doing dead code elimination as the switch condition cannot
be evaluated at compile time.
I am not sure how to get around this issue.

  xen/arch/arm/Kconfig  |  9 +++++++++
  xen/arch/arm/gic-v3.c | 14 ++++++++++++--
  2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
index 2f2b501fda..6540013f97 100644
--- a/xen/arch/arm/Kconfig
+++ b/xen/arch/arm/Kconfig
@@ -276,6 +276,15 @@ config PCI_PASSTHROUGH
    endmenu
  +config GICV3_NR_LRS
+    int "Number of GICv3 Link Registers supported" if EXPERT

Supported by who? The hardware? Xen? Asking, because I could forsee anintegrator wanted to limit the number of LRs to something smaller thanwhat the HW supports (in a lot of cases, 2 LRs is sufficient).


Ack

 ... "Number of GICv3 Link Registers used" if EXPERT

So it implies a decision to be taken by the system integrator. Does itsound ok ?

+    depends on GICV3
+    range 0 16
+    default 0
+    help
+      Controls the number of Link registers to be accessed.
+ Keep it set to 0 to use a value obtained from a hardwareregister.
I still strongly think that if GICV3_NR_LRS is set, then it needs tobe checked against the value read by the hardware

Ack.

+
  menu "ARM errata workaround via the alternative framework"
      depends on HAS_ALTERNATIVE
  diff --git a/xen/arch/arm/gic-v3.c b/xen/arch/arm/gic-v3.c
index bc07f97c16..eaae95eb4d 100644
--- a/xen/arch/arm/gic-v3.c
+++ b/xen/arch/arm/gic-v3.c
@@ -51,6 +51,8 @@ static DEFINE_PER_CPU(void __iomem*, rbase);
  #define GICD                   (gicv3.map_dbase)
  #define GICD_RDIST_BASE        (this_cpu(rbase))
  #define GICD_RDIST_SGI_BASE    (GICD_RDIST_BASE + SZ_64K)
+#define LRS                    (CONFIG_GICV3_NR_LRS ?: \
+                                gicv3_info.nr_lrs)


IMHO, LRS is a little bit vague. What about MAX_LRS? Or maybe NR_LRS?

NR_LRS .

    /*
   * Saves all 16(Max) LR registers. Though number of LRs implemented
@@ -59,7 +61,7 @@ static DEFINE_PER_CPU(void __iomem*, rbase);
  static inline void gicv3_save_lrs(struct vcpu *v)
  {
      /* Fall through for all the cases */
-    switch ( gicv3_info.nr_lrs )
+    switch ( LRS )
      {
      case 16:
          v->arch.gic.v3.lr[15] = READ_SYSREG_LR(15);
@@ -121,7 +123,7 @@ static inline void gicv3_save_lrs(struct vcpu *v)
  static inline void gicv3_restore_lrs(const struct vcpu *v)
  {
      /* Fall through for all the cases */
-    switch ( gicv3_info.nr_lrs )
+    switch ( LRS )
      {
      case 16:
          WRITE_SYSREG_LR(v->arch.gic.v3.lr[15], 15);

@@ -178,6 +180,10 @@ static inline void gicv3_restore_lrs(conststruct vcpu *v)

    static uint64_t gicv3_ich_read_lr(int lr)
  {
+    /* RAZ for unsupported LR */
+    if ( lr >= LRS )
+        return 0;
+
      switch ( lr )
      {
      case 0: return READ_SYSREG_LR(0);
@@ -203,6 +209,10 @@ static uint64_t gicv3_ich_read_lr(int lr)
    static void gicv3_ich_write_lr(int lr, uint64_t val)
  {
+    /* WI for unsupported LR */

AFAIU, this path is really not meant to happen. So I don't think wewant to silently ignore the write as it would mean an interrupt ismissing. I think in debug build, we probably want to useASSERT_UNREACHABLE(). If we want something for production as well,then we could instead use WARN().


Ack. I will use WARN().

- Ayan


Cheers,

References:
- Re: [PATCH v2] xen: gic-v3: Introduce CONFIG_GICV3_NR_LRS
  - From: Julien Grall

Prev by Date: Re: [PATCH v2] xen: gic-v3: Introduce CONFIG_GICV3_NR_LRS
Next by Date: RE: [PATCH 1/4] tools/tests/alloc: Unit and Integration Test Framework for page_alloc.c
Previous by thread: Re: [PATCH v2] xen: gic-v3: Introduce CONFIG_GICV3_NR_LRS
Next by thread: Re: [PATCH v5 1/5] x86: Reject CPU policies with vendors other than the host's
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.