Re: [RFC PATCH 4/4] x86/TSC: Use RDTSCP

From: Andrea Parri
Date: Wed Dec 12 2018 - 07:02:25 EST


On Wed, Dec 12, 2018 at 10:59:12AM +0100, Peter Zijlstra wrote:
> On Tue, Dec 11, 2018 at 06:24:44PM -0800, Andy Lutomirski wrote:
> > > On Dec 11, 2018, at 3:39 PM, Borislav Petkov <bp@xxxxxxxxx> wrote:
> > >
> > >> On Tue, Dec 11, 2018 at 11:12:41PM +0000, Lendacky, Thomas wrote:
> > >> It does seem overloaded in that sense, but the feature means that LFENCE
> > >> is serializing and so can be used in rdtsc_ordered. In the same sense,
> > >> barrier_nospec is looking for whether LFENCE is serializing and preferring
> > >> that over MFENCE since it is lighter weight.
> > >>
> > >> In light of how they're being used now, they could probably stand to be
> > >> renamed in some way.
> > >
> > > Actually, come to think of it, what really matters here is whether
> > > LFENCE is serializing or not. Because if so, you wanna replace with LFENCE
> > > as it is lighter. And in that case a single alternative() - not _2() -
> > > should suffice.
> > >
> > > BUT(!), that still is not good enough if you do some qemu CPU models
> > > like pentium or so which don't even have MFENCE and cause stuff like
> > > this:
> > >
> > > https://lkml.kernel.org/r/20181123200307.GA6223@xxxxxxxxxxxx
> > >
> > > Which means, that you *do* have to alternate between
> > >
> > > * no insn at all
> > > * MFENCE
> > > * LFENCE, if it is serializing
> > >
> > > so barrier_nospec() does the right thing, AFAICS. And this is why we
> > > need an ALTERNATIVE_3() to add RDTSCP into the mix too.
> > >
> > > WRT renaming, I guess we can do something like:
> > >
> > > * X86_FEATURE_MFENCE_RDTSC -> X86_FEATURE_MFENCE - to mean that CPU has
> > > MFENCE support.
> > >
> > > and
> > >
> > > * X86_FEATURE_LFENCE_RDTSC -> X86_FEATURE_LFENCE_SERIALIZING
> > >
> > > Or something to that effect.
> >
> > This makes me nervous, since no one knows what âserializingâ means.
> > IIRC AMD specifically documents that MFENCE is required before RDTSC
> > to get sensible ordering. So itâs entirely plausible to me that
> > LFENCE is okay for Spectre mitigation but MFENCE is needed for RDTSC
> > on some CPU.
>
> What we want is IFENCE, an instruction that flushes the complete
> pipeline. Or alternatively put: holds completion until all prior issued
> instructions complete.
>
> MFENCE always did that (and a ton more), LFENCE seems to have always
> done that on Intel, but AMD at some point actually implemented LFENCE as
> it was specified (only hold completion until all preceding loads are
> complete) and they (now) have this MSR bit to 'fix' that.

For the record, the "Software techniques for managing speculation on AMD
processors" white paper states:

"Instructions that cause the machine to temporarily stop inserting
new instructions into the machine for execution and wait for
execution of older instructions to finish are referred to as
dispatch serializing instructions."

and

"MITIGATION G-2

Description: Set an MSR in the processor so that LFENCE is a
dispatch serializing instruction and then use LFENCE in code
streams to serialize dispatch (LFENCE is faster than RDTSCP which
is also dispatch serializing). This mode of LFENCE may be enabled
by setting MSR C001_1029[1]=1.

Effect: Upon encountering an LFENCE when the MSR bit is set,
dispatch will stop until the LFENCE instruction becomes the oldest
instruction in the machine.

Applicability: All AMD family 10h/12h/14h/15h/16h/17h processors
support this MSR. LFENCE support is indicated by CPUID function1
EDX bit 26, SSE2. AMD family 0Fh/11h processors support LFENCE as
serializing always but do not support this MSR. AMD plans support
for this MSR and access to this bit for all future processors."

I could not find similar information in the AMD APM though; Section 7.6.4
("Serializing Instructions") of this manual describe a different/stronger
notion of "serialization", IIUC.


>
> At some point in the past (when all this spectre LFENCE muck was
> relatively fresh) I suggested we call the thing: instruction_fence() or
> something like that, maybe we ought to still do that now.

FWIW, I do find the name rdtsc_ordered() as somehow too evocative... ;-)
maybe simply rdtsc_nospec() would be a better choice?

Andrea


>
> Re RDTSC, waiting for all preceding instructions to complete is
> 'obviously' sufficient for two RDTSC instructions not to get re-ordered
> either.