RAR (Remote Action Request)
Spec: 341431-remote-action-request-white-paper.pdf
Remote Action Request (RAR) is introduced in Intel Architecture as a model-specific feature to speed up inter-processor operations by moving parts of those operations from software (OS, App) to hardware (the IA core).
RAR is used for speeding up remote TLB shootdowns and allowing them to be serviced while a long instruction is executing on the remote processor or when interrupts are disabled on that processor.
When the target pCPU receive RAR, if it is in non-root mode, it won't VMExit!
Concretely, it can replace the IPI with the remote action request. so its use case is not limited to TLB shootdown.
Benefits:
- Fewer context switches: RAR needn't to be handled by software, so we will have fewer context switches caused by interrupts.
-
Lower latency: If a long instruction is executing on the remote processor or when interrupts are disabled on that processor, TLB flush using IPI will have long latency, but RAR
- doesn't need interrupts and,
- can be handled during a long instruction is executing,
so it will have lower latency.
ๆณจๆ PVRAR ๅ RAR ็ๅบๅซ๏ผRAR ๆฌ่บซๆฏไธไธช bare-metal ็ featureใๆฏๅฏไปฅ็จๆฅๅ ้ baremetal ไธ็ TLB invalidation ็ใ
ๅจ bare-metal ไธๅผๅ ฅ RAR ็ๅๅ ๆฏๅฏไปฅ้ฟๅ ๅ้ IPI ็ป RLPใไนๅฐฑๆฏ RLP ็ซฏ็ software ไธ้่ฆๅไธ๏ผhardware ๅฐฑ็ดๆฅๅไบ๏ผๆๅๆ็ใ่ๅๅบไบ็็่ฎบๆฏ๏ผIPI ๅฏไปฅ็ไฝๆฏไธไธชๆดๅ general ็ๆบๅถ๏ผ็จๆฅ้็ฅ RLP ๅไปปไฝไบ๏ผ่ฟๅๅณไบ RLP ่ฟ่พน็ hanlder๏ผไฝๆฏๅ ไธบๅคงๅคๆฐๆ ๅตไธ workload ๅฐฑ้ฃไนๅ ็ง๏ผๆฏๅฆ TLB shootdownใEPT invalidation ็ญ็ญใๆไปฅๆไปฌๅฏไปฅๆ่ฟไบ workload ็ๆต็จๅฎ็ฐๅจ hardware ไธญไป่่ฎฉๆง่ก็้ๅบฆๆดๅฟซ๏ผไนๅฐฑๆฏ RAR ็ๆฌ่ดจๆฏ็บ็ฒ็ตๆดปๆงๆฅๆๅๆ็ใ
-
RAR_INFOread-only: Report capabilities. -
RAR_CONTROL: enable the feature.
How to perform a RAR?
Signaling a RAR is done similar to sending an INTR, by writing to the Interrupt Command Register (ICR).^
There is a new Delivery Mode^ added: RAR.
RAR Physical Memory Regions
ๆไธค็ๅ ๅญๅบๅ้่ฆๅจ MSR ไธญๆๅ๏ผ
- Payload table;
- Action vector.
Payload Table
ๆฏไธไธช 4K ๅบๅ๏ผๆ 64 ไธช 64 bytes ็ entryใPayload table ๅๅซๅ RAR islandใ
The payload table contains RAR payloads. It is allocated by the OS in contiguous physical memory and pointed by each LPโs RAR_PAYLOAD_TABLE_BASE MSR. Each entry defines the payload for a single action.
This architecture doesnโt preclude the option for the OS to allocate multiple Payload Tables, one per a subset of LPs and set the RAR_PAYLOAD_TABLE_BASE Logical Processor MSRs accordingly.
ไนๅฐฑๆฏไธๅ LP ็ MSR ้ฝๅฏไปฅ share ๅไธไธช payload table ็ๅบๅใๅฝ็ถไนๅฏไปฅไธ share๏ผไปฃ็ ้็ฎๅ็ๅฎ็ฐๆฏ share ็๏ผ๏ผ
In a PCID enabled system where software threads are allocated each with a different PCID, the OS may choose to allocate a separate Payload Table for each RLP, i.e., each RLP is its own โRAR Islandโ.
่ฟ็งๆถๆๅนถๆฒก้ๅถ็จๅคไธช Payload table๏ผๆ็ซฏไธ็น๏ผ็่ณ OS ๅฏไปฅไธบๆฏไธไธช LP ๅ้ ไธไธช Payload tableใ
The payload table is fixed size at 4KB, contains 64 entries of 64 bytes (512 bits).
RAR Payload Type / Subtype
ๆฏไธไธช payload ้ฝๆ Type ๅ Subtype ไธคไธชๅใType ๅ๏ผ
- Type 0 = Page invalidation; invalidate one or more pages.
- Type 1 = Page invalidation; invalidate one or more pages, ignore CR3 match.
- Type 2 = PCID invalidation; invalidate pages associated with a specific PCID.
- Type 3 = EPT invalidate; invalidate pages associated with a specific EPTP.
- Type 4 = VPID invalidation; invalidate pages associated with a specific VPID.
- Type 5 = MSR write; write value to specified MSR.
- Other types reserved for future usages.
For RAR-based PV TLB flush, Type 4 (VPID invalidation) is used.
Subtype ๅ็จๆฅๅณๅฎ่ฟไธช type ็ปๅ็ๅจไฝ๏ผๆฏๅฆ Type 0 ๆฏ page invalidation๏ผsubtype ๅฐฑ็จๆฅๅณๅฎๅ address specific ็ invalidation ่ฟๆฏ่ฏดๆง่ก all-context ็ invalidationใ
Action Vector
The action vector is a per-RLP 64 Byte aligned vector of actions, contains 64 entries of 8 bits. It is pointed to by the RAR Action Vector MSR. ๆฏไธไธช entry ๅฏนๅบ็ๆฏๅฏนๅบ request action ็ statusใ
ไธบไปไน่ฆๆ 64 ไธช entries ๅข๏ผๆฏไธบไบๅ payload^ ็ๆฐ้ๅฏนๅบใEach 8-bit entry j (0 <= j < N) defines the per-RLP status of the jth action request;
- 0x00 = RAR_SUCCESS.
- 0x01 = RAR_PENDING.
- 0x02 = RAR_ACKNOWLEDGED.
- 0x80 = RAR_FAILURE.
RAR TLB Flush Design
Shoot4U
Shoot4U is the paper's name, it is the same as PV_SEND_IPI in KVM.
It is different than KVM PV-based TLB flush mechanism because when the target vCPU is online and NOT preempted, Guest still need to send vIPI to the target vCPU, but in Shoot4U, all vIPIs are translated to physical IPIs and the polling is also done by the VMM not the guest. So we don't need to inject the interrupt back to the vCPUs to perform TLB flush.
Traditional vIPI (note: not equals to IPIv) based TLB flush / PV-based flush when vCPU is NOT preempted:
- Prepare payload in memory
- vCPU0โs sending vIPI is trapped to VMM
- The VMM sends IPI to pCPU1
- pCPU1 injects interrupt to vCPU1
- vCPU1 reads payload from memory and invalidate TLBs with INVLPG
- notify vCPU0 that invalidation is completed
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Guest VM โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ โ
โ โ โโโโโโโโโโโโโ โ โ
โ โ โ โ โ โ
โ โ Memory โ Payload โ โ โ
โ โ โ โ โ โ
โ โ โโโโโบโโโโโโโฒโโโฌโโโ โ โ
โ โ 1 โ 6 โ โ 5 โ โ
โ โโโโโโโโผโโโโโโโโโโโผโโโผโโโโโโ โ
โ โ โ โ โ
โ โโโโโโโโดโโโโโ โโโโดโโโผโโโโโโ โ
โ โ vCPU0 โ โ vCPU1 โ โ
โ โโโโโโฌโโโโโโโ โโโโโโโโฒโโโโโ โ
โ โ โ โ
โโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโ
2 โ 4 โ
โโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโ
โ โ โ โ
โ โโโโโโผโโโโโ โโโโโโดโโโโโ โ
โ โ pCPU0 โโโโโโโโบ pCPU1 โ โ
โ โโโโโโโโโโโ 3 โโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Notes: with IPIv, unicast vIPI won't VMexit. IPIv is a feature supported by hardware.
Shoot4U:
- Guest invokes a hypercall to flush TLBs
- VMM converts the hypercall into multiple remote INVVPID to the payload
- VMM sends IPIs to target pCPUs
- pCPU1 reads payload from memory and invalidate TLBs with INVVPID
- notify that invalidation is completed
Can eliminates the problems which KVM PV-based approach has:
- Overheads of IPI routing between vCPUs
- It is possible that the preemption state of a vCPU can change after its state has been checked by the invoking CPU but before the IPI is actually delivered (TOCTOU problem)
Shortcomings:
- External interrupt VM exits on host in Step 3๏ผๅฝ target pCPU ๅคไบ non-root ๆจกๅผไธๆถ๏ผไป็ถ้่ฆ VMExit ๅบๆฅ๏ผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Guest VM โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โ vCPU0 โ โ vCPU1 โ โ
โ โโโโโโฌโโโโโโโ โโโโโโโโโโโโโ โ
โ โ โ
โโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโ
1 Hypercall
โโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ โ
โ โโโโโโผโโโโโ โโโโโโโโโโโ โ
โ โ pCPU0 โโโโโโโโบ pCPU1 โ โ
โ โโโโโโโโโโฌโ 3 โโโฌโโโโฒโโโโ โ
โ 2โ โ5 โ4 โ
โ โโโโโโโโโโโผโโโโโโโโโโผโโโโผโโโโโ โ
โ โ โ โ โ โ โ
โ โ โโโบโโโโโโโโผโโโโดโโ โ โ
โ โ Memory โ Payload โ โ โ
โ โ โโโโโโโโโโโโโโ โ โ
โ โ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Shoot4U + RAR
Just replace the above 2,3,4,5 steps to RAR rather than Physical IPIs. Because RAR can be performed while the target CPU is running in non-root mode, so we can avoid the VM exits introduced by IPIs.
ไฝๆฏ source hypercall ็ VMExit ๅบ่ฏฅ่ฟๆฏๆฒกๆๅๆณ้ฟๅ ็ๅงใ
RAR TLB Flush in KVM
native_send_rar_ipi() Kernel
void native_send_rar_ipi(const struct cpumask *mask)
{
cpumask_var_t allbutself;
if (!alloc_cpumask_var(&allbutself, GFP_ATOMIC)) {
// allocate false
apic->send_IPI_mask(mask, RAR_VECTOR);
return;
}
// allbufself ๆฏไธไธชๅธธ้๏ผ่กจ็คบ้คไบ่ชๅทฑๆๆ online ็ CPU
cpumask_copy(allbutself, cpu_online_mask);
cpumask_clear_cpu(smp_processor_id(), allbutself);
// ๅฆๆๆไปฌ่ฆๅ้็ mask ๅ albutself ๆฏไธๆ ท็๏ผ้ฃไนๆไปฌ็ดๆฅ่ฐ็จ send_IPI_allbutself๏ผ
// ๅฏ่ฝไผๆไธไบไผๅใ
if (cpumask_equal(mask, allbutself) && cpumask_equal(cpu_online_mask, cpu_callout_mask))
apic->send_IPI_allbutself(RAR_VECTOR);
else
apic->send_IPI_mask(mask, RAR_VECTOR);
//...
}
RAR TLB Flush Exposion and Detection
Guest enumerates this PV feature by CPUID in KVM_CPUID_FEATURES, and KVM will expose this feature as possible:
#define KVM_FEATURE_RAR_TLBFLUSH 18
__do_cpuid_func
case KVM_CPUID_FEATURES:
//...
if (rar_invvpid_supported())
entry->eax |= (1 << KVM_FEATURE_RAR_TLBFLUSH);
//...
How does guest kernel use RAR TLB Flush?
There is a new hypercall is defined:
#define KVM_HC_FLUSH_TLB 13
If guest want to use this feature, it should first use KVM based TLB flush PV feature, which means KVM_FEATURE_PV_TLB_FLUSH and KVM_FEATURE_STEAL_TIME PV features must be used as dependencies:
// If KVM_FEATURE_PV_TLB_FLUSH and KVM_FEATURE_STEAL_TIME are used,
// this function is added as the handler function of pv_ops.mmu.flush_tlb_others
//
static void kvm_flush_tlb_multi(const struct cpumask *cpumask,
const struct flush_tlb_info *info)
{
//...
// first use PV Flush TLB if possible, i.e., the VCPU is not preempted
for_each_cpu(cpu, flushmask) {
src = &per_cpu(steal_time, cpu);
state = READ_ONCE(src->preempted);
if ((state & KVM_VCPU_PREEMPTED)) {
if (try_cmpxchg(&src->preempted, &state,
state | KVM_VCPU_FLUSH_TLB))
__cpumask_clear_cpu(cpu, flushmask);
}
}
// nopvrar will be true if "nopvrar" is added to guest kernel cmdline
// Here, some vCPUs are now preempted and we need to send IPI to them
// to flush their TLBs, with RAR PV featrue, we can replace this step with
// RAR to avoid IPI as possible
if (!nopvrar && kvm_para_has_feature(KVM_FEATURE_RAR_TLBFLUSH)) {
// A successful execution
if (!pv_rar_flush_tlb_others(flushmask, info)) {
CNT_STOP(kvm_flush_tlb, cyc);
return;
}
}
// If RAR PV is not used, use traditional non-pv method to flush TLB
native_flush_tlb_multi(flushmask, info);
}
static long pv_rar_flush_tlb_others(const struct cpumask *cpumask,
const struct flush_tlb_info *info)
{
u64 flags = 0, start = 0, end = 0, mask=0;
long ret;
int cpu, apic_id;
if (!info->mm || (info->end == TLB_FLUSH_ALL))
flags |= PV_TLB_FLUSH_ALL;
else {
start = info->start;
end = info->end;
}
for_each_cpu(cpu, cpumask) {
// apic_id may not equal to cpu_id, so first map the cpu id to apic_id
apic_id = per_cpu(x86_cpu_to_apicid, cpu);
// set all the apic_id bits in "mask"
__set_bit(apic_id, (unsigned long *)&mask);
}
// invoke a hypercall "KVM_HC_FLUSH_TLB"
ret = kvm_hypercall4(KVM_HC_FLUSH_TLB, mask, flags, start, end);
//...
}
kvm_pv_rar_flush_tlb() / How KVM Handle the hypercall KVM_HC_FLUSH_TLB:
[EXIT_REASON_VMCALL] = kvm_emulate_hypercall
__kvm_emulate_hypercall
case KVM_HC_FLUSH_TLB:
kvm_pv_rar_flush_tlb(vcpu, a0, a1, a2, a3);
static long kvm_pv_rar_flush_tlb(struct kvm_vcpu *vcpu, unsigned long mask, unsigned long flags,
unsigned long start, unsigned long end)
{
//...
map = rcu_dereference(vcpu->kvm->arch.apic_map);
if (likely(map)) {
//...
// map from apic_id to physical cpu id
for_each_set_bit(i, &mask, min) {
if (map->phys_map[i]) {
lvcpu = map->phys_map[i]->vcpu;
// get all vpid
lvpid[pcpus] = to_vmx(lvcpu)->vpid;
// get all physical cpu id mapped from apic_id
phys_cpu[pcpus] = lvcpu->cpu;
pcpus++;
}
}
}
//...
// lvpid: vpid list maybe used for the RAR_ACTION_INVVPID
rar_invalidate_vpid_others_batch(lvpid, phys_cpu, pcpus, &info);
//...
}
static long kvm_pv_rar_flush_tlb(struct kvm_vcpu *vcpu,
unsigned long mask, unsigned long flags,
unsigned long start, unsigned long end)
{
struct flush_tlb_info info;
int *lvpid;
int *phys_cpu;
int pcpus = 0;
struct kvm_apic_map *map;
int i;
unsigned long long __maybe_unused cyc;
// Assume INVVPID type is supported if RAR is present
if (!rar_invvpid_supported())
return 1;
map = rcu_dereference(vcpu->kvm->arch.apic_map);
if (likely(map)) {
u32 min;
struct kvm_vcpu *lvcpu;
min = min((u32)BITS_PER_LONG, (map->max_apic_id + 1));
printk_once("min: %d\n", min);
lvpid = kmalloc(min * sizeof(int), GFP_KERNEL);
phys_cpu = kmalloc(min * sizeof(int), GFP_KERNEL);
for_each_set_bit(i, &mask, min) {
if (map->phys_map[i]) {
lvcpu = map->phys_map[i]->vcpu;
lvpid[pcpus] = to_vmx(lvcpu)->vpid;
phys_cpu[pcpus] = lvcpu->cpu;
pcpus++;
}
}
}
if (pcpus <= 0)
return 0;
if (flags == TLB_FLUSH_ALL)
end = TLB_FLUSH_ALL;
info.start = start;
info.end = end;
info.stride_shift = PAGE_SHIFT; /* need guest to provide */
rar_invalidate_vpid_others_batch(lvpid, phys_cpu, pcpus, &info);
kfree(lvpid);
kfree(phys_cpu);
return 0;
}
ๆฑ็ฉไนๅฆ๏ผๅฆ็ณป้ฃๆๆฏ๏ผ่ฝไฝฟๆฏ็ฉไบ็ถไบๅฟ่ ๏ผๅไธไบบ่ไธไธ้ไนใ