[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Hackathon minutes] PV network improvements

On Tue, May 21, 2013 at 10:26:00AM +0100, Tim Deegan wrote:
> At 19:31 +0100 on 20 May (1369078279), Wei Liu wrote:
> > On Mon, May 20, 2013 at 03:08:05PM +0100, Stefano Stabellini wrote:
> > > J) Map the whole physical memory of the machine in dom0
> > > If mapping/unmapping or copying slows us down, could we just keep the
> > > whole physical memory of the machine mapped in dom0 (with corresponding
> > > IOMMU entries)?
> > > At that point the frontend could just pass mfn numbers to the backend,
> > > and the backend would already have them mapped.
> > > >From a security perspective it doesn't change anything when running
> > > the backend in dom0, because dom0 is already capable of mapping random
> > > pages of any guests. QEMU instances do that all the time.
> > > But it would take away one of the benefits of deploying driver domains:
> > > we wouldn't be able to run the backends at a lower privilege level.
> > > However it might still be worth considering as an option? The backend is
> > > still trusted and protected from the frontend, but the frontend wouldn't
> > > be protected from the backend.
> > > 
> > 
> > I think Dom0 mapping all machine memory is a good starting point.
> I _strongly_ disagree.  The opportunity for disaggregation and reduction
> of privilege in backends is probably Xen's biggest techical advantage
> and we should not be taking any backward steps there.

I agree with you that disaggregation and reduction of privilege is Xen's
biggest technical advantage.

Just to make clear, this idea was summerized from a discussion among
George, Stefano and I on the way back from hackathon. We want to see if
things like mapping / unmapping incur heavy performance penalty. As now
it is really hard to identify the real performance bottleneck we would
like to have some quick hack to see how things work.

> > As for the driver domain, can we not have a driver domain mapped all
> > of its target's machine memory? What's the security implication here?
> If, say, a network driver domain is compromised it's the difference
> between intercepting network traffic and total control of the OS.
> It's probably worth reading some of the Xen papers about this stuff,
> if you haven't already:
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

Thanks Tim. I read them before. :-)

We're just talking about some experimental things here, not something
that set in stone and must be done in the future.


> Tim.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.