
Re: [Xen-devel] RFC: HVM de-privileged mode scheduling considerations

On Mon, 2015-08-03 at 15:34 +0100, Ian Campbell wrote:
> On Mon, 2015-08-03 at 14:54 +0100, Andrew Cooper wrote:

> > I think it would be entirely reasonable to have a deadline for a single
> > execution of depriv mode, after which the domain is declared malicious
> > and killed.
> I think this could make sense, it's essentially a harsher variant of Ben's
> suggestion to abort an attempt to process the MMIO in order to migrate to
> another pcpu, but it has the benefit of being easier to implement and
> easier to reason about 

I think it very much depends on what we expect the common/legit case to
be, how long it would last, etc. If, as Andrew is saying, and as it
seems sane, we expect things to be pretty quick this solution sounds
good to me, and we can avoid the complexity of bouncing the operation
among pcpus.

> > We already have this for host pcpus - the watchdog defaults to 5
> > seconds.  Having a similar cutoff for depriv mode should be fine.
> That's a reasonable analogy.
> Perhaps we would want the depriv-watchdog to be some 1/N fraction of the
> pcpu-watchdog, for a smallish N, to avoid the risk of any slop in the
> timing allowing the pcpu watchdog to fire. N=3 for example (on the grounds
> that N=2 is probably sufficient, so N=3 must be awesome).

I like this too.

<<This happens because I choose it to happen!>> (Raistlin Majere)
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
