[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [ARM] gvirt_to_maddr fails when DomU is created

To: Juergen Gross <jgross@xxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxx>
Date: Thu, 29 Nov 2018 11:22:14 +0000
Cc: vlad.babchuk@xxxxxxxxx, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
Delivery-date: Thu, 29 Nov 2018 11:22:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Juergen,

I have noticed on the last few threads that your e-mails don't get threaded

correctly. Looking at the source, I can't find the In-Reply-To tag. Do you haveany issue with your e-mail?


On 29/11/2018 09:51, Juergen Gross wrote:

On 29/11/2018 10:39, Jan Beulich wrote:

On 28.11.18 at 01:05, <andrew.cooper3@xxxxxxxxxx> wrote:

update_runstate_area() using a virtual address is a complete misfeature,
and the sooner we can replace it, the better.  It's history is with x86
PV guests, where the early ABIs were designed in terms of Linux's
copy_{to,from}_user().

It is similarly broken in x86 with meltdown mitigations, as well as SMAP
considerations (PAN in ARM, iirc).

We've got two options.  Invent a new API which takes a gfn/gaddr, or
retrofit the API to be "you pass a virtual address, we translate to
gfn/gaddr, then update that".  Perhaps both.

When this was last discussed, I think the "onetime translate to
gfn/gaddr" was a good enough compatibility to cope with existing guests,
but that we should have a more clean way for modern guests.


I don't think a one-time translate can be a replacement without
the guest giving its consent, at which point the guest could as
well be switched to whatever the replacement interface is going
to be. Aiui (the introduction of the functionality predating my
involvement with Xen) the original idea was that guests would
specifically be allowed to context switch the mapping of the
involved linear address.

Furthermore for x86-64 guests we already have logic to deal
with the case where there is no present mapping at the time
the write is to occur, as that's a common situation with x86-64
guest user mode running with kernel page tables removed.
For x86-32 guests with Meltdown mitigation in place something
similar might indeed be needed. Whether something like this is
doable on ARM depends on whether Xen has a way to know
at which point missing mappings re-appear.


In any case we want some interface using gfn/gaddr for performance
reasons: Always having to do a vaddr->gaddr translation is expensive
(especially for HVM/PVH and probably on ARM, too), so we should try to
avoid that.

On Arm, performance is one of the reason, but not the main one. Using VirtualAddress is by default unreliable as you have no way to prevent the guest to playwith its page-tables. For instance, Arm requires to go through an invalid statewhen updating the page-tables entry under certain condition (e.g superpage <->small mapping).

The long-term goal is to use guest physical address for all hypercalls ratherthan guest virtual address.


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Prev by Date: Re: [Xen-devel] [PATCH 1/3] xen: Introduce shared buffer helpers for page directory...
Next by Date: Re: [Xen-devel] [PATCH] tools/firmware: update OVMF Makefile
Previous by thread: Re: [Xen-devel] [ARM] gvirt_to_maddr fails when DomU is created
Next by thread: [Xen-devel] [PATCH 0/3] Remove tmem
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.