[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [RFC PATCH 1/1] xen: Use a global mapping for runstate
On 29/05/2020 15:02, Bertrand Marquis wrote: On 29 May 2020, at 10:43, Julien Grall <julien@xxxxxxx> wrote: Hi Bertrand, On 29/05/2020 09:13, Bertrand Marquis wrote:Hi Julien,On 28 May 2020, at 19:54, Julien Grall <julien@xxxxxxx> wrote: Hi Bertrand, Thank you for the patch. On 28/05/2020 16:25, Bertrand Marquis wrote:At the moment on Arm, a Linux guest running with KTPI enabled will cause the following error when a context switch happens in user mode: (XEN) p2m.c:1890: d1v0: Failed to walk page-table va 0xffffff837ebe0cd0 This patch is modifying runstate handling to map the area given by the guest inside Xen during the hypercall. This is removing the guest virtual to physical conversion during context switches which removes the bugIt would be good to spell out that a virtual address is not stable. So relying on it is wrong.and improve performance by preventing to walk page tables during context switches.With Secret free hypervisor in mind, I would like to suggest to map/unmap the runstate during context switch. The cost should be minimal when there is a direct map (i.e on Arm64 and x86) and still provide better performance on Arm32.Even with a minimal cost this is still adding some non real-time behaviour to the context switch.Just to be clear, by minimal I meant the mapping part is just a virt_to_mfn() call and the unmapping is a NOP. IHMO, if virt_to_mfn() ends up to add non-RT behavior then you have much bigger problem than just this call.But definitely from the security point of view as we have to map a page from the guest, we could have accessible in Xen some data that should not be there. There is a trade here where: - xen can protect by map/unmapping - a guest which wants to secure his data should either not use it or make sure there is nothing else in the pageBoth are valid and depends on your setup. One may want to protect all the existing guests, so modifying a guest may not be a solution.The fact to map/unmap is increasing the protection but not removing the problem completely. I would be curious to understand why the problem is not completely removed.From my perspective, this covers the case where Xen could leak the information of one domain to another domain. When there is no direct mapping, temporary mappings via domain_map_page() will be either per-pCPU (or per-vCPU). So the content should never be (easily) accessible by another running domain while it is mapped. If the guest is concerned about exposing the data to Xen, then it is a completely different issue and should be taken care by the guest iself. Cheers, -- Julien Grall
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |