[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH 1/1] xen: Use a global mapping for runstate

On 29/05/2020 15:02, Bertrand Marquis wrote:

On 29 May 2020, at 10:43, Julien Grall <julien@xxxxxxx> wrote:

Hi Bertrand,

On 29/05/2020 09:13, Bertrand Marquis wrote:
Hi Julien,
On 28 May 2020, at 19:54, Julien Grall <julien@xxxxxxx> wrote:

Hi Bertrand,

Thank you for the patch.

On 28/05/2020 16:25, Bertrand Marquis wrote:
At the moment on Arm, a Linux guest running with KTPI enabled will
cause the following error when a context switch happens in user mode:
(XEN) p2m.c:1890: d1v0: Failed to walk page-table va 0xffffff837ebe0cd0
This patch is modifying runstate handling to map the area given by the
guest inside Xen during the hypercall.
This is removing the guest virtual to physical conversion during context
switches which removes the bug

It would be good to spell out that a virtual address is not stable. So relying 
on it is wrong.

and improve performance by preventing to
walk page tables during context switches.

With Secret free hypervisor in mind, I would like to suggest to map/unmap the 
runstate during context switch.

The cost should be minimal when there is a direct map (i.e on Arm64 and x86) 
and still provide better performance on Arm32.
Even with a minimal cost this is still adding some non real-time behaviour to 
the context switch.

Just to be clear, by minimal I meant the mapping part is just a virt_to_mfn() 
call and the unmapping is a NOP.

IHMO, if virt_to_mfn() ends up to add non-RT behavior then you have much bigger 
problem than just this call.

But definitely from the security point of view as we have to map a page from 
the guest, we could have accessible in Xen some data that should not be there.
There is a trade here where:
- xen can protect by map/unmapping
- a guest which wants to secure his data should either not use it or make sure 
there is nothing else in the page

Both are valid and depends on your setup. One may want to protect all the 
existing guests, so modifying a guest may not be a solution.

The fact to map/unmap is increasing the protection but not removing the problem 

I would be curious to understand why the problem is not completely removed.

From my perspective, this covers the case where Xen could leak the information of one domain to another domain. When there is no direct mapping, temporary mappings via domain_map_page() will be either per-pCPU (or per-vCPU). So the content should never be (easily) accessible by another running domain while it is mapped.

If the guest is concerned about exposing the data to Xen, then it is a completely different issue and should be taken care by the guest iself.


Julien Grall



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.