|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH 5/5] xen/xsm: Address hypercall ABI problems
On 05.11.2021 14:55, Andrew Cooper wrote:
> Currently, __HYPERVISOR_xsm_op enters xsm_ops.do_{xsm,compat}_op() which means
> that if any other XSM module registers a handler, we'll break the hypercall
> ABI totally by having the behaviour depend on the selected XSM module.
>
> There are 2 options:
> 1) Rename __HYPERVISOR_xsm_op to __HYPERVISOR_flask_op. If another XSM
> module wants hypercalls, they'll have to introduce a new top-level
> hypercall.
> 2) Make the current flask_op() be common, and require new hypercalls to fit
> compatibly with xen_flask_op_t. This can be done fairly easily by
> subdividing the .cmd space.
>
> In this patch, we implement option 2.
>
> Move the stub {do,compat}_xsm_op() implementation into a new xsm_op.c so we
> can more easily do multi-inclusion compat magic. Also add a new private.h,
> because flask/hook.c's local declaration of {do,compat}_flask_op() wasn't
> remotely safe.
>
> The top level now dispatches into {do,compat}_flask_op() based on op.cmd, and
> handles the primary copy in/out.
I'm not convinced this is the only reasonable way of implementing 2).
I could also see number space to be separated in different ways, ...
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> CC: Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
>
> Only lightly tested. Slightly RFC. There are several things which aren't
> great, but probably want addressing in due course.
>
> 1) The public headers probably want to lose the flask name (in a compatible
> way), now that the hypercall is common. This probably wants to be
> combined with no longer taking a void handle.
... leaving per-module public headers and perhaps merely adding an
abstracting
struct xen_xsm_op_t {
uint32_t op;
... /* placeholder */
};
or (making explicit one possible variant of number space splitting)
union xen_xsm_op_t {
uint32_t op;
struct {
uint16_t cmd;
uint16_t mod;
} u;
... /* placeholder */
};
in, say, a new public/xsm.h.
As a result I consider this change either going too far (because of
not knowing future needs) or not far enough (by e.g. leaving
do_xsm_op() to use xen_flask_op_t.
> 2) {do,compat}_xsm_op() are currently identical other than the dispatched-to
> functions because the size of xsm_flask_op_t is invariant with
> COMPAT-ness. We could simplfy things by only having one, and dispatching
> to {do,compat}_*_op() directly, but I'm not sure whether the complexity is
> worth it.
Perhaps not, I would say, not the least because (as said above) I
think we shouldn't put in place restrictions which may get in the
way of adding some future module.
Extending struct xen_flask_op to become a generic XSM interface
structure (or even just for Flask's own purposes) also is not as
straightforward as it might seem: There's currently no provision
for sub-structs which would grow the overall size of the structure:
The copy_{to,from}_guest() invocations for existing sub-ops may not
copy more that the present worth of sizeof(struct xen_flask_op).
Yet your implementation of do_xsm_op() moves this deficiency from
Flask to XSM.
> 3) Bloat-o-meter says these changes add 16 extra bytes to dm_op() and I can't
> figure out what could possibly be causing this.
Without comparing the object files in closer detail it's guesswork,
but might this be register scheduling differences resulting from
the changed sizeof(struct xsm_ops)? I've been observing similar
seemingly unmotivated changes to generated code ...
> --- a/xen/xsm/flask/flask_op.c
> +++ b/xen/xsm/flask/flask_op.c
> @@ -22,6 +22,8 @@
> #include <objsec.h>
> #include <conditional.h>
>
> +#include "../private.h"
Kind of odd: I'd expect a file named such to not get included
across directory levels, unless a single component was split in
such a way (to me Flask and XSM core are separate, yet still
related components).
Jan
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |