[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] SUPPORT.md: extend security support for hosts to 12 TiB of memory



Hi,

On 06/04/2022 15:44, Jan Beulich wrote:
c49ee0329ff3 ("SUPPORT.md: limit security support for hosts with very
much memory"), as a result of XSA-385, restricted security support to
8 TiB of host memory. Extend this to 12 TiB, putting in place a guest
restriction to 8 TiB in exchange.

And this is even without CONFIG_BIGMEM?


A 12 TiB host was certified successfully for use with Xen 4.14 as per
https://www.suse.com/nbswebapp/yesBulletin.jsp?bulletinNumber=150753.
This in particular included running as many guests (2 TiB each) as
possible in parallel, to actually prove that all the memory can be used
like this. It may be relevant to note that the Optane memory there was
used in memory-only mode, with DRAM acting as cache.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -50,7 +50,7 @@ For the Cortex A57 r0p0 - r1p1, see Erra
### Physical Memory - Status: Supported up to 8 TiB
+    Status: Supported up to 12 TiB

I am afraid this limit is going to be too high for Arm. Even the previous one was technically incorrect. From [1], it should be:
  - 5TB for arm64
  - 16GB for arm32

Hosts with more memory are supported, but not security supported. @@ -121,6 +121,14 @@ ARM only has one guest type at the momen Status: Supported +## Guest Limits
+
+### Memory
+
+    Status: Supported up to 8 TiB

For Arm, this should be limited to 1TB for arm64 and 16GB for arm32.

+
+Guests with more memory are supported, but not security supported.

d->max_pages is a 32-bit value. So Xen can effectively only support up to 16TB of memory. AFAICT, it would require quite a bit rework to lift that limit. So I think it would be better to spell out the upper limit.

Cheers,

[1] https://wiki.xenproject.org/wiki/Xen_Project_Release_Features

--
Julien Grall



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.