[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Sharing Memory between userspace of dom0 and userspace of domU

  • To: "Mike Sun" <msun@xxxxxxxxxx>
  • From: "Derek Murray" <Derek.Murray@xxxxxxxxxxxx>
  • Date: Tue, 19 Feb 2008 16:59:16 +0000
  • Cc: Kareem Dana <kareem.dana@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 19 Feb 2008 08:59:45 -0800
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=mtvN2uRz3RNrfd7+3bauH5mEC9j1WPt5xqh9XXhj737YwOdh0HerewTZEvF3GClZngPkeEMplT8joajgO8WT4a9TQcepG+TbPJb5f9mNELayXJsCjGsKri1107sk8IeewU0TbpAxdraQFafBIVY/uB+wred7xo1vAdQLsu1GSW4=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hi Mike,

On Feb 19, 2008 4:16 PM, Mike Sun <msun@xxxxxxxxxx> wrote:
> > > At the moment, yes, the only way to grant access to a page is from the
> > > kernel. This is due to the fact that kernel memory corresponds to
> > > physical memory, and we don't have to worry about interactions with
> > > the swapper, or what happens when the process dies.
> From what I understand of what you've said, are you saying that the
> shared memory pages that granted access must always be in physical
> memory and cannot be swapped out, even if the guest kernel decided to
> for some reason?  Does Xen enforce this in any way, e.g. pinning the
> pages somehow?

A shared (granted) page is shared based on its (G)MFN. There is in
fact no interaction with Xen when granting a page, as this can be done
by simply writing to the grant table.

The granted physical page is pinned when it is mapped, however, this
only means that, if the granting domain dies, the page is not freed

However, as far as I can tell, the granting domain is free to do
whatever it likes with the physical page. Therefore, if the process
containing the granted page dies, you need to keep a reference to the
physical page that was granted, because another domain has mapped it
and can therefore read the contents of the page, or overwrite them.
This could cause a security problem or unexpected behaviour in the
granting domain.

Likewise, if the kernel decided to swap out the page that you granted,
and replace it with another virtual page, you would not  observe the
effect of granting access to a particular virtual address (which is
all you would know about in user-space). Therefore you would have to
pin the page using mlock() or something similar.

I hope this makes things clearer, but let me know if anything I've
said doesn't make sense.


Derek Murray.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.