
[Xen-devel] RE: [RFC] transcendent memory for Linux



> From: Jeremy Fitzhardinge [mailto:jeremy@xxxxxxxx]
> 
> On 06/29/09 14:13, Dan Magenheimer wrote:
> > The uuid is only used for shared pools.  If two different
> > "tmem clients" (guests) agree on a 128-bit "shared secret",
> > they can share a tmem pool.  For ocfs2, the 128-bit uuid in
> > the on-disk superblock is used for this purpose to implement
> > shared precache.  (Pages evicted by one cluster node
> > can be used by another cluster node that co-resides on
> > the same physical system.) 
> 
> What are the implications of some third party VM guessing the "uuid" of
> a shared pool?  Presumably they could view and modify the contents of
> the pool.  Is there any security model beyond making UUIDs unguessable?

Interesting question.  But, more than the 128-bit UUID must
be guessed... a valid 64-bit object id and a valid 32-bit
page index must also be guessed (though most instances of
the page index are small numbers so easy to guess).  Once
192 bits are guessed though, yes, the pages could be viewed
and modified.  I suspect there are much more easily targeted
security holes in most data centers than guessing 192 (or
even 128) bits.

Now this only affects shared pools, and shared-precache is still
experimental and not really part of this patchset.  Does "mount"
of an accessible disk/filesystem have a better security model?
Perhaps there are opportunities to leverage that?

> > The (page)size argument is always fixed (at PAGE_SIZE) for
> > any given kernel.  The underlying implementation can
> > be capable of supporting multiple pagesizes.
>
> Pavel's other point was that merging the size field into the flags is a
> bit unusual/ugly.  But you can work around that by just defining the
> "flag" values for each plausible page size, since there's a pretty small
> bound: TMEM_PAGESZ_4K, 8K, etc.

OK, I see.  Yes, the point (and the workaround) are valid.
 
> Also, having an "API version number" is a very bad idea.  Such version
> numbers are very inflexible and basically don't work (esp if you're
> expecting to have multiple independent implementations of this API).
> Much better is to have feature flags; the caller asks for features on
> the new pool, and pool creation either succeeds or doesn't (a call to
> return the set of supported features is a good complement).

Yes.  Perhaps all the non-flag bits should just be reserved for
future use.  Today, the implementation just checks for (and implements)
only zero anyway and nothing is defined anywhere except the 4K
pagesize at the lowest levels of the (currently xen-only) API.

Thanks,
Dan
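An added toy model, in C, of the two API points argued over above. It is not code from the tmem patchset, from Xen or from Linux; every identifier in it (toy_new_pool, toy_put_page, toy_get_page, TOY_PAGESZ_4K, and so on) is hypothetical, and the sample uuids and page contents are constructed. It shows (1) that a reader of a shared pool must present the pool's 128-bit uuid and a matching 64-bit object id and 32-bit page index before any page is returned, and a guest presenting a different uuid lands in a different pool, and (2) pool creation driven by feature flags rather than an API version: the caller asks for a set of flags, creation succeeds or fails, and a separate call reports what the implementation supports, with page size encoded as one flag bit per plausible size as Jeremy suggests.

```c
/* Added example: toy in-memory model of a tmem-style pool. Hypothetical
 * names throughout; not the tmem, Xen or Linux implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_PAGE_SIZE 4096
#define TOY_MAX_POOLS 4
#define TOY_MAX_PAGES 8

/* Hypothetical flag layout: pool properties in the low byte, one flag bit
 * per plausible page size (instead of a size field merged into the flags).
 * All other bits are reserved and must be zero. */
#define TOY_POOL_PERSIST (1u << 0)
#define TOY_POOL_SHARED  (1u << 1)
#define TOY_PAGESZ_4K    (1u << 8)
#define TOY_PAGESZ_8K    (1u << 9)
#define TOY_PAGESZ_MASK  (TOY_PAGESZ_4K | TOY_PAGESZ_8K)
/* This toy implementation only knows 4K pages. */
#define TOY_SUPPORTED    (TOY_POOL_PERSIST | TOY_POOL_SHARED | TOY_PAGESZ_4K)

struct toy_uuid { uint8_t b[16]; };

struct toy_page {
    bool used;
    uint64_t oid;                 /* 64-bit object id */
    uint32_t index;               /* 32-bit page index within the object */
    uint8_t data[TOY_PAGE_SIZE];
};

struct toy_pool {
    bool used;
    uint32_t flags;
    struct toy_uuid uuid;         /* the 128-bit shared secret (shared pools only) */
    struct toy_page pages[TOY_MAX_PAGES];
};

static struct toy_pool pools[TOY_MAX_POOLS];

/* Feature query: the complement of "ask for flags, succeed or fail". */
uint32_t toy_supported_features(void) { return TOY_SUPPORTED; }

/* Create a pool, or join an existing shared pool with the same uuid.
 * Returns a pool id >= 0, or -1 if any requested flag is unsupported or
 * the request does not name exactly one page size. */
int toy_new_pool(const struct toy_uuid *uuid, uint32_t flags)
{
    uint32_t pagesz = flags & TOY_PAGESZ_MASK;
    int i;

    if (flags & ~TOY_SUPPORTED)                  /* unknown/unsupported feature */
        return -1;
    if (pagesz == 0 || (pagesz & (pagesz - 1)))  /* exactly one size bit */
        return -1;

    if (flags & TOY_POOL_SHARED) {
        /* Anyone presenting the same 128 bits joins the same pool: the uuid
         * is the only thing between a third party and the pool's contents. */
        for (i = 0; i < TOY_MAX_POOLS; i++)
            if (pools[i].used && (pools[i].flags & TOY_POOL_SHARED) &&
                memcmp(&pools[i].uuid, uuid, sizeof *uuid) == 0)
                return i;
    }
    for (i = 0; i < TOY_MAX_POOLS; i++) {
        if (!pools[i].used) {
            memset(&pools[i], 0, sizeof pools[i]);
            pools[i].used = true;
            pools[i].flags = flags;
            if (flags & TOY_POOL_SHARED)
                pools[i].uuid = *uuid;       /* private pools ignore the uuid */
            return i;
        }
    }
    return -1;                                /* no free pool slot */
}

static struct toy_page *toy_lookup(int pool, uint64_t oid, uint32_t index)
{
    int i;
    if (pool < 0 || pool >= TOY_MAX_POOLS || !pools[pool].used)
        return NULL;
    for (i = 0; i < TOY_MAX_PAGES; i++) {
        struct toy_page *p = &pools[pool].pages[i];
        if (p->used && p->oid == oid && p->index == index)
            return p;
    }
    return NULL;
}

/* Store a page under (oid, index). A full pool refuses the put (-1). */
int toy_put_page(int pool, uint64_t oid, uint32_t index, const uint8_t *data)
{
    struct toy_page *p = toy_lookup(pool, oid, index);
    int i;
    if (!p) {
        if (pool < 0 || pool >= TOY_MAX_POOLS || !pools[pool].used)
            return -1;
        for (i = 0; i < TOY_MAX_PAGES && !p; i++)
            if (!pools[pool].pages[i].used)
                p = &pools[pool].pages[i];
        if (!p)
            return -1;
        p->used = true;
        p->oid = oid;
        p->index = index;
    }
    memcpy(p->data, data, TOY_PAGE_SIZE);
    return 0;
}

/* Only a caller holding the right pool (uuid), oid AND index gets data back. */
int toy_get_page(int pool, uint64_t oid, uint32_t index, uint8_t *out)
{
    struct toy_page *p = toy_lookup(pool, oid, index);
    if (!p)
        return -1;
    memcpy(out, p->data, TOY_PAGE_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed sample: two nodes agree on a uuid, a third guest does not. */
    struct toy_uuid shared = {{0xde, 0xad, 0xbe, 0xef}};
    struct toy_uuid other  = {{0}};
    static uint8_t page[TOY_PAGE_SIZE], out[TOY_PAGE_SIZE];
    int a = toy_new_pool(&shared, TOY_POOL_SHARED | TOY_PAGESZ_4K);
    int b = toy_new_pool(&shared, TOY_POOL_SHARED | TOY_PAGESZ_4K); /* joins a */
    int c = toy_new_pool(&other,  TOY_POOL_SHARED | TOY_PAGESZ_4K); /* new pool */

    memset(page, 0x42, sizeof page);
    toy_put_page(a, 7, 0, page);
    printf("same uuid sees the page:  %s\n", toy_get_page(b, 7, 0, out) == 0 ? "yes" : "no");
    printf("other uuid sees the page: %s\n", toy_get_page(c, 7, 0, out) == 0 ? "yes" : "no");
    printf("8K pool request accepted: %s\n",
           toy_new_pool(&other, TOY_POOL_SHARED | TOY_PAGESZ_8K) >= 0 ? "yes" : "no");
    return 0;
}
```

The model makes Dan's "192 bits" arithmetic concrete: toy_get_page fails on a wrong pool, a wrong oid or a wrong index alike, and only the uuid is secret in any sense, since object ids and small page indices are easy to guess. It also shows why the reserved bits matter for the feature-flag scheme: a caller setting a bit this implementation does not know is refused at pool creation instead of silently getting different semantics.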

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel