Re: [Xen-devel] Enabling #VE for a domain from dom0
On 24/02/2017 23:02, Tamas K Lengyel wrote:
> On Fri, Feb 24, 2017 at 8:10 AM, Andrew Cooper
> <andrew.cooper3@xxxxxxxxxx> wrote:
>> On 24/02/17 14:42, Vlad-Ioan TOPAN wrote:
>>>> #VE, by design, raises an exception in non-root context, without
>>>> breaking out to the hypervisor.
>>>>
>>>> The vcpu in question needs to set up a suitable #VE handler, so it is
>>>> not safe for an external entity to choose when a vcpu should start
>>>> receiving #VE's.
>>> The problem is that from a security solution standpoint, it isn't
>>> feasible in a Windows guest to use libxc to enable #VE. As it is
>>> implemented, libxc is required to allow sharing a structure between the
>>> guest and the host; the structure only contains the gfn of the #VE page
>>> and the domain id/vcpu id, which are useless since it can only be
>>> enabled on the current VCPU. Would a patch providing a simpler VMCALL
>>> (without sharing structures, only passing the gfn) to enable #VE be
>>> acceptable?
>> /sigh
>>
>> The underlying hypercall is HVMOP_altp2m, which is supposed to have a
>> stable ABI, as it is guest visible.
>>
>> However, it has a HVMOP_ALTP2M_INTERFACE_VERSION wedged in there, which
>> is unacceptable, and broken, as it cannot be used correctly from within
>> a guest.
>>
>> The only option we have is to freeze HVMOP_ALTP2M_INTERFACE_VERSION at
>> its current value and force it to never change. I am sorry for not
>> having picked up on this point during review of the series several
>> releases ago.
> I'm just curious, why is it broken exactly?

All ABI exposed to domUs must be stable (extendibility in a backwards
compatible way is of course fine).

The conditions that would necessitate changing the interface version
will guarantee to break a running in-guest agent of a VM which has
migrated in from a different version of Xen.

On a lesser point, all the in-guest agent could do with the interface
version is work out whether Xen was compiled with the same version or
not. If not, all it can do is bail out, and "please recompile your
in-guest agent against a different version of the hypervisor" isn't ok.

Stable ABIs are not hard.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel