[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] PV drivers and zero copying



On 07/31/2017 12:31 PM, Andrew Cooper wrote:
On 31/07/17 10:03, Paul Durrant wrote:
-----Original Message-----
[snip]
Comparison for display use-case
===============================

1 Number of grant references used
1-1 grant references: nr_pages
1-2 GNTTABOP_transfer: nr_pages
1-3 XENMEM_exchange: not an option

2 Effect of DomU crash on Dom0 (its mapped pages)
2-1 grant references: pages can be unmapped by Dom0, Dom0 is fully
recovered
2-2 GNTTABOP_transfer: pages will be returned to the Hypervisor, lost
for Dom0
2-3 XENMEM_exchange: not an option

3 Security issues from sharing Dom0 pages to DomU
1-1 grant references: none
1-2 GNTTABOP_transfer: none
1-3 XENMEM_exchange: not an option

At the moment approach 1 with granted references seems to be a winner for
sharing buffers both ways, e.g. Dom0 -> DomU and DomU -> Dom0.

Conclusion
==========

I would like to get some feedback from the community on which approach
is more
suitable for sharing large buffers and to have a clear vision on cons
and pros
of each one: please feel free to add other metrics I missed and correct
the ones
I commented on.  I would appreciate help on comparing approaches 2 and 3
as I
have little knowledge of these APIs (2 seems to be addressed by
Christopher, and
3 seems to be relevant to what Konrad/Stefano do WRT SWIOTLB).

Hi,

   I once implemented a scheme where network frontends used memory granted from 
backends and this hit quite a few problems:

- If domU is allowed to grant map memory from dom0, there is not currently a 
way to forcibly take it back (so I don't think you're quite correct in 2-1 
above... but I may have missed something). Hence the domU can hold dom0's 
memory to ransom. (In the network case this was avoided by using grant table v2 
'copy-only' grants).
- If you end up having to grant buffers which do not originate in dom0 (i.e. they were 
grant mapped from another domU) then this creates similar problems with one domU 
holding another domU's memory to ransom, even when using copy-only grants. I 
don’t think this would be an issue in your use-case.
- Currently the default grant table size is 32 pages and it may not take that 
many guests using a protocol where dom0 grants memory to domU to exhaust dom0's 
grant table (depending on how many grants-per-domU the protocol allows). If 
you're intending to grant large buffers then you may need quite a few grants 
(since they are per-4k-chunk) to do this, so you might run into this limit.
To follow up on what Paul said, google for XenServer Receive Side Copy.
I will, thank you
The issue is that it looks very attractive (from an offloading things
out of dom0 perspective), and does work at small scale, but the failure
cases are far more tricky than we imagined, and you run dom0 out of
grants very quickly, which puts a hard upper bound on scalability.  It
is high on the list of "worst mistakes we put into production".

It is not safe at all for dom0 to grant frames to domU without dom0
having a mechanism to revoke the grant.
Other than that, are there any other concerns, e.g. from
security POV?
  (There was work looking into
this in the past, but it suffered from a lack of free time.)

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
Thank you,
Oleksandr

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.