[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] IOREQ server on Arm



> -----Original Message-----
> From: Julien Grall [mailto:julien.grall@xxxxxxx]
> Sent: 26 September 2018 12:01
> To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>; Jan Beulich
> <JBeulich@xxxxxxxx>
> Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; Roger Pau Monne
> <roger.pau@xxxxxxxxxx>; Stefano Stabellini <sstabellini@xxxxxxxxxx>; xen-
> devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> Subject: Re: IOREQ server on Arm
> 
> Hi Paul,
> 
> On 09/26/2018 11:51 AM, Paul Durrant wrote:
> >> -----Original Message-----
> >> From: Julien Grall [mailto:julien.grall@xxxxxxx]
> >> Sent: 26 September 2018 11:41
> >> To: Jan Beulich <JBeulich@xxxxxxxx>; Paul Durrant
> >> <Paul.Durrant@xxxxxxxxxx>
> >> Cc: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>; Roger Pau Monne
> >> <roger.pau@xxxxxxxxxx>; Stefano Stabellini <sstabellini@xxxxxxxxxx>;
> xen-
> >> devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
> >> Subject: Re: IOREQ server on Arm
> >>
> >> Hi Jan,
> >>
> >> On 09/26/2018 09:08 AM, Jan Beulich wrote:_
> >>>>>> On 26.09.18 at 00:39, <julien.grall@xxxxxxx> wrote:
> >>>> Hi Paul,
> >>>>
> >>>> I am looking at porting the IOREQ server infrastructure on Arm. I
> >> didn't
> >>>> need much modification to make it run for Arm. Although, the
> >>>> implementation could be simplified over the x86 implementation.
> >>>>
> >>>> I noticed some issue while trying to implement the hypercall
> >>>> XENMEM_acquire_resource. Per my understanding, all the page mapped
> via
> >>>> that hypercall will use the type p2m_mapping_foreign.
> >>>>
> >>>> This will result to trigger the ASSERT(fdom != dom) in
> >> get_page_from_gfn
> >>>> (asm-arm/p2m.h) because the IOREQ page has been allocated to the
> >>>> emulator domain and mapped to it. AFAICT x86 has the same assert in
> >>>> p2m_get_page_from_gfn(...).
> >>>>
> >>>> IHMO, the ASSERT makes sense because you are only meant to map page
> >>>> belonging to other domain with that type.
> >>>>
> >>>> So I am wondering whether IOREQ server running in PVH Dom0 has been
> >>>> tested? What would be the best course of action to fix the issue?
> >>>
> >>> I think the p2m type needs to be chosen based on
> >>> XENMEM_rsrc_acq_caller_owned.
> >>
> >> I am thinking to introduce p2m_mapping_owned. Or do we have a p2m_type
> >> that we could re-use?
> >>
> >
> > I think we should be able to just use p2m_ram_rw if it is caller owned.
> 
> I thought about p2m_ram_rw but discarded because of the security
> implications. At least on Arm, this type can be used for foreign
> mapping, guest_copy helpers. This is not the case for p2m_mapping_foreign.
> 

Not sure. The emulator has to have privilege over the target, so any domain 
having privilege over the emulator would have privilege over the target, 
wouldn't it? So I don't think there is any security issue.

> Do we want to allow thoses resources to be used in hypercall buffer
> and/or mapped by other guest via the foreign API? If not, then we want
> to use a different type.
> 

I can't think of a use-case where we would want that, but I'm not sure there is 
any particular problem allowing it. Same goes for the IOMMU mappings that I 
mentioned to Jan though... not really desirable but not necessarily a problem 
(for existing resource types). A new p2m type may well be a better option.

  Paul

> Cheers,
> 
> --
> Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.