Xen project Mailing List

[Xen-devel] [PATCH v2] mm/page_alloc: make bootscrub happen in idle-loop

From: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>

Date: Tue, 9 Oct 2018 16:21:19 +0100

Cc: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>

Delivery-date: Tue, 09 Oct 2018 15:21:30 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Scrubbing RAM during boot may take a long time on machines with lots of RAM. Add 'idle' option to bootscrub which marks all pages dirty initially so they will eventually be scrubbed in idle-loop on every online CPU. It's guaranteed that the allocator will return scrubbed pages by doing eager scrubbing during allocation (unless MEMF_no_scrub was provided). Use the new 'idle' option as the default one. Signed-off-by: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx> --- v1 --> v2: - dropped comment about performance - changed default to 'idle' - changed type of opt_bootscrub to enum - restored __initdata for opt_bootscrub - call parse_bool() first during parsing - using switch() in heap_init_late() Note: The message "Scrubbing Free RAM on %d nodes" corresponds to the similar one in scrub_heap_pages() CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CC: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx> CC: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> CC: Jan Beulich <jbeulich@xxxxxxxx> CC: Julien Grall <julien.grall@xxxxxxx> CC: Wei Liu <wei.liu2@xxxxxxxxxx> --- docs/misc/xen-command-line.markdown | 9 ++++- xen/common/page_alloc.c | 62 +++++++++++++++++++++++++++-- 2 files changed, 65 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.markdown b/docs/misc/xen-command-line.markdown index 1ffd586224..9c15d52bf7 100644 --- a/docs/misc/xen-command-line.markdown +++ b/docs/misc/xen-command-line.markdown @@ -227,14 +227,19 @@ that byte `0x12345678` is bad, you would place `badpage=0x12345` on Xen's command line. ### bootscrub -> `= <boolean>` +> `= idle | <boolean>` -> Default: `true` +> Default: `idle` Scrub free RAM during boot. This is a safety feature to prevent accidentally leaking sensitive VM data into other VMs if Xen crashes and reboots. +In `idle` mode, RAM is scrubbed in background on all CPUs during idle-loop +with a guarantee that memory allocations always provide scrubbed pages. +This option reduces boot time on machines with a large amount of RAM while +still providing security benefits. + ### bootscrub\_chunk > `= <size>` diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 16e1b0c357..7df5d5c545 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -161,8 +161,42 @@ string_param("badpage", opt_badpage); /* * no-bootscrub -> Free pages are not zeroed during boot. */ -static bool_t opt_bootscrub __initdata = 1; -boolean_param("bootscrub", opt_bootscrub); +enum bootscrub_mode { + BOOTSCRUB_OFF = 0, + BOOTSCRUB_ON, + BOOTSCRUB_IDLE, +}; +static enum bootscrub_mode __initdata opt_bootscrub = BOOTSCRUB_IDLE; +static int __init parse_bootscrub_param(const char *s) +{ + /* Interpret 'bootscrub' alone in its positive boolean form */ + if ( *s == '\0' ) + { + opt_bootscrub = BOOTSCRUB_ON; + return 0; + } + + switch ( parse_bool(s, NULL) ) + { + case 0: + opt_bootscrub = BOOTSCRUB_OFF; + break; + + case 1: + opt_bootscrub = BOOTSCRUB_ON; + break; + + default: + if ( !strcmp(s, "idle") ) + opt_bootscrub = BOOTSCRUB_IDLE; + else + return -EINVAL; + break; + } + + return 0; +} +custom_param("bootscrub", parse_bootscrub_param); /* * bootscrub_chunk -> Amount of bytes to scrub lockstep on non-SMT CPUs @@ -1726,6 +1760,7 @@ static void init_heap_pages( struct page_info *pg, unsigned long nr_pages) { unsigned long i; + bool idle_scrub = false; /* * Some pages may not go through the boot allocator (e.g reserved @@ -1737,6 +1772,9 @@ static void init_heap_pages( first_valid_mfn = mfn_min(page_to_mfn(pg), first_valid_mfn); spin_unlock(&heap_lock); + if ( system_state < SYS_STATE_active && opt_bootscrub == BOOTSCRUB_IDLE ) + idle_scrub = true; + for ( i = 0; i < nr_pages; i++ ) { unsigned int nid = phys_to_nid(page_to_maddr(pg+i)); @@ -1763,7 +1801,7 @@ static void init_heap_pages( nr_pages -= n; } - free_heap_pages(pg + i, 0, scrub_debug); + free_heap_pages(pg + i, 0, scrub_debug || idle_scrub); } } @@ -2039,8 +2077,24 @@ void __init heap_init_late(void) */ setup_low_mem_virq(); - if ( opt_bootscrub ) + switch ( opt_bootscrub ) + { + default: + ASSERT_UNREACHABLE(); + /* Fall through */ + + case BOOTSCRUB_IDLE: + printk("Scrubbing Free RAM on %d nodes in background\n", + num_online_nodes()); + break; + + case BOOTSCRUB_ON: scrub_heap_pages(); + break; + + case BOOTSCRUB_OFF: + break; + } } -- 2.17.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.