[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 3/5] xen/domain: Stricter configuration checking

>>> On 12.11.18 at 17:16, <andrew.cooper3@xxxxxxxxxx> wrote:
> Currently, a number of options passed for domain creation are ignored, or have
> implicit fallback behaviour.  This is bad for forwards compatibility, and for
> end users to be certain that they got the configuration they asked for.
> 
> With this change:
>  * ARM now strictly requires that XEN_DOMCTL_CDF_hap is passed.  Previously,
>    only XEN_DOMCTL_CDF_hvm_guest was checked.
>  * For x86, requesting HAP without HVM is now prohibited, as the combination
>    makes no sense.
>  * For x86, requesting HAP on a non-HAP capable system will fail, rather than
>    silently fall back to Shadow.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Wei Liu <wei.liu2@xxxxxxxxxx>
> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> CC: Julien Grall <julien.grall@xxxxxxx>
> CC: Ian Jackson <Ian.Jackson@xxxxxxxxxx>
> CC: Wei Liu <wei.liu2@xxxxxxxxxx>
> 
> Semi RFC because this may cause a user-visible change in behaviour.  However,
> if the user has gone to the effort of specifying hap=1, silently falling back
> to shadow is unexpected, and IMO, a bug.

My view on this to a fair part depends on whether the tool stack
would guard us from actually getting into such a situation in the
hypervisor. Getting an unspecific -EINVAL back without further
help towards diagnosis by the tool stack would make such a
change undesirable imo. This also extends to other checks you
appear to tighten - for example I wouldn't want to see a PV
guest config with "hap=1" in it to no longer work if currently it
happens to work, at least not without a clear hint towards the
issue.

> --- a/xen/arch/x86/domain.c
> +++ b/xen/arch/x86/domain.c
> @@ -420,6 +420,46 @@ void arch_vcpu_destroy(struct vcpu *v)
>  
>  int arch_sanitise_domain_config(struct xen_domctl_createdomain *config)
>  {
> +    bool hvm;
> +
> +    if ( !IS_ENABLED(CONFIG_PV) && !(config->flags & 
> XEN_DOMCTL_CDF_hvm_guest) )
> +    {
> +        dprintk(XENLOG_INFO, "PV support not available\n");
> +        return -EINVAL;
> +    }
> +
> +    if ( !hvm_enabled && (config->flags & XEN_DOMCTL_CDF_hvm_guest) )
> +    {
> +        dprintk(XENLOG_INFO, "HVM support not available\n");
> +        return -EINVAL;
> +    }
> +
> +    hvm = config->flags & XEN_DOMCTL_CDF_hvm_guest;

Would you mind making this the initializer of the variable and using
the variable in the two if()-s above? Personally I also think the two
if()-s would better be folded, using a conditional expression as its
condition.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.