[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
From: Julien Grall <julien.grall@xxxxxxx>
Date: Wed, 27 Feb 2019 21:02:47 +0000
Cc: Stefano Stabellini <stefanos@xxxxxxxxxx>, JBeulich@xxxxxxxx, andrew.cooper3@xxxxxxxxxx
Delivery-date: Wed, 27 Feb 2019 21:03:13 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Stefano,

On 2/26/19 11:07 PM, Stefano Stabellini wrote:

  struct xen_domctl_memory_mapping {
      uint64_aligned_t first_gfn; /* first page (hvm guest phys page) in range 
*/
      uint64_aligned_t first_mfn; /* first page (machine page) in range */
      uint64_aligned_t nr_mfns;   /* number of pages in range (>0) */
      uint32_t add_mapping;       /* add or remove mapping */
-    uint32_t padding;           /* padding for 64-bit aligned structure */
+    uint32_t cache_policy;      /* cacheability of the memory mapping */

Looking at this and the way you use it, the naming "cache" is quiteconfusing. On Arm, they are memory types (see B2.7 "Memory types andattributes" in DDI 0487D.a) and then you may have attribute suchcachability attribute (write-through, write-back...) on top. Thecacheability is also not applicable for "device memory".


"device memory" have other attributes related to gathering, re-ordering...

So a better naming would probably be "memory_policy".

Furthermore, those policies are only for configuring stage-2. Theresulting memory type and attributes will be whatever is the strongestbetween stage-2 and stage-1 attributes. You can see the stage-2attributes as a way to give more or less freedom to the guest forconfigure the attributes.

For instance, by using p2m_mmio_direct_dev, the resulting attributeswill always be Device-nGnRnE whatever how stage-1 has been configured.

In the case of p2m_mmio_direct_c (similar to p2m_ram_rw). The guest willbe free to chose whatever pretty much any attributes (even Device-nGnRnE).

You might wonder why we didn't give more freedom to the guest from thestart. One of the reason is it is quite unclear what are the consequenceif you give that freedom to the guest. Whether there might be issueswith the device when the attributes are not correct.

Furthermore, there are more handling required in the hypervisor as ifthe memory can be cached, you will need to clear the cache in order toprevent leakage to another domain if the mappings get reassigned.

For completeness, I should mention the feature S2FWB present in ARMv8.4and onwards. From my understanding, this could be used to forceresulting memory type. I am not suggesting to implement it now, but weshould keep it in my mind while writing the interface exposed in libxl.

To summarize, if we go ahead, we should try to make the documentationmore clearer on what each policy means and the implications on theguest. I think we should also mark this a not security supported becauseit the unknown interactions with devices.


Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] [PATCH 0/6] iomem cacheability
  - From: Stefano Stabellini
- [Xen-devel] [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability
  - From: Stefano Stabellini

Prev by Date: [Xen-devel] [libvirt test] 133428: regressions - trouble: blocked/broken/fail/pass
Next by Date: [Xen-devel] [xen-unstable test] 133418: regressions - trouble: blocked/broken/fail/pass
Previous by thread: Re: [Xen-devel] [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability
Next by thread: [Xen-devel] [PATCH 2/6] libxc: xc_domain_memory_mapping, handle cacheability
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.