
Re: [Xen-devel] [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability



Hi Stefano,

On 2/26/19 11:07 PM, Stefano Stabellini wrote:
  struct xen_domctl_memory_mapping {
      uint64_aligned_t first_gfn; /* first page (hvm guest phys page) in range 
*/
      uint64_aligned_t first_mfn; /* first page (machine page) in range */
      uint64_aligned_t nr_mfns;   /* number of pages in range (>0) */
      uint32_t add_mapping;       /* add or remove mapping */
-    uint32_t padding;           /* padding for 64-bit aligned structure */
+    uint32_t cache_policy;      /* cacheability of the memory mapping */
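
Review bot: The `cache_policy` line reuses the word that was `padding`, so a caller built against the old layout that left that word unset would now pass an arbitrary policy, and the new comment does not say which values are valid or what 0 means. Suggest documenting the accepted values next to the field, defining 0 as the existing default mapping type, and rejecting any other unknown value with an error in the handler. Since the meaning of the structure changes, also check that the series bumps XEN_DOMCTL_INTERFACE_VERSION, which this hunk does not show.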

Looking at this and the way you use it, the naming "cache" is quite confusing. On Arm, they are memory types (see B2.7 "Memory types and attributes" in DDI 0487D.a) and then you may have attributes such as cacheability attributes (write-through, write-back...) on top. The cacheability is also not applicable for "device memory".

"device memory" has other attributes related to gathering, re-ordering...

So a better naming would probably be "memory_policy".

Furthermore, those policies are only for configuring stage-2. The resulting memory type and attributes will be whatever is the strongest between stage-2 and stage-1 attributes. You can see the stage-2 attributes as a way to give more or less freedom to the guest to configure the attributes.

For instance, by using p2m_mmio_direct_dev, the resulting attributes will always be Device-nGnRnE regardless of how stage-1 has been configured.

In the case of p2m_mmio_direct_c (similar to p2m_ram_rw), the guest will be free to choose pretty much any attributes (even Device-nGnRnE).

You might wonder why we didn't give more freedom to the guest from the start. One of the reasons is that it is quite unclear what the consequences are if you give that freedom to the guest, and whether there might be issues with the device when the attributes are not correct.

Furthermore, there is more handling required in the hypervisor as, if the memory can be cached, you will need to clear the cache in order to prevent leakage to another domain if the mappings get reassigned.

For completeness, I should mention the feature S2FWB present in ARMv8.4 and onwards. From my understanding, this could be used to force the resulting memory type. I am not suggesting to implement it now, but we should keep it in mind while writing the interface exposed in libxl.

To summarize, if we go ahead, we should try to make the documentation clearer on what each policy means and the implications on the guest. I think we should also mark this as not security supported because of the unknown interactions with devices.

Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
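
The "strongest of stage-1 and stage-2" rule described in the message above, worked through as an added example that is not part of the original e-mail or of Xen's code. It covers only the case without S2FWB and shows which stage-2 choices let a guest obtain a cacheable mapping, which is when the cache handling on reassignment matters. The enum and function names are hypothetical, and treating p2m_mmio_direct_c as Normal write-back at stage-2 is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Memory types ordered strongest (most restrictive) first. Simplification:
 * inner and outer cacheability of Normal memory are treated as one value. */
enum memtype {
    DEV_nGnRnE, DEV_nGnRE, DEV_nGRE, DEV_GRE,  /* Device memory */
    NORMAL_NC, NORMAL_WT, NORMAL_WB,           /* Normal memory */
    MEMTYPE_COUNT
};

static const char *const memtype_name[MEMTYPE_COUNT] = {
    "Device-nGnRnE", "Device-nGnRE", "Device-nGRE", "Device-GRE",
    "Normal-NC", "Normal-WT", "Normal-WB"
};

/* Without S2FWB the effective type is the stronger of the guest's stage-1
 * choice and the hypervisor's stage-2 choice. */
enum memtype combine(enum memtype s1, enum memtype s2)
{
    return s1 < s2 ? s1 : s2;
}

/* Weakest type a guest can reach under stage-2 type s2, found by trying
 * every stage-1 setting the guest could program. */
enum memtype weakest_reachable(enum memtype s2)
{
    enum memtype weakest = DEV_nGnRnE;
    for (int s1 = 0; s1 < MEMTYPE_COUNT; s1++) {
        enum memtype r = combine((enum memtype)s1, s2);
        if (r > weakest)
            weakest = r;
    }
    return weakest;
}

/* True when some guest setting makes the range cacheable, i.e. the
 * hypervisor has to deal with cached data before reassigning the pages. */
bool guest_can_cache(enum memtype s2)
{
    enum memtype r = weakest_reachable(s2);
    return r == NORMAL_WT || r == NORMAL_WB;
}

int main(void)
{
    for (int s2 = 0; s2 < MEMTYPE_COUNT; s2++)
        printf("stage-2 %-13s -> guest can reach up to %-13s cacheable=%d\n",
               memtype_name[s2], memtype_name[weakest_reachable(s2)],
               guest_can_cache((enum memtype)s2));
    return 0;
}
```

With stage-2 set to Device-nGnRnE (the p2m_mmio_direct_dev case from the message) no guest setting changes the result, while a Normal write-back stage-2 entry leaves every type reachable.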
