[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] evtchn/Flask: pre-allocate node on send path



On Wed, Sep 30, 2020 at 2:20 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>
> On 29.09.2020 19:20, Jason Andryuk wrote:
> > On Mon, Sep 28, 2020 at 3:49 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
> >> On 25.09.2020 20:08, Jason Andryuk wrote:
> >>>  Also, a domain label can transition (change) at runtime.
> >>> Dropping the send check would latch the permission at bind time which
> >>> would not necessarily be valid for the security policy.
> >>
> >> I did realize this as a possibility too, but there the immediate
> >> question is: Why for interdomain channels, but then not also for
> >> vIRQ-s, for example? In fact, unless I'm overlooking something,
> >> for this specific case there's not even any check in the binding
> >> logic, not even for global vIRQ-s. (After all there are two
> >> aspects in the permissions here: One is to be eligible to send,
> >> which ought to not matter when the sender is Xen, while the
> >> other is permission to learn / know of certain events, i.e. in
> >> particular global vIRQ-s.)
> >
> > I'm not familiar with vIRQ-s, but I did a little bit of review.  A
> > vIRQ source is always Xen and its destination is a domain, correct?
> > They don't allow a data flow between domains,
>
> Yes and yes.
>
> > so maybe that is why they weren't hooked originally?
>
> Not so much, I assume. Looking a little more closely I find that ...
>
> > Hmmm, even for non-XSM, there is no restriction on binding the "dom0"
> > vIRQ-s?
>
> ... while binding is allowed, an event would never be received unless
> the domain was designated as the receiver via
> XEN_DOMCTL_set_virq_handler.

And all of those default to the hardware_domain.  This permission
isn't granted in the default policy, so I was initially confused as to
how it worked.

> >> The fundamental issue here is that the sending path should be
> >> fast and hence lightweight. This means (to me) that in
> >> particular no memory allocations should occur, and (more
> >> generally) no global or domain wide locks should be taken (for
> >> rw ones: no write locks).
> >
> > Yes, that all seems good and reasonable.  With XSM/Flask you also need
> > the AVC entry for send to be lightweight.
> >
> > It wouldn't help with the domain transition case, but you could run
> > the xsm send hooks at bind time to pre-populate the cache.
>
> Question is for how long such an entry would remain in the cache,
> i.e. whether pre-filling is useful at all. After all pre-filling
> has the downside of potentially masking real issues when testing
> (as opposed to running in the wild).

Yes, good point.

> >  That would
> > still require avc code to bypass the memory allocation when holding a
> > lock in case the entry isn't found.  Your preallocation idea could be
> > generalized to have avc maintain a reserve of nodes for use when it
> > cannot allocate.  When it can allocate, it would refill the reserve in
> > addition to whatever regular allocation it would perform.  But if it's
> > only evtchn_send that needs special handling, then the complexity may
> > not be worth adding.
>
> It was this last aspect which made me not introduce a general
> mechanism.

I think we go with this patch since it doesn't restrict the use of XSM
and tries to populate the avc.

Tested-by: Jason Andryuk <jandryuk@xxxxxxxxx>

Thanks,
Jason



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.