[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: XSM and the idle domain
On 26/10/2020 13:37, Jason Andryuk wrote: > On Thu, Oct 22, 2020 at 1:01 PM Hongyan Xia <hx242@xxxxxxx> wrote: >> On Thu, 2020-10-22 at 13:51 +0100, Andrew Cooper wrote: >>> On 21/10/2020 15:34, Hongyan Xia wrote: >>>> The first question came up during ongoing work in LiveUpdate. After >>>> an >>>> LU, the next Xen needs to restore all domains. To do that, some >>>> hypercalls need to be issued from the idle domain context and >>>> apparently XSM does not like it. >>> There is no such thing as issuing hypercalls from the idle domain >>> (context or otherwise), because the idle domain does not have enough >>> associated guest state for anything to make the requisite >>> SYSCALL/INT80/VMCALL/VMMCALL invocation. >>> >>> I presume from this comment that what you mean is that you're calling >>> the plain hypercall functions, context checks and everything, from >>> the >>> idle context? >> Yep, the restore code just calls the hypercall functions from idle >> context. >> >>> If so, this is buggy for more reasons than just XSM objecting to its >>> calling context, and that XSM is merely the first thing to explode. >>> Therefore, I don't think modifications to XSM are applicable to >>> solving >>> the problem. >>> >>> (Of course, this is all speculation because there's no concrete >>> implementation to look at.) >> Another explosion is the inability to create hypercall preemption, >> which for now is disabled when the calling context is the idle domain. >> Apart from XSM and preemption, the LU prototype works fine. We only >> reuse a limited number of hypercall functions and are not trying to be >> able to call all possible hypercalls from idle. > I wonder if for domain_create, it wouldn't be better to move > xsm_domain_create() out to the domctl (hypercall entry) and check it > there. That would side-step xsm in domain_create. Flask would need > to be modified for that. I've an untested patch doing the > rearranging, which I'll send as a follow up. > > What other hypercalls are you having issues with? Those could also be > refactored so the hypercall entry checks permissions, and the actual > work is done in a directly callable function. > >> Having a dedicated domLU just like domB (or reusing domB) sounds like a >> viable option. If the overhead can be made low enough then we won't >> need to work around XSM and hypercall preemption. >> >> Although the question was whether XSM should interact with the idle >> domain. With a good design LU should be able to sidestep this though. > Circling back to the main topic, is the idle domain Xen, or is it > distinct? It "is" Xen, IMO. > It runs in the context of Xen, so Xen isn't really in a > place to enforce policy on itself. Hongyan, as you said earlier, > applying XSM is more of a debugging feature at that point than a > security feature. And as Jan pointed out, you can have problems if > XSM prevents the hypervisor from performing an action it doesn't > expect to fail. We have several system DOMID's which are SELF, IO, XEN, COW, INVALID and IDLE. SELF is a magic constant expected to be used in most hypercalls on oneself, to simplify callers. INVALID is also a magic constant. The others all have struct domain's allocated for them, and are concrete objects as far as Xen is concerned. IO/XEN/COW all exist for the purpose of fitting into the memory/device ownership models, while IDLE exists for the purpose of encapsulating the idle vcpus in the scheduling model. None of them have any kind of outside-Xen state associated with them. "scheduling" an idle vCPU runs the idle loop, but it is all code within the hypervisor. The problem here is that idle context is also used in certain "normal" cases in Xen (startup, shutdown, possibly also for softirq/tasklet context), all of which we (currently) expect not to be making hypercalls from. ~Andrew
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |