[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain

To: "Shamsundara Havanur, Harsha" <havanur@xxxxxxxxxx>, "jbeulich@xxxxxxxx" <jbeulich@xxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Mon, 14 Dec 2020 10:56:45 +0000
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, "Wieczorkiewicz, Pawel" <wipawel@xxxxxxxxx>
Delivery-date: Mon, 14 Dec 2020 10:56:54 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Harsha,

On 14/12/2020 09:26, Shamsundara Havanur, Harsha wrote:

On Mon, 2020-12-14 at 09:52 +0100, Jan Beulich wrote:

CAUTION: This email originated from outside of the organization. Do
not click links or open attachments unless you can confirm the sender
and know the content is safe.



On 11.12.2020 12:44, Harsha Shamsundara Havanur wrote:

A HVM domain flushes cache on all the cpus using
`flush_all` macro which uses cpu_online_map, during
i) creation of a new domain
ii) when device-model op is performed
iii) when domain is destructed.

This triggers IPI on all the cpus, thus affecting other
domains that are pinned to different pcpus. This patch
restricts cache flush to the set of cpus affinitized to
the current domain using `domain->dirty_cpumask`.


But then you need to effect cache flushing when a CPU gets
taken out of domain->dirty_cpumask. I don't think you/we want
to do that.

If we do not restrict, it could lead to DoS attack, where a malicious
guest could keep writing to MTRR registers or do a cache flush through
DM Op and keep sending IPIs to other neighboring guests.

I saw Jan already answered about the alleged DoS, so I will just focuson the resolution.

I agree that in the ideal situation we want to limit the impact on theother vCPUs. However, we also need to make sure the cure is not worsethan the symptoms.

The cache flush cannot be restricted in all the pinning situationbecause pinning doesn't imply the pCPU will be dedicated to a given vCPUor even the vCPU will stick on pCPU (we may allow floating on a NUMAsocket). Although your setup may offer this guarantee.

My knowledge in this area is quite limited. But below a few questionthat hopefully will help to make a decision.

The first question to answer is: can the flush can be restricted in asetup where each vCPUs are running on a decicated pCPU (i.e partionnedsystem)?

If the answer is yes, then we should figure out whether usingdomain->dirty_cpumask would always be correct? For instance, a vCPU maynot have yet run, so can we consider the associated pCPU cache would beconsistent?

Another line of question is what can we do on system supportingself-snooping? IOW, would it be possible to restrict the flush for allthe setup?


Cheers,

--
Julien Grall

Follow-Ups:
- Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
  - From: Andrew Cooper

References:
- [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
  - From: Harsha Shamsundara Havanur
- Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
  - From: Jan Beulich
- Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
  - From: Shamsundara Havanur, Harsha

Prev by Date: Re: [PATCH v4 1/3] xen/arm: add support for run_in_exception_handler()
Next by Date: Re: [PATCH v4 30/32] qdev: Rename qdev_get_prop_ptr() to object_field_prop_ptr()
Previous by thread: Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
Next by thread: Re: [XEN PATCH v1 1/1] Invalidate cache for cpus affinitized to the domain
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.