Re: [PATCH] VMX: use a single, global APIC access page
On 11.02.2021 12:16, Roger Pau Monné wrote:
> On Thu, Feb 11, 2021 at 11:36:59AM +0100, Jan Beulich wrote:
>> On 11.02.2021 09:45, Roger Pau Monné wrote:
>>> On Wed, Feb 10, 2021 at 05:48:26PM +0100, Jan Beulich wrote:
>>>> --- a/xen/include/asm-x86/p2m.h
>>>> +++ b/xen/include/asm-x86/p2m.h
>>>> @@ -935,6 +935,9 @@ static inline unsigned int p2m_get_iommu
>>>> flags = IOMMUF_readable;
>>>> if ( !rangeset_contains_singleton(mmio_ro_ranges, mfn_x(mfn)) )
>>>> flags |= IOMMUF_writable;
>>>> + /* VMX'es APIC access page is global and hence has no owner. */
>>>> + if ( mfn_valid(mfn) && !page_get_owner(mfn_to_page(mfn)) )
>>>> + flags = 0;
>>>
>>> Is it fine to have this page accessible to devices if the page tables
>>> are shared between the CPU and the IOMMU?
>>
>> No, it's not, but what do you do? As said elsewhere, devices
>> gaining more access than is helpful is the price we pay for
>> being able to share page tables. But ...
>
> I'm concerned about allowing devices to write to this shared page, as
> could be used as an unintended way to exchange information between
> domains?

Well, such an abuse would be possible, but it wouldn't be part
of an ABI and hence could break at any time. Similarly I
wouldn't consider it an information leak if a guest abused
this.

>>> Is it possible for devices to write to it?
>>
>> ... thinking about it - they would be able to access it only
>> when interrupt remapping is off. Otherwise the entire range
>> 0xFEExxxxx gets treated differently altogether by the IOMMU,
>
> Now that I think of it, the range 0xFEExxxxx must always be special
> handled for device accesses, regardless of whether interrupt remapping
> is enabled or not, or else they won't be capable of delivering MSI
> messages?

I don't think I know how exactly chipsets handle MSI in this
case, but yes, presumably these accesses need to be routed a
different path even in that case.

> So I assume that whatever gets mapped in the IOMMU pages tables at
> 0xFEExxxxx simply gets ignored?

This would be the implication, aiui.

> Or else mapping the lapic access page when using shared page tables
> would have prevented CPU#0 from receiving MSI messages.

I guess I don't understand this part. In particular I see
nothing CPU#0 specific here.

Jan
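
Review bot: The condition in the added lines of the p2m.h hunk, `mfn_valid(mfn) && !page_get_owner(mfn_to_page(mfn))`, clears the IOMMU flags for every valid MFN whose page has no owner, while the comment above it names only VMX's APIC access page. Either test for that page specifically, or widen the comment to say that all ownerless pages are meant to end up with `flags = 0`, so a later reader does not take the check for a precise match. The comment could also say that this only withholds the mapping where the IOMMU has its own page tables; as the replies note, with page tables shared between the CPU and the IOMMU these flags do not keep devices from reaching the page.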