[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH] xen/memory: Introduce a hypercall to provide unallocated space

On 05.08.21 01:00, Julien Grall wrote:

On 04/08/2021 21:56, Oleksandr wrote:

Hi Julien, Stefano.

Hi Oleksandr,

Hi, Julien

Thank you for the prompt reply and explanations.

On 02.08.21 22:12, Oleksandr wrote:
I have done some experiments with Xen and toolstack according to the discussion above. So, I re-used DTB to pass a safe range to the domain. For the range I borrowed some space from the second RAM bank.

-#define GUEST_RAM1_BASE   xen_mk_ullong(0x0200000000) /* 1016GB of RAM @ 8GB */
-#define GUEST_RAM1_SIZE   xen_mk_ullong(0xfe00000000)
+#define GUEST_RAM1_BASE   xen_mk_ullong(0x0200000000) /* 888GB of RAM @ 8GB */
+#define GUEST_RAM1_SIZE   xen_mk_ullong(0xDE00000000)

I am a bit split with reducing the amount of RAM. On one hand large guest is not unheard on the server side (at least in the x86 world). On the other hand, I am not aware of anyone using Xen on Arm in such setup.

So technically this will be a regression, but it may be OK.

I got it.

Regarding the range, this will be a problem as Xen configure the number of the IPA bits based on the PA bits. The lowest possible address space ize on 64-bit is 4GB.

From my understanding, this is because the number of IPA bits supported is contrained by the PA bits. So the position and the size of the region
would need to depend on the P2M configuration.

Indeed, I missed these bits that IPA bits on Arm64 might be < 40 bit, I remember, we select p2m_ipa_bits in setup_virt_paging() depending on pabits, moreover the p2m_ipa_bits might be even restricted by some external entity (IOMMU, if P2M is shared).

For simplicity, this could be the last few X bytes of the supported address space.
ok, agree. To summarize, so it sounds like we can't use the fixed safe range as in my example, it must be variable. Well, I hope, we will be able to achieve this without reducing the total amount of domain RAM in front (GUEST_RAM1_SIZE). After all, we know the IPA size and the domain RAM in advance, so we certainly can choose the start and size of the range. In case, we won't be able to find a suitable large chunk (for example, when IPA bits = 32, and domain has a lot of RAM assigned and as the result - almost all address space below 4GB is in use), we won't expose a safe range to a domain at all, and domain will just fall back to use real pages instead (actually, how it currently behaves on Arm).

A side note: we would likely need the toolstack (that generates device-tree for guests) to query IPA size, or similar.

For 32-bit domain, we also need to make sure the address is usable for domain short page tables (not too long ago Debian was shipping the kernel with them rather than LPAE). I haven't yet checked what's the limit here.

Hmm, I didn't take this use-case into the account. So, I assume we need the safe range to be located below 4GB if is_32bit_domain() returns true.

+#define GUEST_SAFE_RANGE_BASE xen_mk_ullong(0xDE00000000) /* 128GB */
+#define GUEST_SAFE_RANGE_SIZE   xen_mk_ullong(0x0200000000)

While the possible new DT bindings has not been agreed yet, I re-used existing "reg" property under the hypervisor node to pass safe range as a second region, https://elixir.bootlin.com/linux/v5.14-rc4/source/Documentation/devicetree/bindings/arm/xen.txt#L10:

So a single region works for a guest today, but for dom0 we will need multiple regions because it is may be difficult to find enough contiguous space for a single region.

That said, as dom0 is mapped 1:1 (including some guest mapping), there is also the question where to allocate the safe region. For grant table, we so far re-use the Xen address space because it is assumed it will space will always be bigger than the grant table.

Oh, I see. Indeed, it is unclear at the moment. Agree, the possibility to provide multiple ranges should be envisaged.

I am not sure yet where we could allocate the safe regions. Stefano, do you have any ideas?

--- a/tools/libs/light/libxl_arm.c
+++ b/tools/libs/light/libxl_arm.c
@@ -735,9 +735,11 @@ static int make_hypervisor_node(libxl__gc *gc, void *fdt,
      if (res) return res;

-    /* reg 0 is grant table space */milat
+    /* reg 0 is grant table space, reg 1 is safe range */
      res = fdt_property_regs(gc, fdt, GUEST_ROOT_ADDRESS_CELLS, GUEST_ROOT_SIZE_CELLS,
-                            1,GUEST_GNTTAB_BASE, GUEST_GNTTAB_SIZE);
+                            2,
+                            GUEST_GNTTAB_BASE, GUEST_GNTTAB_SIZE,
+                            GUEST_SAFE_RANGE_BASE, GUEST_SAFE_RANGE_SIZE);
      if (res) return res;


/* Resulting hypervisor node */

  hypervisor {
                 interrupts = <0x01 0x0f 0xf08>;
                 interrupt-parent = <0xfde8>;
                 compatible = "xen,xen-4.16\0xen,xen";
                 reg = <0x00 0x38000000 0x00 0x1000000 0xde 0x00 0x02 0x00>;

Near the same I did for the Xen itself to insert a range for Dom0. The Linux side change is just to retrieve a range from DTB instead of issuing a hypercall.

Sorry, I might miss some important bits here, but from what I wrote about the "reg" purpose, it seems it could be suitable for us, why actually not? Why do we need yet another binding? I noticed, Linux on Arm doesn't use it at all, probably it is used by other OSes, I don't know.

Linux used the range until 4.7. This was dropped by commit 3cf4095d7446efde28b48c26050b9db6f0bcb004 so the same code can be used by ACPI and DT. However, looking at this now, I think this was a bad decision because it means we are shattering superpages.

Yes, the another benefit of this enabling work (besides avoid wasting real domain pages) would be avoid shattering superpages, and as the result the I/O performance for the DMA devices behind the IOMMU would be slightly better, I hope.

So ideally we should switch back the region to use the safe address space once this is in place.


Now, I am wondering, would it be possible to update/clarify the current "reg" purpose and use it to pass a safe unallocated space for any Xen specific mappings (grant, foreign, whatever) instead of just for the grant table region. In case, it is not allowed for any reason (compatibility PoV, etc), would it be possible to extend a property by passing an extra range separately, something similar to how I described above?

I think it should be fine to re-use the same region so long the size of the first bank is at least the size of the original region.


I also think we should be able to add extra regions as OSes are unlikely to enforce that the "reg" contains a single region.

That said, we need to be careful about new guests as the region may be quite small on older Xen.


So we would need some heuristic to decide whether to stole some RAM or use the safe space. Another possibility would be to add a new compatible in the DT that indicates the region is "big" enough.
I like the last idea, did you perhaps mean new property (optional) rather than new compatible? Let's say "xen, safe-range" or "xen, extended-regions"  ... That sign would suggest us how to operate: either pick up safe range(s) or behave as usual (stole real pages) as existing region is indeed small - 16MB (if I am not mistaken), this would work with old and new Xen.



Oleksandr Tyshchenko



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.