
Re: [PATCH DNA 5/6] tools/xenstored: restore support for mapping ring as foreign memory


  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Mon, 20 Sep 2021 12:42:06 +0200
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>
  • Delivery-date: Mon, 20 Sep 2021 10:42:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Sep 20, 2021 at 10:24:45AM +0200, Juergen Gross wrote:
> On 17.09.21 17:46, Roger Pau Monne wrote:
> > Restore the previous way of mapping the xenstore ring using foreign
> > memory. Use xenforeignmemory instead of libxc in order to avoid adding
> > another dependency on an unstable interface.
> 
> Mapping a guest page via xenforeignmemory is no good move IMO. A guest
> not supporting a grant table for security reasons is a rather strange
> idea, as it needs to trade that for a general memory access by any
> backend without a way to restrict such accesses. This contradicts one
> of the main concepts of the Xen security architecture.

I've done this in order to be able to assert that the switch to
disable grant tables was working correctly, I don't intend this
specific mode to be something that is desirable or that should be used
in production, but I do think it's useful to be able to create such
guests in order to assert that the option is taking effect.

The main problem of xenstore not being correctly initialized on a
domain is that the "@introduceDomain" watch doesn't fire, and thus
other components don't get notified of the newly created domain.

This seems to be a limitation of the current design, where the only
way to get notifications of new domain creation is using
"@introduceDomain", even when the caller doesn't care whether the
created domain has a working xenstore connection.

Maybe I can work around this differently in xenstore, so that the watch
fires even when the shared xenstore ring cannot be initialized.

Thanks, Roger.



 

