Xen project Mailing List

Re: [PATCH v2 0/6] gnttab: add per-domain controls

To: Julien Grall <julien.grall.oss@xxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Fri, 24 Sep 2021 09:46:44 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dDWIilNdVyaucOEu4Us4hr6C1PWIhQ6ULkkUa/Vip1U=; b=R6KU7tE+kR7HuPFpejSRxJMuw2qRpIeEuY4BXNitVO+xC8n2kot9I3eX4t1oi4VZJUtEGXlLLFKz1/ZeOsXvb0q1/kN9kDO9Q44X/UgVocKSieYBcN1mg5q33wJ9CwW2lz1Gzcw2e7J/bogTQdJbQlcq57ivqYXlGg10jnB6ErRMHJeEGq/CsfeaoaYw3IsJ3EBkGw7vdcZfwzvizixRyIJCrnUsfiX5HebM9SXIDQkNuausBrWIS1viWr1WR3FWvhOszpMJ/9vDWoaHUnTuDem9HkLzN6sVCDLnawvoBoral8Wvm1EHKkLnPBWUU3EuC0F6/jn12TPQS9Uc4B6Izg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EL0WcxrfLJRmJPDoxpX6GwHnKYX8Lyf7EgkRNb0OhrpubbRyfLLXDLkMkXcwH/tU9PuzdoFmQ2KQy1FxFTu3RO5CQ2szhd08olKCfslk9OVcNdFXNJmWG6ielfRCzaWWRaMeUfqexE+67o/pgbEw89HlBcKIzPIK+nIWZwXZjbSS31wKVuBaeqYX5cK/kuLuv4iVZhMSA3fyQOL1f1yLRgz5n5dET7+BSvNd+63pkEoe0cR5+MxgHUqhg89JPr8ctZGA5D9JNnJgpT2l5N7juWNzreJhAj8lAYmwVQvOX/9lPS3sYOmpgReSR7gU6XYDyscpXKDdX/khz9uWfKxngQ==

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Fri, 24 Sep 2021 07:47:04 +0000

Ironport-data: A9a23:dBBWY63s8t9I7YHPMPbD5bd3kn2cJEfYwER7XKvMYLTBsI5bpzZWy WUcCGuCPfiLN2v0fdB+O46ypEkCscXUyN5hHVc+pC1hF35El5HIVI+TRqvS04J+DSFhoGZPt Zh2hgzodZhsJpPkS5PE3oHJ9RGQ74nRLlbHILOCan0ZqTNMEn970EoywbJh2+aEvPDia++zk YKqyyHgEAfNNw5cagr4PIra9XuDFNyr0N8plgRWicJj5TcypFFMZH4rHomjLmOQf2VhNrXSq 9Avbl2O1jixEx8FUrtJm1tgG6EAaua60QOm0hK6V0U+6/TrS+NbPqsTbZIhhUlrZzqhlI972 uRSst+McjgWAYKVmqMmeiRUHHQrVUFG0OevzXmXtMWSywvNcmf2wuUoB0YzVWEa0r8pWycUr 6VecW1TKEDY7w616OvTpu1EnMMsIdOtJIoCknph0SvYHbAtRpWrr6DiuIQFh2lv3J4m8fD2f pI/OSQ+VQT5YTZqOG80OMsFkd/xmSyqG9FfgA3M/vdmi4TJ9yRz36LqK8H9YcGRSINemUPwj nnd423zDxUeNdqe4TmI6HShgqnIhyyTcLwVELq05/t7mmq5z2YYCAAVfVajqPz/gUm7M/pTI lIZ0jAjpq8z8AqsVNaVdx+yrWOAvxUcc8FNCOB84waIooLE7gDcCmUaQzppbN09qNRwVTEsz kWOnd7iGXpoqrL9YXCA8raZq3W9IyERKSkFfjQsQg4M4t2lq4Y25jrQSv5zHajzicf6cRnx3 DKivCU4n68Uj8MAy+O851+vvt63jsGXFEhvvFyRBz/7qFMiDGK4W2C2wVOE5+RxM4HacmK+g 0crwsrZ18kzAZ7YwURhX94xNL2u4v+ENhjVjlhuA4Qt+lyRxpKzQWxDyGohfxozbK7obResO RWK6F4Nvfe/KVP3NfcfXm6nNyg9IUEM//zeX/bIZ5JlZpFrfWdrFwk/OBbNhwgBfKUq+JzT2 Kt3k+7wUR726ow9lVJaotvxN5dxnUjSIkuJGfjGI+yPi+b2WZJsYe5t3KGyRu449riYhw7e7 sxSMcCHoz0GDrakPnONrNFOcQxQRZTeOXwQg5YMHgJkClA6cFzN9teLme9xE2Cbt/49ehj0E oGVBRYDlQuXaYzvIgSWcHFzAI4Drr4lxU/XyRcEZA7ys1B6ON7HxP5GK/MfIOl2nMQ+nKUcZ 6RUJK297gFnF22vF8I1NsKm8uSPtX2D2GqzAsZSSGJkIsE8F1CXoI+Mk8mG3HBmMxdbfPAW+ tWI/gjaXYACV0JlCsPXY+io1FS/oT4Wn+caYqcCCoA7lJzE/Nc4JirvoOUwJs1QexzPyiHDj 1SdAAsCpPmLqIgwqYGbiaeBpoavMu1/AksFQDWLsefobXHXrji53ItNcOeUZjSBBmn6z7qvO LdOxPbmPfxZwFsT69hgE6xmxL4V7sf0o+MI1RxtGXjGNgz5Cr5pLnSc89NIs6lBmu1QtQesA xrd8dhGI7SZfsjiFQdJdgYia+2C09ASmyXTsqtpcBmruncv8ePeA0tIPhSKhChMF5dPMdsok bU7pcobyw2jkR52YNyIuT9ZqjaXJXsaXqR56pxDWN33ihAmw01paIDHDnOk+4mGbthBPxV4I jKQg6ae1b1QylCbLig2HHnJm+FcmY4PqFZBy1pbfwaFnd/Mh/kW2hxN8GtoElQJn0sfi+8ja HJ2M0BVJLmV+2Y6jcdOaGmgBgVdCUDL4Uf20VYIyDXUQkTAurYh94Hh1TJhJHwkzl8=

Ironport-hdrordr: A9a23:9v97I6wZYCRX5RNPHYDuKrPxveskLtp133Aq2lEZdPULSKOlfp GV8MjziyWYtN9wYhAdcdDpAtjmfZr5z+8O3WB3B8beYOCGghrSEGgG1+XfKlLbak/DH4JmpM Jdmu1FeaHN5DtB/LfHCWuDYq8dKbC8mcjC74eurAYccegpUdAZ0+4QMHfkLqQcfnghOXNWLu v52iIRzADQBkj/I/7LS0UtbqzmnZnmhZjmaRkJC1oO7xSPtyqh7PrfHwKD1hkTfjtTyfN6mF K13DDR1+GGibWW2xXc32jc49B/n8bg8MJKAIiphtIOIjvhpw60bMBKWqGEvhoyvOazgWxa3O XkklMFBYBe+nnRdma6rV/E3BTh6i8n7zvYxVqRkRLY0ITEbQN/L/AEqZNScxPf5UZllsp7yr h302WQsIcSJQ/cnQzmjuK4Fy1Cpw6Rmz4PgOQTh3tQXc81c7lKt7ES+0tTDdMpAD/60oY6C+ NjZfuspcq+SWnqLUwxg1MfheBFBh8Ib1O7qwk5y4KoOgFt7TNEJxBy/r1Zop8CnKhNAqWsqd 60dJiBOdl1P7srhJlGdZU8qP2MexrwqCL3QRGvyGvcZdQ60lL22tXKCeYOlauXkKJh9upEpH 2GaiIAiVIP

Ironport-sdr: ysZPMm5LZL8YMZSypebsTMT5tLJt2ekAXAsbGEqn96Av9Sa+Tr48HiUyjlYWcQlYNogK/2Fd3d /zrIWYv2HBEs/GDG9jJ7kvuPPVCHRDVLAPYm27x1igt28jPAgOlm/mM567WN0ZV7+k6fcWIskR BG6txSQLeoM3yxdgpaTvXjhYMz3tJUmBU6GNKPSCedro4kpekTH5B7hg/dFqRWYAfFzaWdJJ0K F6VcALjVHm/hfPJ2jkMhDdQfg7r/mltGH3bQVIEeO5fzDNl4oJmI6Y8E4YazCO++90AFtuK9hu AllwU+X7f21sPz4Uk5HNSirc

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Sep 24, 2021 at 07:30:51AM +0500, Julien Grall wrote: > Hi Roger, > > On Thu, 23 Sep 2021, 16:20 Roger Pau Monné, <roger.pau@xxxxxxxxxx> wrote: > > > On Thu, Sep 23, 2021 at 01:47:37PM +0500, Julien Grall wrote: > > > Hi Roger, > > > > > > On 22/09/2021 14:39, Roger Pau Monné wrote: > > > > On Wed, Sep 22, 2021 at 01:57:02PM +0500, Julien Grall wrote: > > > > > > > > > > > > > > > On 22/09/2021 13:21, Roger Pau Monne wrote: > > > > > > Hello, > > > > > > > > > > Hi Roger, > > > > > > > > > > > First patch on the series is a trivial change to xenconsoled in > > order to > > > > > > use xenforeignmemory stable library in order to map the shared > > console > > > > > > ring instead of the unstable libxc interface. It's reviewed and > > ready to > > > > > > go in. > > > > > > > > > > > > Patches 2 and 3 allow setting the host wide command line `gnttab` > > option > > > > > > on a per domain basis. That means selecting the max allowed grant > > table > > > > > > version and whether transitive grants are allowed. > > > > > > > > > > > > The last 3 patches attempt to implement support for creating guests > > > > > > without a grant table. This requires some changes to xenstored in > > order > > > > > > to partially support guests without a valid ring interface, as the > > lack > > > > > > of grant table will prevent C xenstored from mapping the shared > > ring. > > > > > > Note this is not an issue for Ocaml xenstored, as it still uses the > > > > > > foreign memory interface to map the shared ring, and thus won't > > notice > > > > > > the lack of grant table support on the domain. > > > > > > > > > > I find a bit odd that the Xenstore support is conditional to whether > > grant > > > > > table is available. Are you expecting domains with no grant table to > > have no > > > > > PV drivers (including PV shutdown)? > > > > > > > > I don't really expect much, as having guests without grant table is a > > > > developer option right now, if someone wants to make use of them for > > > > any reason it would need some thought. > > > > > > > > The other option would be my first proposal to restore foreign mapping > > > > of the xenstore ring on that case: > > > > > > > > > > https://lore.kernel.org/xen-devel/20210917154625.89315-6-roger.pau@xxxxxxxxxx/ > > > > > > > > But it's also arguable that a guest not having a grant table should > > > > also likely prevent foreign mapping attempts. Plus such foreign > > > > mapping won't work from stubdomains. > > > > > > There is another option: extend the acquire hypercall to allow xenstored > > > domain to map the xenstore interface. This would require more work, but > > at > > > least it would avoid the interesting dependency on the grant table. > > > > Xen isn't aware of the shared xenstore ring page currently, so that > > would mean introducing more knowledge to the hypervisor that what's > > strictly required IMO, as Xen has no business in knowing such details. > > > > Well Xen already knows the page for HVM/PVH because the guest retrieve it > through an HMV param. HVM params has always been a bit weird IMO, as some are known and used by Xen (like the identity page tables) while others (like the xenstore or console ones) are merely used as a way to pass information from the toolstack into the domain. > We only miss (?) the PV part. Right - ideally we should use the same mechanism for PV and HVM, which would rule out he piggyback on HVM params. > > > The grant table slot used by the xenstore shared page is just an > > agreement at the toolstack level, but not known to the hypervisor so > > far. > > > > Right, we need to find a different way to provide/map the shared page if > the grant table is not present. > > To me the acquire hypercall is the best way to resolve it as Xen knows > whether the domain will run Xenstored (at least we used to have a flag) and > we can do the permission control easily. > > Do you have another alternative? As said before, I didn't give much through about a practical use case for this. My main focus where patches 1 and 2 (which sadly seem to be shadowed by this no grant-table option) in order to have more fine grained control over the grant table support on a per-domain basis. The no grant-table mode was mostly the cherry on the cake. I could see people using no grant-table also likely wanting no-xenstore and no-console as to prevent mappings from other domains into it's private memory altogether. Then using Argo or a similar no memory sharing mechanism in order to interact with other entities. So I think we shouldn't over engineer this xenstore usage without grant tables, as it might not even be relevant as a use-case itself. Using the acquire hypercall could be a solution, but I think we would also need to introduce a new hypercall then in order for user space to be able to tell Xen about resource areas, so that the xenstore address can be provided to Xen without (ab)using HVM params. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.