[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/include/public: add macro for invalid grant reference

  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 22 Feb 2022 09:55:07 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VeimnAO2B+gBAQzv4gm6HY1fwYl8qIvfS9Wk3eT4Zv4=; b=jcUzxJ8R8z1hJQ3nWHy8rzt4aPKOVv8+MK8L4zX8zye1Wu+eU5VPh0Cg69KMp+3F2QlEgWzhh6wKb+JKnQQRSmtOCdw7ANXbeyLA60wmJ160P73fDHOqqoCNTfzMkxNhEmGRjYaCXc3sJ/qJn26knOoD0+LGLvj/G6EENCIfW2VAVChzQ/d5cidjZ9e8njV6vETZxW6xKxnivcW/5XYCSrNhVZqEnxAD/oIi3KGho3eKsMxkLpui/56gNaatQgvMcy1Ivv5572dBrphc16Fu7dn404tQPqIBm7nGgAWVCFDVkclRvA3mBW8/LJz76rjrlsKHNJtpqQdV3aCK/YnKdA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YXQiZZuSuW/gDRiC67hgNIcqZE3vG4M9KTOXrwei0hkAgTBd0risZwz/BMkc24foK4Ucaw+fkmgykoQCzRZFcDK5SRnwwnRGunwc9YE+XBWYooEqEOhtZL37zNd1Y3NPI5Cok3klp2xcaATOKpUJxQrtJKDrYUYZlKq1tEvbx6eyNzDUJvZZAV396tp9AxCd7wqqPiFiFCBbNIV5GmOPugCffSROaAN3Z7sKT0zn011fucUIAc3rroxsW1t8udXCSbRurrEfTLRrgKkPTgQq4zQn06Ehk5TKkBVxxso4AJdeHTB+xJXf4pBwsa7LMzxoqw4l9mq3jv13oL7cQyUebg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Tue, 22 Feb 2022 08:55:19 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 21.02.2022 16:57, Juergen Gross wrote:
> On 21.02.22 16:31, Jan Beulich wrote:
>> On 21.02.2022 16:05, Juergen Gross wrote:
>>> On 21.02.22 15:31, Jan Beulich wrote:
>>>> On 21.02.2022 15:27, Juergen Gross wrote:
>>>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>>>> for users, especially as some are using the wrong value "0" for that
>>>>>>> purpose.
>>>>>>>
>>>>>>> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
>>>>>>
>>>>>> Over the years I've been considering to add such to the public
>>>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>>>
>>>>> I can change that to use 0xffffffff explicitly.
>>>>>
>>>>>> be a valid ref. It is really internal agreement by users of the
>>>>>> interface to set for themselves that they're not ever going to make
>>>>>> a valid grant behind that reference.
>>>>>
>>>>> As the grant reference is an index into the grant table this would
>>>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>>>> think this will be ever a concern (other than an academical one).
>>>>
>>>> That wasn't my point. Limiting the table to one less entry is not a
>>>> big deal indeed. But we have no reason to mandate which gref(s) to
>>>> consider invalid. A guest could consider gref 0 the invalid one.
>>>
>>> With the gref being an index starting with 0 (gref 0 is valid, as it is
>>> used for the console ring page), the natural choice for an invalid
>>> value is the highest one being representable. A gref is of type uint32_t
>>> resulting in this value being 0xffffffff.
>>>
>>> While in theory a grant table could be that large, in practice this
>>> will never happen.
>>>
>>>> The hypervisor doesn't care. Imo this simply is an aspect which is
>>>
>>> This isn't true. The hypervisor needs to allocate resources for being
>>> able to handle the highest possible gref value for a guest. For a v1
>>> grant table this would mean 32GB of grant table size. Are you really
>>> concerned we will ever hit this limit? This isn't at the guest's
>>> choice, after all, as the max grant table size is limited by Xen.
>>
>> If we're not going to hit that limit, what's wrong with declaring the
>> entire upper half of uint32_t space "invalid" for use a gref? If we
>> won't ever go up to 32Gb, we quite certainly also won't ever reach
>> 16Gb. Yes, you probably already guessed it, we can then repeat this
>> process iteratively until we reach 4kb.
> 
> This reasoning is nonsense, and you know it.

Interesting. The underlying "where to draw a boundary" is far from
nonsense, I think. The only way to escape this question is to avoid
introduction of artificial boundaries. While it was me to submit
"SUPPORT.md: limit security support for hosts with very much memory",
I didn't do so because I thought it was a good thing to establish
such a boundary. Nor was I convinced in any way of the precise
value chosen. I merely took on carrying out what was discussed
with the security team in the context of XSA-385, when even that
discussion left it very much to me to pick an arbitrary value.

>>>> not in need of pinning down in the ABI. Yet if it was pinned down
>>>> like you do, then the hypervisor would need to make sure it refuses
>>>> to act on this mandated invalid gref.
>>>
>>> This is an easy one. We could just refuse to have a grant table of
>>> that size. I can add this to the patch if you really think it is
>>> necessary.
>>
>> Since grant table size is measured in pages, you'd then have to
>> refuse use of more than just that single gref. This would still not
>> be an immediate problem, but demonstrates again that it's unclear
>> where to draw such a boundary, if one is to be artificially drawn.
> 
> It should be as high as possible. I wouldn't mind just refusing the
> last possible gref, but I don't think this is necessary.
> 
>>> TBH, I think such completely theoretical concerns should not stand
>>> in the way of additions to the ABI making life easier for consumers.
>>
>> In case it wasn't clear - my concern isn't that sacrificing this one
>> entry may cause a problem, or that we'd ever see grant tables grow
>> this big (albeit for the latter: you never really know). Instead my
>> concern is that it is conceptually wrong for us to (now) introduce
>> such a value.
> 
> I have understood that this is your concern.
> 
> I continue to think that this concern is of purely academical nature.

Well, I'm not going to NAK the change if others agree with your view.
But I'm not going to put my name under it in any form. Academical or
not, it sets a(nother) wrong precedent.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.