[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Date: Fri, 18 Mar 2022 14:50:30 -0700 (PDT)
Cc: Penny Zheng <Penny.Zheng@xxxxxxx>, nd@xxxxxxx, Penny Zheng <penzhe01@xxxxxxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 18 Mar 2022 21:50:37 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, 18 Mar 2022, Jan Beulich wrote:
> On 11.03.2022 07:11, Penny Zheng wrote:
> > In case to own statically shared pages when owner domain is not
> > explicitly defined, this commits propose a special domain DOMID_SHARED,
> > and we assign it 0x7FF5, as one of the system domains.
> > 
> > Statically shared memory reuses the same way of initialization with static
> > memory, hence this commits proposes a new Kconfig CONFIG_STATIC_SHM to wrap
> > related codes, and this option depends on static 
> > memory(CONFIG_STATIC_MEMORY).
> > 
> > We intends to do shared domain creation after setup_virt_paging so shared
> > domain could successfully do p2m initialization.
> 
> There's nothing said here, in the earlier patch, or in the cover letter
> about the security aspects of this. There is a reason we haven't been
> allowing arbitrary, un-supervised sharing of memory between domains. It
> wants clarifying why e.g. grants aren't an option to achieve what you
> need, and how you mean to establish which domains are / aren't permitted
> to access any individual page owned by this domain.

I'll let Penny write a full reply but I'll chime in to try to help with
the explanation.

This is not arbitrary un-supervised sharing of memory between domains,
which indeed is concerning.

This is statically-configured, supervised by the system configurator,
sharing of memory between domains.

And in fact safety (which is just a different aspect of security) is one
of the primary goals for this work.

In safety-critical environments, it is not considered safe to
dynamically change important configurations at runtime. Everything
should be statically defined and statically verified.

In this case, if the system configuration knows a priori that there are
only 2 VM and they need to communication over shared memory, it is safer
to pre-configure the shared memory at build time rather than let the VMs
attempt to share memory at runtime. It is faster too.

The only way to trigger this static shared memory configuration should
be via device tree, which is at the same level as the XSM rules
themselves.

Hopefully I made things clearer and not murkier :-)

Follow-Ups:
- Re: [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED
  - From: Jan Beulich

References:
- [PATCH v1 00/13] Static shared memory on dom0less system
  - From: Penny Zheng
- [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED
  - From: Penny Zheng
- Re: [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED
  - From: Jan Beulich

Prev by Date: [linux-linus test] 168681: tolerable FAIL - PUSHED
Next by Date: [ovmf test] 168690: regressions - FAIL
Previous by thread: Re: [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED
Next by thread: Re: [PATCH v1 02/13] xen/arm: introduce a special domain DOMID_SHARED
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.