
Re: [PATCH] SUPPORT.md: extend security support for hosts to 12 TiB of memory


  • To: Julien Grall <julien@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 6 Apr 2022 17:22:29 +0200
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 06 Apr 2022 15:22:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06.04.2022 17:15, Julien Grall wrote:
> On 06/04/2022 15:44, Jan Beulich wrote:
>> c49ee0329ff3 ("SUPPORT.md: limit security support for hosts with very
>> much memory"), as a result of XSA-385, restricted security support to
>> 8 TiB of host memory. Extend this to 12 TiB, putting in place a guest
>> restriction to 8 TiB in exchange.
> 
> And this is even without CONFIG_BIGMEM?

Yes. BIGMEM only matters when memory extends past the 16 TiB boundary
(i.e. when frame numbers with more than 32 significant bits appear).

>> --- a/SUPPORT.md
>> +++ b/SUPPORT.md
>> @@ -50,7 +50,7 @@ For the Cortex A57 r0p0 - r1p1, see Erra
>>   
>>   ### Physical Memory
>>   
>> -    Status: Supported up to 8 TiB
>> +    Status: Supported up to 12 TiB
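
Review bot: the new `Status: Supported up to 12 TiB` line under "### Physical Memory" does not say that the higher host limit is conditional on the 8 TiB guest limit, which the commit message describes as being put in place "in exchange". Someone reading only this section would see an unconditional 12 TiB. Suggest adding a sentence here that points to the new "Guest Limits" / "Memory" entry. The status line is also unqualified by architecture, so consider stating which ports the figure applies to.
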
> 
> I am afraid this limit is going to be too high for Arm. Even the 
> previous one was technically incorrect. From [1], it should be:
>    - 5TB for arm64
>    - 16GB for arm32

May I ask that you submit a patch correcting this, and I'll rebase
on top of that? I can't really fit such an adjustment under the
umbrella of the title and purpose of this change.

>> @@ -121,6 +121,14 @@ ARM only has one guest type at the momen
>>   
>>       Status: Supported
>>   
>> +## Guest Limits
>> +
>> +### Memory
>> +
>> +    Status: Supported up to 8 TiB
> 
> For Arm, this should be limited to 1TB for arm64 and 16GB for arm32.

Sure, will do.

>> +
>> +Guests with more memory are supported, but not security supported.
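
Review bot: the closing sentence `Guests with more memory are supported, but not security supported.` leaves the upper bound open and uses "supported" in two different senses in one line. Suggest naming the largest guest size that is expected to work at all, and rewording so that the 8 TiB in the `Status:` line reads unambiguously as the security-support boundary rather than a functional limit.
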
> 
> d->max_pages is a 32-bit value. So Xen can effectively only support up 
> to 16TB of memory. AFAICT, it would require quite a bit rework to lift 
> that limit. So I think it would be better to spell out the upper limit.

Same here.

Jan




 

