[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] xen/grants: repurpose command line max options

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 16 Mar 2023 09:25:30 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Owxe1oMilNs25RrdMGTZ/EyqJtyt34d2tICWpI/7uj0=; b=UCZfb+jbkuvBuqzbjNVT0ttmoFib+PWI3haMtiera5iblE4DxRDkY3do1aiY42WncRWo5BOFfilKDUVqiST7TsDDbsjbK3UYSaxYARBVt4yO5Lw1+PB0hV5c3z+ThNfk6DgRZNfMqu61kkXPlbayuAp0B9hHEB+GF7HZpFEACxDMqXwlTizOI5ichMwICWDU6ISWCiZcli+4KAmoXiW4Bp02jXDosDi0WEwHNrfbuutp7Nt0/2ZcagOwJMyX4Zs11in4xPZ8y06NjW7EwW8drabNd18uDerhHv7bWq6lWyba5zMg0W9hE+09icFfbK1vRXTe3UNGZXXkdQhZyLvAwQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Tyk92O1DG4D9hPgQV9toVREOLuczWhfC1gZ0/zgWwvFN+RnPGO9eYpdnQBeR9mDXn+QM/sTuFWwltI0R0vsFinz1+buFs3nn150fnQo+S7vII5dm/5Rszul5Y/jnRtDYGrf0Y+TbCf98PzjMnjEq+DcTrKH8+Rm361q/jBl+FZ/chA+HAxAz826st08Zc+Uao1gnQIn/QuHProDPQBhGYyjG1WpkzJJBY0/R8zOwlRMsztNiNYKnstKH747Nh+JOltdsgfhWuyOyfiK3useQ6WnV1W0HFf1RAgZNlTamPFdgbpktb9Xr3a4ykYESd7Y2nrhhMJtdlcujoyNfRhSkRw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Jan Beulich <jbeulich@xxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 16 Mar 2023 08:25:57 +0000
  • Ironport-data: A9a23:+KvLZKKhzhhNrEUnFE+RH5QlxSXFcZb7ZxGr2PjKsXjdYENShmBRz WAZXTuHPayOYTfzKotybYm09E0F6sDcn9M2SlZlqX01Q3x08seUXt7xwmUcnc+xBpaaEB84t ZV2hv3odp1coqr0/0/1WlTZhSAgk/rOHvykU7Ss1hlZHWdMUD0mhQ9oh9k3i4tphcnRKw6Ws Jb5rta31GWNglaYCUpJrfPTwP9TlK6q4mhA5QVgPa4jUGL2zBH5MrpOfcldEFOgKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIAHOgdcS9qZwChxLid/ jnvWauYEm/FNoWU8AgUvoIx/ytWZcWq85efSZSzXFD6I+QrvBIAzt03ZHzaM7H09c4mOkVi8 /07awkRVTGmhMmu/LGESsxV05FLwMnDZOvzu1lG5BSAVbMKZM6GRK/Ho9hFwD03m8ZCW+7EY NYUYiZuaxKGZABTPlAQC9Q1m+LAanvXKmUE7g7K4/dnpTGLnGSd05C0WDbRUsaNSshP2F6Ru 0rN/njjAwFcP9uaodaA2iv037OfzX+hCer+EpWf0fpDh1u1xlYdGUdHEmCjuv+HoUGxDoc3x 0s8v3BGQbIJ3E6hQ8T5Xha4iGWZpRNaUN1Ve8U49QWMx6z88wufQG8eQVZpc8c6vcU7QTgr0 F6hnN7zAzFr9rqPRhq16bO8vT60fy8PIgcqdSICCAcI/dTniIUylQ7UCMZuFravid/4Ei22x CqFxBXSnJ0WhM8Pkqm+o1bOhmv0ooCTF1ZloALKQmii8wV1Ipa/YJCl4kTa6vAGK5uFSl6Gv z4PnM32AP0yMKxhXRelGI0ldIxFLd7fWNEAqTaDx6Ucygk=
  • Ironport-hdrordr: A9a23:MK12sKponEeWe/p7O7cgMu8aV5o6eYIsimQD101hICG9E/b0qy nKpp9w6faaskdzZJheo6HjBEDtex3hHP1OjbX5X43DYOCOggLBEGgI1+TfKlPbehEW/9QtsJ tdTw==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Wed, Mar 15, 2023 at 06:40:57PM +0000, Andrew Cooper wrote:
> On 14/03/2023 3:42 pm, Roger Pau Monné wrote:
> > On Tue, Mar 14, 2023 at 03:59:22PM +0100, Jan Beulich wrote:
> >> On 14.03.2023 15:45, Roger Pau Monne wrote:
> >>> Slightly change the meaning of the command line
> >>> gnttab_max_{maptrack_,}frames: do not use them as upper bounds for the
> >>> passed values at domain creation, instead just use them as defaults
> >>> in the absence of any provided value.
> >>>
> >>> It's not very useful for the options to be used both as defaults and
> >>> as capping values for domain creation inputs.  The defaults passed on
> >>> the command line are used by dom0 which has a very different grant
> >>> requirements than a regular domU.  dom0 usually needs a bigger
> >>> maptrack array, while domU usually require a bigger number of grant
> >>> frames.
> >>>
> >>> The relaxation in the logic for the maximum size of the grant and
> >>> maptrack table sizes doesn't change the fact that domain creation
> >>> hypercall can cause resource exhausting, so disaggregated setups
> >>> should take it into account.
> >>>
> >>> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> >> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
> >> albeit perhaps with yet one more wording change (which I'd be happy to
> >> make while committing, provided you agree):
> >>
> >>> --- a/docs/misc/xen-command-line.pandoc
> >>> +++ b/docs/misc/xen-command-line.pandoc
> >>> @@ -1232,11 +1232,11 @@ The usage of gnttab v2 is not security supported 
> >>> on ARM platforms.
> >>>  
> >>>  > Can be modified at runtime
> >>>  
> >>> -Specify the maximum number of frames which any domain may use as part
> >>> -of its grant table. This value is an upper boundary of the per-domain
> >>> -value settable via Xen tools.
> >>> +Specify the default upper bound on the number of frames which any domain 
> >>> may
> >>> +use as part of its grant table unless a different value is specified at 
> >>> domain
> >>> +creation.
> >>>  
> >>> -Dom0 is using this value for sizing its grant table.
> >>> +Note this value is the effective upper bound for dom0.
> >> DomU-s created during Xen boot are equally taking this as their effective
> >> value, aiui. So I'd be inclined to amend this: "... for dom0, and for
> >> any domU created in the course of Xen booting".
> > Not really for domUs, as there's a way to pass a different value for
> > both options in the dt, see create_domUs().
> 
> Correct.  On the ARM side, this is configurable in the for all dom0less
> VMs in the device tree.
> 
> I've committed the patch as is, seeing as it's fixing a real bug we
> currently have.
> 
> 
> But, I'd like to point out that there are still some issues which want
> fixing.
> 
> The /* Apply defaults if no value was specified */ section is pointless
> complication.  All callers pass a real number of frames, except for the
> dom0 construction paths which pass in -1.

I'm afraid that's not accurate, xl still passes -1 if no value has been
provided in the guest config file.  And the python bindings
(pyxc_domain_create()) do seem to also hardcode -1.

Which is not to say it can't be done, but we would need to move the
default from being a command line option to a toolstack option (an
additional patch).

> The logic gets smaller and easier to follow if each of the dom0's
> dom_cfg's default to the appropriate opt_* value.  Userspace which
> really asks for -1 gets a large domain that actually honours the
> uint32_t ABI presented.
> 
> With that, the writeable hypfs nodes become useless, and can be dropped,
> and the opt_* variables become __initdata.
> 
> 
> Next, we need to do something about the fact that the number of maptrack
> frames has no relationship to the number of entries.  I don't know what,
> but the status quo needs changing.
> 
> Next we need to confirm that running guests with no maptrack is safe and
> security supportable option.  XSM_SILO + 0 maptrack blocks most of the
> grant related XSAs we've had.

I've given this a quick try and it seemed to at least boot fine, but
haven't done any in depth audit.

> And in some copious free time, we still need to get to a point where we
> can construct a VM without a grant table at all (but this still looks
> like a lot of work).

Yes, that's likely more work.  I did an attempt in the past by
allowing to set grant table version = 0 (patch on the list somewhere).

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.