
Re: [Xen-users] 64bit processors and TLS warning message



> > It's just not an issue like it is on 32-bit - the TLS implementation
> > doesn't conflict with the way Xen enforces protection.
>
> Uhm.  Doh.
> Why doesn't the documentation mention this?

I guess nobody thought of it before: the documentation is i386 oriented 
because that's what we've had for longest.  The information in there is 
common to x86_64, but doesn't go into the differences.

> I would've gone a very different route with a Xen system I've spent a
> lot of time on had I known this.  *sigh*.

Oops.  Sorry.

> Could you elaborate a bit on the above?

Xen protects itself using x86 segmentation.  This is because the page-tables 
alone only make a distinction between user / supervisor level, and we have 
three privilege levels to maintain: user / supervisor / hypervisor.  The 
default TLS implementation in glibc does something *very strange* with 
segments, that one wouldn't expect to be possible at all, as a performance 
optimisation. (side note: I recently talked this over with people locally, 
trying to get this straight once and for all - my mind boggled, it's such a 
weird trick!!!)

Unfortunately, this performance optimisation cannot be allowed to be used 
directly under Xen, since it would violate security properties of the system.  
Xen *can* emulate the correct behaviour but this is pretty slow; hence the 
suggestion that people disable the TLS library.  Lots of distros are now 
including a libc that is (one way or another) friendly towards Xen (by having 
an option not to use the negative segment offset tricks on Xen, or just not 
including them at all).

On x86_64 (and other architectures) it's not necessary to protect Xen using 
segmentation, so we don't really need to care what the OS actually does with 
segmentation - even if the OS does set up weird and wonderful segments, they 
can't violate our security properties.  Hence the segmentation tricks will 
work fine on your 64-bit box, without the slowdown incurred by emulation.

> Is the situation the same for all 64bit CPUs?

I doubt anything but x86 abuses segments in such interesting / disturbing 
ways ;-)  So yes, they should be OK.

> Could you please update:
> http://wiki.xensource.com/xenwiki/XenSpecificGlibc
> to mention that this hack is not necessary if you're running
> this-and-that CPU (the page is protected)?

Do you have an account?  The vast majority of pages are editable by all, but 
they do require sign-up - anonymous editing easily results in an 
unmanageable amount of spam, unless you're big enough (like Wikipedia) to 
clean up quickly.

Cheers,
Mark

-- 
Dave: Just a question. What use is a unicycle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
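
Added example, not part of the original message and not Xen or glibc code: a simplified C model of the segment limit check discussed above, showing why a flat segment with a non-zero base can reach the hypervisor's range, and why clamping the limit also makes glibc's negative TLS offsets fault (the case Xen then has to emulate). XEN_START, TCB_BASE and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: illustrative start of the hypervisor-reserved linear range. */
#define XEN_START 0xFC000000u
/* Constructed sample: base of a thread's TLS segment (points at its TCB). */
#define TCB_BASE  0xB7F00000u

typedef struct { uint32_t base, limit; } seg_t;   /* limit in bytes */

/* 32-bit expand-up data segment: 1 = access allowed, 0 = #GP. size >= 1. */
static int seg_allows32(seg_t s, uint32_t off, uint32_t size)
{
    uint32_t last = off + (size - 1);
    return last >= off && last <= s.limit;
}

/* Linear address wraps modulo 2^32, which is what makes %gs:-4 work. */
static uint32_t linear32(seg_t s, uint32_t off) { return s.base + off; }

/* Clamp the limit so base+limit stays below the hypervisor range. */
static seg_t xen_truncate(seg_t s)
{
    uint32_t max = XEN_START - 1u - s.base;   /* assumes base < XEN_START */
    if (s.limit > max) s.limit = max;
    return s;
}

/* 64-bit mode: segment limits are not checked, so nothing faults here. */
static int seg_allows64(seg_t s, uint64_t off, uint32_t size)
{
    (void)s; (void)off; (void)size;
    return 1;
}

int main(void)
{
    seg_t flat = { TCB_BASE, 0xFFFFFFFFu }, xen = xen_truncate(flat);
    uint32_t tls = (uint32_t)-4;              /* TLS slot just below the TCB */
    uint32_t stray = XEN_START - TCB_BASE;    /* offset landing on XEN_START */

    printf("flat: tls ok=%d -> %08x, stray ok=%d -> %08x\n",
           seg_allows32(flat, tls, 4), (unsigned)linear32(flat, tls),
           seg_allows32(flat, stray, 4), (unsigned)linear32(flat, stray));
    printf("xen : limit=%08x tls ok=%d stray ok=%d (fault => emulation)\n",
           (unsigned)xen.limit, seg_allows32(xen, tls, 4),
           seg_allows32(xen, stray, 4));
    printf("x86_64: tls ok=%d\n", seg_allows64(flat, (uint64_t)-4, 4));
    return 0;
}
```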
