From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Campbell <ian.campbell@citrix.com>
Subject: Re: memaccess: skipping mem_access_send_req
Date: Fri, 17 Apr 2015 11:31:27 +0100
Message-ID: <1429266687.25195.257.camel@citrix.com>
References: <DA845EDCE27355428C520DC5B8DC05CE763FB38550@GEORGE.Emea.Arm.com>
	<1429090012.15516.155.camel@citrix.com>
	<DA845EDCE27355428C520DC5B8DC05CE7C0426CCBA@GEORGE.Emea.Arm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <DA845EDCE27355428C520DC5B8DC05CE7C0426CCBA@GEORGE.Emea.Arm.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Gareth Stockwell <Gareth.Stockwell@arm.com>
Cc: "stefano.stabellini@citrix.com" <stefano.stabellini@citrix.com>, "tklengyel@sec.in.tum.de" <tklengyel@sec.in.tum.de>, "xen-devel (xen-devel@lists.xen.org)" <xen-devel@lists.xen.org>
List-Id: xen-devel@lists.xenproject.org

On Fri, 2015-04-17 at 10:35 +0100, Gareth Stockwell wrote:
> On Wed, Apr 15, 2015 at 10:26:52, Ian Campbell wrote:
> > > We would like to use memaccess to perform (1) - but rather than
> > Is the guest expected to be aware of this, i.e. to be somewhat
> > paravirtualised? I suppose it must have to be in order to accept
> > seemingly spurious page faults.
> >
> > Which leads me to wonder whether an extra shared ring between the
> > hypervisor and target VCPU would be desirable, i.e. to allow more fine
> > grained semantics than just "computer says no". Specifically if you
> > need to care about the reason for the fault being the actions of an
> > external arbiter rather than some other guest-internal thing.
> >
> > If your application is just to allow the guest OS to kill a process
> > which has tried to touch memory in a way which the external controller
> > has disallowed then a page fault seems like a simple and effective way though.
> 
> The guest will be aware of the permission changes - in fact in our
> system permission changes are only enacted following a request from
> the guest itself.  So, a data abort is sufficient - the guest should
> then be able to work that this was due to it violating its stage-2
> permissions, and kill the appropriate process.

Great, in which case this does seem to be a good approach.
[...]

> It seems to be the simplest approach, and based on some quick prototyping appears to work - at least on ARM.

Excellent!

Ian