From: Dario Faggioli
Subject: Re: RFC: HVM de-privileged mode scheduling considerations
Date: Mon, 3 Aug 2015 17:09:55 +0200
Message-ID: <1438614595.16912.195.camel@citrix.com>
In-Reply-To: <1438612487.31129.9.camel@citrix.com>
To: Ian Campbell
Cc: george.dunlap@eu.citrix.com, Andrew Cooper, xen-devel@lists.xen.org, Ben Catterall
List-Id: xen-devel@lists.xenproject.org

On Mon, 2015-08-03 at 15:34 +0100, Ian Campbell wrote:
> On Mon, 2015-08-03 at 14:54 +0100, Andrew Cooper wrote:
> > I think it would be entirely reasonable to have a deadline for a single
> > execution of depriv mode, after which the domain is declared malicious
> > and killed.
>
> I think this could make sense, it's essentially a harsher variant of Ben's
> suggestion to abort an attempt to process the MMIO in order to migrate to
> another pcpu, but it has the benefit of being easier to implement and
> easier to reason about
>
Indeed. I think it very much depends on what we expect the common/legit
case to be, how long it would last, etc. If, as Andrew is saying, and as
it seems sane, we expect things to be pretty quick this solution sounds
good to me, and we can avoid the complexity of bouncing the operation
among pcpus.

> > We already have this for host pcpus - the watchdog defaults to 5
> > seconds. Having a similar cutoff for depriv mode should be fine.
>
> That's a reasonable analogy.
>
> Perhaps we would want the depriv-watchdog to be some 1/N fraction of the
> pcpu -watchdog, for a smallish N, to avoid the risk of any slop in the
> timing allowing the pcpu watchdog to fire. N=3 for example (on the grounds
> that N=2 is probably sufficient, so N=3 must be awesome).
>
I like this too.

Regards,
Dario
--
<> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)