From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: "Zhang, Yang Z" <yang.z.zhang@intel.com>, donald.d.dugger@intel.com
Cc: "Tian, Kevin" <kevin.tian@intel.com>,
"keir@xen.org" <keir@xen.org>,
"ian.campbell@citrix.com" <ian.campbell@citrix.com>,
"stefano.stabellini@eu.citrix.com"
<stefano.stabellini@eu.citrix.com>,
"ian.jackson@eu.citrix.com" <ian.jackson@eu.citrix.com>,
"tim@xen.org" <tim@xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
"Paul.Durrant@citrix.com" <Paul.Durrant@citrix.com>,
"Lv, Zhiyuan" <zhiyuan.lv@intel.com>,
Jan Beulich <JBeulich@suse.com>, "Ye, Wei" <wei.ye@intel.com>
Subject: Re: [PATCH v1 0/2] Extend ioreq-server to support page write protection
Date: Wed, 6 Aug 2014 11:00:37 -0400 [thread overview]
Message-ID: <20140806150037.GA14744@laptop.dumpdata.com> (raw)
In-Reply-To: <A9667DDFB95DB7438FA9D7D576C3D87E0AB5153F@SHSMSX104.ccr.corp.intel.com>
On Wed, Aug 06, 2014 at 03:04:31AM +0000, Zhang, Yang Z wrote:
> Tian, Kevin wrote on 2014-08-06:
> >> From: Tian, Kevin
> >> Sent: Tuesday, August 05, 2014 7:49 PM
> >>
> >>> From: Zhang, Yang Z
> >>> Sent: Tuesday, August 05, 2014 7:40 PM
> >>>
> >>> Tian, Kevin wrote on 2014-08-06:
> >>>>> From: Zhang, Yang Z
> >>>>> Sent: Tuesday, August 05, 2014 7:11 PM
> >>>>>
> >>>>> Tian, Kevin wrote on 2014-08-05:
> >>>>>>> From: Jan Beulich [mailto:JBeulich@suse.com]
> >>>>>>> Sent: Tuesday, August 05, 2014 12:52 AM
> >>>>>>>
> >>>>>>>>>> On 05.08.14 at 09:35, <yang.z.zhang@intel.com> wrote:
> >>>>>>>>>> Tian, Kevin wrote on 2014-08-05: From: Jan Beulich
> >>>>>>>>>> [mailto:JBeulich@suse.com]
> >>>>>>>>>> Sent: Monday, August 04, 2014 12:35 AM
> >>>>>>>>>>
> >>>>>>>>>>>>> On 04.08.14 at 07:05, <wei.ye@intel.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Jan Beulich wrote on 2014-07-28:
> >>>>>>>>>>>> devel@lists.xen.org; keir@xen.org
> >>>>>>>>>>>> Subject: Re: [PATCH v1 0/2] Extend ioreq-server to
> >>>>>>>>>>>> support page write protection
> >>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 28.07.14 at 19:55, <wei.ye@intel.com> wrote:
> >>>>>>>>>>>>> ioreq-server is proposed to forward PIO and MMIO request to
> >>>>>>>>>>>>> multiple device models according to the io range. XenGT
> >>>>>>>>>>>>> (Intel Graphics Virtualization technology, please refer to
> >>>>>>>>>>>>> https://01.org/xen/blogs/srclarkx/2013/graphics-virtual iz
> >>>>>>>>>>>>> at io n- xengt) driver reside in Dom0 as a virtual graphics
> >>>>>>>>>>>>> device model also need to trap and emulate the guest's write
> >>>>>>>>>>>>> operation to some specific memory pages, like the memory
> >>>>>>>>>>>>> pages used by guest graphics driver as PPGTT(per-process
> >>>>>>>>>>>>> graphics translation table). We add an new p2m type
> >>>>>>>>>>>>> "p2m_ram_wp" to trap the page write operation. Page of this
> >>>>>>>>>>>>> new p2m type is read only and for write, the request will go
> >>>>>>>>>>>>> to device model via
> > ioreq-server.
> >>>>>>>>>>>>
> >>>>>>>>>>>> So how is this write-protection supposed to work on the
> >>>>>>>>>>>> IOMMU side when sharing page tables?
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks for pointing out this question. Write-protection is not
> >>>>>>>>>>> supposed to work when sharing page tables between EPT and
> >>>>>>>>>>> vt-d. An explicit command line "iommu=no-sharept" should be
> >>>>>>>>>>> setted for avoiding undesirable iommu fault.
> >>>>>>>>>>
> >>>>>>>>>> Requiring the unconditional use of a specific command line
> >>>>>>>>>> option is certainly fine for experimental code, but not beyond that.
> >>>>>>>>>> Behavior should be correct by default in production code.
> >>>>>>>>>>
> >>>>>>>>>> But what's worse here: The option _allows_ device side
> >>>>>>>>>> writes from the guest. Why would device side writes be
> >>>>>>>>>> okay, but CPU side ones not?
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> right, whether ept is shared or not doesn't address the concern
> >>>>>>>>> here. In both cases we need maintain the same p2m view between
> >>>>>>>>> CPU and device side, otherwise it's broken...
> >>>>>>>>>
> >>>>>>>>> One option is to treat wp similar to logdirty, i.e.
> >>>>>>>>> exclusive to VT-d device assignment, until in the future
> >>>>>>>>> VT-d supports page fault. We can provide a boot option to
> >>>>>>>>> override the default policy if user thinks OK.
> >>>>>>>>>
> >>>>>>>>> 2nd option, like Wei mentioned in another mail, is to treat
> >>>>>>>>> such write protected PPGTT page tables as MMIO. new
> >>>>>>>>> hypercall is required to change the p2m type between p2m_io
> >>>>>>>>> and p2m_ram, based on allocation/free of guest page table.
> >>>>>>>>> This way may impact performance on read though.
> >>>>>>>>>
> >>>>>>>>> Comments?
> >>>>>>>>
> >>>>>>>> Another solution is using the EPT misconfiguration mechanism
> >>>>>>>> like what Xen does for MTRR emulation currently.
> >>>>>>>
> >>>>>>> That would cause faults on reads as well, making it necessary
> >>>>>>> to emulate them.
> >>>>>>>
> >>>>>>
> >>>>>> Then it's same effect of p2m_mmio_dm.
> >>>>>
> >>>>> p2m_mmio_dm will break VT-d but EPT misconfiguration doesn't.
> >>>>>
> >>>>
> >>>> I don't understand. Treating it as emulated io just means no
> >>>> valid p2m entry in EPT/VT-d. Note XenGT itself doesn't require
> >>>> VT-d, while you can still assign other devices this way.
> >>>
> >>> From guest's view, it doesn't know the page is not valid in EPT/VT-d
> >>> table. So if guest CPU touch this page, then hypervisor will intercept
> >>> the access from EPT violation and handle it. But if guest uses that
> >>> page as DMA buffer (a malicious guest may do it), then VT-d fault
> >>> happens. Since DMA is not restartable, guest will never receive the
> >>> right data.
> >>>
> >>
> >> as you said, it's malicious guest, that's why we need zap the VT-d
>
> Malicious guest is just an example. We can assume a normal guest never does it.
What!? No you can't. That is thundering towards an XSA! The normal
guest can become compromised.
>
> >> entries to avoid mallicous DMA to GPU page tables. In sane case the
> >> page is allocated by gfx driver so other device drivers with VT-d
> >> assigned devices shouldn't use it as DMA target.
>
> What about a guest really does it?
Oh, here you say it can do it. A bit confusing.
>
> >> There is no 'right data' to be ensured in such case. :-)
> >>
> >
> > Think about a malicious guest may DMA to any holes...
>
> Other hole is not a RAM, so a VT-d fault is acceptable.
I feel that we talking about the same issue that had been raised before
about EPT and VT-d sharing a page and having issues with DMAing
in RAM regions (like into the framebuffer).
And my understanding is that Intel is going to fix it, except that
it is on the 'low-priority'. It sounds to me that it should be
raised to a higher priority and be taken care of.
>
> >
> > Thanks
> > Kevin
>
>
> Best regards,
> Yang
>
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2014-08-06 15:00 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-28 17:55 [PATCH v1 0/2] Extend ioreq-server to support page write protection Wei Ye
2014-07-28 8:24 ` Jan Beulich
2014-08-04 5:05 ` Ye, Wei
2014-08-04 7:35 ` Jan Beulich
2014-08-04 21:34 ` Tian, Kevin
2014-08-05 6:35 ` Jan Beulich
2014-08-05 6:46 ` Ye, Wei
2014-08-05 7:51 ` Jan Beulich
2014-08-05 7:35 ` Zhang, Yang Z
2014-08-05 7:51 ` Jan Beulich
2014-08-05 8:20 ` Ye, Wei
2014-08-05 15:41 ` Tian, Kevin
2014-08-06 2:11 ` Zhang, Yang Z
2014-08-06 2:33 ` Tian, Kevin
2014-08-06 2:40 ` Zhang, Yang Z
2014-08-06 2:49 ` Tian, Kevin
2014-08-06 2:50 ` Tian, Kevin
2014-08-06 3:04 ` Zhang, Yang Z
2014-08-06 15:00 ` Konrad Rzeszutek Wilk [this message]
2014-08-06 16:08 ` Tian, Kevin
2014-08-07 6:45 ` Jan Beulich
2014-08-07 16:28 ` Tian, Kevin
2014-08-08 6:32 ` Jan Beulich
2014-08-08 16:02 ` Tian, Kevin
2014-08-08 16:04 ` Tian, Kevin
2014-08-12 23:15 ` Ye, Wei
2014-08-13 8:38 ` Tim Deegan
2014-08-13 16:14 ` Tian, Kevin
2014-08-14 8:08 ` Tim Deegan
2014-08-14 17:49 ` Tian, Kevin
2014-08-14 20:25 ` Tim Deegan
2014-08-14 22:53 ` Tian, Kevin
2014-08-14 23:12 ` Jan Beulich
2014-08-14 23:33 ` Tian, Kevin
2014-08-06 17:38 ` Tian, Kevin
2014-07-28 17:55 ` [PATCH v1 1/2] x86: add p2m_ram_wp Wei Ye
2014-07-28 8:31 ` Jan Beulich
2014-08-04 5:10 ` Ye, Wei
2014-08-04 7:37 ` Jan Beulich
2014-08-05 7:09 ` Ye, Wei
2014-07-28 17:55 ` [PATCH v1 2/2] ioreq-server: Support scatter page forwarding Wei Ye
2014-07-28 8:57 ` Jan Beulich
2014-08-04 5:41 ` Ye, Wei
2014-08-04 7:47 ` Jan Beulich
2014-08-04 21:39 ` Tian, Kevin
2014-08-05 6:38 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140806150037.GA14744@laptop.dumpdata.com \
--to=konrad.wilk@oracle.com \
--cc=JBeulich@suse.com \
--cc=Paul.Durrant@citrix.com \
--cc=donald.d.dugger@intel.com \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=keir@xen.org \
--cc=kevin.tian@intel.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=tim@xen.org \
--cc=wei.ye@intel.com \
--cc=xen-devel@lists.xen.org \
--cc=yang.z.zhang@intel.com \
--cc=zhiyuan.lv@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.