[PATCH] xen/arm: Scrub heap pages during boot

[PATCH] xen/arm: Scrub heap pages during boot

[Julien Grall]

Scrub heap pages was disabled because it was slow on the models. Now that Xen
supports real hardware, it's possible to enable by default scrubbing.

Signed-off-by: Julien Grall <julien.grall@linaro.org>

---
    This patch should go to Xen 4.4. It avoid to give non-cleared page to
    a domain.

    The downside is it's now slow on models.

    The current implementation of scrub_heap_pages loop on every page in the
    frametable. On ARM, there is only which can contains MMIO. We are safe
    because when frametable is initialized, page are marked inuse. So the
    function won't clear theses pages.
---
 xen/arch/arm/setup.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
index 9fc40c8..d7c7f4d 100644
--- a/xen/arch/arm/setup.c
+++ b/xen/arch/arm/setup.c
@@ -764,10 +764,8 @@ void __init start_xen(unsigned long boot_phys_offset,
     if ( construct_dom0(dom0) != 0)
             panic("Could not set up DOM0 guest OS");
 
-    /* Scrub RAM that is still free and so may go to an unprivileged domain.
-       XXX too slow in simulator
-       scrub_heap_pages();
-    */
+    /* Scrub RAM that is still free and so may go to an unprivileged domain. */
+    scrub_heap_pages();
 
     init_constructors();
 
-- 
1.7.10.4

Re: [PATCH] xen/arm: Scrub heap pages during boot

[Ian Campbell]

On Fri, 2014-01-10 at 03:27 +0000, Julien Grall wrote:
> Scrub heap pages was disabled because it was slow on the models. Now that Xen
> supports real hardware, it's possible to enable by default scrubbing.
> 
> Signed-off-by: Julien Grall <julien.grall@linaro.org>

Acked-by: Ian Campbell <ian.campbell@citrix.com>

> ---
>     This patch should go to Xen 4.4. It avoid to give non-cleared page to
>     a domain.
> 
>     The downside is it's now slow on models.

There is a no-bootscrub command-line option which can be used in that
case. Could you update the relevant model wiki pages to mention it
please?

>     The current implementation of scrub_heap_pages loop on every page in the
>     frametable. On ARM, there is only which can contains MMIO. We are safe
>     because when frametable is initialized, page are marked inuse. So the
>     function won't clear theses pages.

I don't think this behaviour is specific to ARM, x86 has MMIO regions
mixed in with RAM as well.

>From an RM PoV I think this is a necessary fix since it can otherwise
potentially leak information from a previous boot. I also think it is
low risk, nothing should have been relying on non-zero content of any
page.

> ---
>  xen/arch/arm/setup.c |    6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c
> index 9fc40c8..d7c7f4d 100644
> --- a/xen/arch/arm/setup.c
> +++ b/xen/arch/arm/setup.c
> @@ -764,10 +764,8 @@ void __init start_xen(unsigned long boot_phys_offset,
>      if ( construct_dom0(dom0) != 0)
>              panic("Could not set up DOM0 guest OS");
>  
> -    /* Scrub RAM that is still free and so may go to an unprivileged domain.
> -       XXX too slow in simulator
> -       scrub_heap_pages();
> -    */
> +    /* Scrub RAM that is still free and so may go to an unprivileged domain. */
> +    scrub_heap_pages();
>  
>      init_constructors();
>  

Re: [PATCH] xen/arm: Scrub heap pages during boot

[Julien Grall]

On 01/10/2014 09:52 AM, Ian Campbell wrote:
> On Fri, 2014-01-10 at 03:27 +0000, Julien Grall wrote:
>> Scrub heap pages was disabled because it was slow on the models. Now that Xen
>> supports real hardware, it's possible to enable by default scrubbing.
>>
>> Signed-off-by: Julien Grall <julien.grall@linaro.org>
>
> Acked-by: Ian Campbell <ian.campbell@citrix.com>

Thanks.


>> ---
>>      This patch should go to Xen 4.4. It avoid to give non-cleared page to
>>      a domain.
>>
>>      The downside is it's now slow on models.
>
> There is a no-bootscrub command-line option which can be used in that
> case. Could you update the relevant model wiki pages to mention it
> please?

I have updated the wiki page.

>
>>      The current implementation of scrub_heap_pages loop on every page in the
>>      frametable. On ARM, there is only which can contains MMIO. We are safe
>>      because when frametable is initialized, page are marked inuse. So the
>>      function won't clear theses pages.
>
> I don't think this behaviour is specific to ARM, x86 has MMIO regions
> mixed in with RAM as well.

I was not sure, so I prefered to explain why it's ok.

-- 
Julien Grall

Re: [PATCH] xen/arm: Scrub heap pages during boot

[Ian Campbell]

On Fri, 2014-01-10 at 13:48 +0000, Julien Grall wrote:
> 
> On 01/10/2014 09:52 AM, Ian Campbell wrote:
> > On Fri, 2014-01-10 at 03:27 +0000, Julien Grall wrote:
> >> Scrub heap pages was disabled because it was slow on the models. Now that Xen
> >> supports real hardware, it's possible to enable by default scrubbing.
> >>
> >> Signed-off-by: Julien Grall <julien.grall@linaro.org>
> >
> > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> 
> Thanks.

Applied.

> >> ---
> >>      This patch should go to Xen 4.4. It avoid to give non-cleared page to
> >>      a domain.
> >>
> >>      The downside is it's now slow on models.
> >
> > There is a no-bootscrub command-line option which can be used in that
> > case. Could you update the relevant model wiki pages to mention it
> > please?
> 
> I have updated the wiki page.

Thanks.

Re: [PATCH] xen/arm: Scrub heap pages during boot

[Ian Campbell]

On Fri, 2014-01-10 at 17:09 +0000, Ian Campbell wrote:
> On Fri, 2014-01-10 at 13:48 +0000, Julien Grall wrote:
> > 
> > On 01/10/2014 09:52 AM, Ian Campbell wrote:
> > > On Fri, 2014-01-10 at 03:27 +0000, Julien Grall wrote:
> > >> Scrub heap pages was disabled because it was slow on the models. Now that Xen
> > >> supports real hardware, it's possible to enable by default scrubbing.
> > >>
> > >> Signed-off-by: Julien Grall <julien.grall@linaro.org>
> > >
> > > Acked-by: Ian Campbell <ian.campbell@citrix.com>
> > 
> > Thanks.
> 
> Applied.
> 
> > >> ---
> > >>      This patch should go to Xen 4.4. It avoid to give non-cleared page to
> > >>      a domain.
> > >>
> > >>      The downside is it's now slow on models.
> > >
> > > There is a no-bootscrub command-line option which can be used in that
> > > case. Could you update the relevant model wiki pages to mention it
> > > please?
> > 
> > I have updated the wiki page.
> 
> Thanks.

You made it say "comment out the code" rather than advising to use the
command line option like I suggested -- was that on purpose?

Is something broken with the command line option?

Ian

Re: [PATCH] xen/arm: Scrub heap pages during boot

[Julien Grall]

On 01/10/2014 05:51 PM, Ian Campbell wrote:
> On Fri, 2014-01-10 at 17:09 +0000, Ian Campbell wrote:
>> On Fri, 2014-01-10 at 13:48 +0000, Julien Grall wrote:
>>>
>>> On 01/10/2014 09:52 AM, Ian Campbell wrote:
>>>> On Fri, 2014-01-10 at 03:27 +0000, Julien Grall wrote:
>>>>> Scrub heap pages was disabled because it was slow on the models. Now that Xen
>>>>> supports real hardware, it's possible to enable by default scrubbing.
>>>>>
>>>>> Signed-off-by: Julien Grall <julien.grall@linaro.org>
>>>>
>>>> Acked-by: Ian Campbell <ian.campbell@citrix.com>
>>>
>>> Thanks.
>>
>> Applied.
>>
>>>>> ---
>>>>>      This patch should go to Xen 4.4. It avoid to give non-cleared page to
>>>>>      a domain.
>>>>>
>>>>>      The downside is it's now slow on models.
>>>>
>>>> There is a no-bootscrub command-line option which can be used in that
>>>> case. Could you update the relevant model wiki pages to mention it
>>>> please?
>>>
>>> I have updated the wiki page.
>>
>> Thanks.
> 
> You made it say "comment out the code" rather than advising to use the
> command line option like I suggested -- was that on purpose?
> 
> Is something broken with the command line option?

No, I thought we will need to create a command line. I will update the
wiki page.

-- 
Julien Grall