From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Vrabel Subject: Re: [PATCH v2 3/4] xen/arm: introduce GNTTABOP_cache_flush Date: Wed, 8 Oct 2014 13:06:25 +0100 Message-ID: <543528C1.9090901@citrix.com> References: <1412347845-27755-3-git-send-email-stefano.stabellini@eu.citrix.com> <5432B382.3040000@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Stefano Stabellini Cc: julien.grall@citrix.com, xen-devel@lists.xensource.com, Ian.Campbell@citrix.com List-Id: xen-devel@lists.xenproject.org On 08/10/14 12:54, Stefano Stabellini wrote: > On Mon, 6 Oct 2014, David Vrabel wrote: >> On 03/10/14 15:50, Stefano Stabellini wrote: >>> Introduce a new hypercall to perform cache maintenance operation on >>> behalf of the guest. The argument is a machine address and a size. The >>> implementation checks that the memory range is owned by the guest or the >>> guest has been granted access to it by another domain. >>> >>> Signed-off-by: Stefano Stabellini >> [...] >>> --- a/xen/common/grant_table.c >>> +++ b/xen/common/grant_table.c [...] >>> @@ -2641,6 +2641,79 @@ do_grant_table_op( >>> + >>> + if ( !grant_map_exists(d, owner->grant_table, mfn) ) >> >> Looping over all grant table entries or all maptrack entries looks >> expensive to me. >> >> Perhaps consider allowing suitably privileged domains to >> clean/invalidate any address without having to check if it's been granted. > > I think that would weaken our security guarantees. If the domain can map the foreign domain's frames by other means (e.g., dom0 or a qemu stubdom) then it already has the ability to to clean/invalidate the cache for arbitrary foreign frames. David