From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>
Cc: AndrewCooper <andrew.cooper3@citrix.com>,
ian.jackson@eu.citrix.com,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [xen-unstable test] 56456: regressions - FAIL
Date: Wed, 20 May 2015 11:55:11 +0200 [thread overview]
Message-ID: <555C59FF.1090508@citrix.com> (raw)
In-Reply-To: <20150520094312.GA12015@deinos.phlegethon.org>
El 20/05/15 a les 11.43, Tim Deegan ha escrit:
> At 10:12 +0100 on 20 May (1432116766), Jan Beulich wrote:
>>>>> On 20.05.15 at 10:58, <roger.pau@citrix.com> wrote:
>>> After looking into this a little bit more, I'm afraid I don't see a
>>> straight forward way to check for the permissions of all paging levels.
>>> Here are the options I've found in order to deal with this:
>>>
>>> - Use guest_get_eff_l1e and only check for the permissions of the L1
>>> entry. Is it possible that the guest places an invalid entry in the
>>> linear l1 table without Xen realizing?
>>
>> No - all page table changes are being validated by Xen.
>
> Yes, using guest_get_eff_l1e() is safe for Xen. The only concern is
> whether it's safe for the guest -- Xen might not honour an upper-level
> read-only mark (which copy_to_guest() would) or a supervisor-mode-only
> mark (which it wouldn't).
>
>>> - Add a new function hook somewhere (pv_domain maybe?) that can be
>>> used to translate GVA to PFN for PV guests (mimicking what
>>> paging_gva_to_gfn does). This would be implemented using
>>> guest_walk_X_level, where X is the paging levels of the guest.
>>>
>>> - Use some glue to be able to call guest_walk_{3/4}_level from
>>> paging.c directly, and correctly choose which one to use based on
>>> the guest bitness. IMHO this looks quite wacky, and I'm not even
>>> sure if it's possible given the amount of preprocessor foo in
>>> guest_pt.h.
>>>
>>> I have the first option already implemented, but I would appreciate some
>>> advice regarding the security implications of it.
>>
>> I think with all of the options here being unsatisfactory we should
>> reconsider your original option of restoring previous behavior
>> (without any mapping) for the PV case. Tim?
>
> Yeah, I don't think it's worth adding a bunch mode pagetable-walk
> machinery just to keep this function clean. So I suppose we have to
> have two paths. in this code.
FWIW there's also the option of taking the callers p2m lock if it's a
HVM guest:
http://lists.xen.org/archives/html/xen-devel/2014-10/msg01769.html
And avoid doing any modifications of the code paths.
Roger.
prev parent reply other threads:[~2015-05-20 9:55 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-16 8:51 [xen-unstable test] 56456: regressions - FAIL osstest service user
2015-05-16 11:45 ` Roger Pau Monné
2015-05-18 8:34 ` Jan Beulich
2015-05-18 10:17 ` Tim Deegan
2015-05-18 10:36 ` Jan Beulich
2015-05-18 10:50 ` Roger Pau Monné
2015-05-18 11:00 ` Tim Deegan
2015-05-18 11:19 ` Jan Beulich
2015-05-19 10:20 ` Tim Deegan
2015-05-19 10:29 ` Jan Beulich
2015-05-19 15:07 ` Roger Pau Monné
2015-05-20 8:58 ` Roger Pau Monné
2015-05-20 9:12 ` Jan Beulich
2015-05-20 9:43 ` Tim Deegan
2015-05-20 9:55 ` Roger Pau Monné [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555C59FF.1090508@citrix.com \
--to=roger.pau@citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.