* Re: [PATCH 6/13] KVM: memory slot management
From: Avi Kivity @ 2006-10-29 9:10 UTC
To: Arnd Bergmann
Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-kernel-u79uwXL29TY76Z2rM5mHXA

Arnd Bergmann wrote:
>> It can shoot not only its foot, but anything the monitor's uid has
>> access to. Host files, the host network, other guests belonging to the
>> user, etc.
>>
>
> Yes, that's what I meant. It's obviously nicer if the guest can't do that,
> but it's a tradeoff of the potential security impact against how hard
> it is to implement hiding the addresses you don't want your guest to see.
> To put it into other words, do you want the optimal performance, or the
> optimal security?
>

Well, isolation is one of the most significant features of full
virtualization, both for security and reliability. I don't think we can
compromise that.

>> It's worse than I thought: TLB entries generated by guest accesses are
>> tagged with the guest virtual address, so if you remove a guest
>> physical/host virtual page you need to invalidate the entire guest TLB.
>>
>
> Ok, so it's the HW's fault. They either copied badly or decided doing the
> s390 approach was too expensive.
>

x86 tradition is to make all possible mistakes before getting a working
solution.

--
error compiling committee.c: too many arguments to function
* Re: [PATCH 6/13] KVM: memory slot management
From: Avi Kivity @ 2006-10-29 9:15 UTC
To: Anthony Liguori
Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f, linux-kernel-u79uwXL29TY76Z2rM5mHXA

Anthony Liguori wrote:
>>
>> It's not about TLB entries. The shadow page tables collapse a GV ->
>> HV -> HP double translation into a GV -> HP page table. When the
>> Linux vm goes around evicting pages, it invalidates those mappings.
>>
>> There are two solutions possible: lock pages which participate in
>> these translations (and their number can be large) or modify the
>> Linux vm to consult a reverse mapping and remove the translations (in
>> which case TLB entries need to be removed).
>>
>
> If you locked pages that have active shadow mappings, you could then
> use a secondary mechanism to invalidate existing mappings when necessary.
>

Yes. There are two needs: to propagate virtual machine activity to the
host (by folding dirty and accessed bits from multiple shadow ptes into a
single struct page), and to apply pressure from the vm to the guest (by
invalidating all mappings of a given page).

--
error compiling committee.c: too many arguments to function
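The two mechanisms Avi describes in the message above (folding accessed/dirty bits from many shadow ptes into one host struct page, and using a reverse map so that evicting a host frame drops every shadow mapping of it) are easier to see in a small model. The following is an added illustration written for this page, not code from the KVM patch series or from any of the posters. It works at page-number granularity, assumes a single memory slot that maps guest-physical page gp to host-virtual page slot_base_hv + gp, and the names (shadow_fault, fold_page_bits, host_evict, model_init) and the sample mappings in model_init are constructed for the example. The TLB flush that real hardware would need after invalidation is only noted in a comment.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of KVM-style shadow paging; page numbers, not addresses. */
#define NGV      8    /* guest virtual pages */
#define NGP      8    /* guest physical pages (one memory slot) */
#define NHP      6    /* host physical frames */
#define RMAP_MAX 8

struct spte { int hp; int accessed; int dirty; };   /* shadow pte: gv -> hp   */
struct page { int accessed; int dirty; };           /* host-side struct page  */
struct rmap { int gv[RMAP_MAX]; int n; };           /* hp -> sptes mapping it */

static int guest_pt[NGV];          /* gv -> gp, -1 = not mapped by the guest   */
static int slot_base_hv = 0x100;   /* memory slot: hv = slot_base_hv + gp      */
static int host_pt[NGP];           /* (hv - slot_base_hv) -> hp, -1 = evicted  */
static struct spte shadow[NGV];    /* collapsed GV -> HP table                 */
static struct rmap rmap[NHP];
static struct page pages[NHP];

static int gp_to_hv(int gp) { return (gp < 0 || gp >= NGP) ? -1 : slot_base_hv + gp; }
static int hv_to_hp(int hv) { int i = hv - slot_base_hv; return (i < 0 || i >= NGP) ? -1 : host_pt[i]; }

/* Shadow fault: walk gv -> gp -> hv -> hp once, cache it as one spte, record it in rmap. */
int shadow_fault(int gv)
{
    if (gv < 0 || gv >= NGV) return -1;
    int hp = hv_to_hp(gp_to_hv(guest_pt[gv]));
    if (hp < 0) return -1;                 /* guest unmapped or host frame not resident */
    if (rmap[hp].n >= RMAP_MAX) return -1; /* toy limit on aliases per frame            */
    shadow[gv].hp = hp;
    rmap[hp].gv[rmap[hp].n++] = gv;
    return hp;
}

/* A guest access through the shadow table; sets A/D bits on the spte. Returns hp or -1. */
int guest_access(int gv, int write)
{
    if (gv < 0 || gv >= NGV) return -1;
    if (shadow[gv].hp < 0 && shadow_fault(gv) < 0) return -1;
    shadow[gv].accessed = 1;
    if (write) shadow[gv].dirty = 1;
    return shadow[gv].hp;
}

/* Guest -> host direction: fold A/D bits of every spte mapping hp into its struct page. */
int fold_page_bits(int hp)
{
    if (hp < 0 || hp >= NHP) return -1;
    for (int i = 0; i < rmap[hp].n; i++) {
        struct spte *s = &shadow[rmap[hp].gv[i]];
        pages[hp].accessed |= s->accessed;
        pages[hp].dirty    |= s->dirty;
        s->accessed = s->dirty = 0;        /* bits now live in struct page */
    }
    return pages[hp].dirty;
}

/* Host -> guest direction: the host vm evicts frame hp; every shadow mapping must go. */
int host_evict(int hp)
{
    if (hp < 0 || hp >= NHP) return -1;
    fold_page_bits(hp);                    /* don't lose dirty state before unmapping */
    int n = rmap[hp].n;
    for (int i = 0; i < n; i++)
        shadow[rmap[hp].gv[i]].hp = -1;    /* real HW: also flush the guest TLB here  */
    rmap[hp].n = 0;
    for (int i = 0; i < NGP; i++)
        if (host_pt[i] == hp) host_pt[i] = -1;
    return n;                              /* number of shadow mappings dropped */
}

int spte_hp(int gv)    { return (gv < 0 || gv >= NGV) ? -1 : shadow[gv].hp; }
int rmap_count(int hp) { return (hp < 0 || hp >= NHP) ? -1 : rmap[hp].n; }
int page_dirty(int hp) { return (hp < 0 || hp >= NHP) ? -1 : pages[hp].dirty; }

/* Constructed sample state: gv0 and gv1 alias gp2 (resident in hp5), gv2 -> gp3 (hp4). */
void model_init(void)
{
    memset(pages, 0, sizeof pages);
    memset(rmap, 0, sizeof rmap);
    for (int i = 0; i < NGV; i++) { guest_pt[i] = -1; shadow[i].hp = -1; shadow[i].accessed = shadow[i].dirty = 0; }
    for (int i = 0; i < NGP; i++) host_pt[i] = -1;
    guest_pt[0] = 2; guest_pt[1] = 2; guest_pt[2] = 3;
    host_pt[2] = 5; host_pt[3] = 4;
}

int main(void)
{
    model_init();
    guest_access(0, 0);
    guest_access(1, 1);
    printf("gv1 -> hp %d, %d sptes map hp5\n", spte_hp(1), rmap_count(5));
    printf("hp5 dirty=%d, dropped %d mappings, gv0 now -> %d\n",
           fold_page_bits(5), host_evict(5), guest_access(0, 0));
    return 0;
}
```

The locking alternative from the quoted text would replace host_evict's rmap walk with a refusal to evict while rmap_count(hp) is nonzero; the trade-off Avi points at is that the set of such pinned frames can be large, whereas the rmap approach keeps the host vm in charge at the cost of the invalidation (and, on real x86, the TLB flush) shown here.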