Date: Mon, 14 Jul 2008 15:02:38 +0100
From: Jamie Lokier
Subject: Re: [Qemu-devel] [RFC][PATCH] x86: Optional segment type and limit checks - v2
Message-ID: <20080714140238.GA5496@shareable.org>
References: <4874AB47.9090208@siemens.com> <487B2BC8.9050804@siemens.com> <20080714105531.GB2381@shareable.org> <200807141211.49825.paul@codesourcery.com>
In-Reply-To: <200807141211.49825.paul@codesourcery.com>
To: Paul Brook
Cc: qemu-devel@nongnu.org

Paul Brook wrote:
> > For guests like older Linux, with zero base and non-maximum limit in
> > user mode, could limit checking be done by the MMU TLB instead?
>
> Not really. The only reasonable way to do this would be to use a very
> large virtual address space, with the high bits being the segment
> descriptor. This might work for 32-bit targets on 64-bit hosts, but
> even then it's liable to be more pain than it's worth.

I was thinking more like this, on any host:

- All segment bases are zero, and all limits are LIMIT (3GiB for old
  Linux in user mode).

- When filling the MMU TLB, if it's for an address >= LIMIT, treat as
  MMU exception.

- Flush MMU TLB on any interesting segment change (limit gets smaller,
  etc.).

- Count rate of interesting segment changes. When it's high, switch to
  including segment checks in translated code (same as non-zero bases)
  and not flushing TLB. When it's low, don't put segment checks into
  translated code, and use TLB flushes on segment changes.

- Keep separate count for ring 0 and ring 3, or for "code which uses
  segment prefixes" vs "code which doesn't".

This would suit old Linux, as kernel code uses segment to limit
copy-from/to-user range, but user code has no segment changes normally,
and the user limit check is equivalent to forcing all MMU pages above
that virtual address to be supervisor-only.

-- 
Jamie
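The scheme in the message above, as an added toy model (this is not code from the mail, from the patch under discussion, or from QEMU; every name, constant and window size in it is an assumption). It covers the four mechanisms Jamie lists: a limit check at TLB-fill time only, a TLB flush when the limit shrinks, a per-window count of such changes that switches to inline checks when the rate is high and back to TLB-based checks when it is low, and it omits the per-ring split. Two points a reviewer of such a scheme would want to see enforced are built in: the switch back from inline to TLB mode must flush, because fills made in inline mode never consulted the limit, and a byte-granular limit that falls inside a page must not let that page be cached, or an address above the limit in the same page would later hit the fast path unchecked.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT       12
#define TLB_ENTRIES      64    /* toy direct-mapped TLB (assumption) */
#define WINDOW_ACCESSES  1000  /* accesses per sampling window (assumption) */
#define HIGH_CHANGE_RATE 8     /* >= this many shrinks per window: inline checks */
#define LOW_CHANGE_RATE  1     /* <= this many: back to TLB-based checks */

typedef enum { MODE_TLB = 0, MODE_INLINE = 1 } CheckMode;
typedef struct { uint32_t vpage; bool valid; } TlbEntry;
typedef struct {
    uint32_t limit;             /* flat segment limit; all bases are zero */
    TlbEntry tlb[TLB_ENTRIES];
    CheckMode mode;
    unsigned changes, accesses; /* counters for the current window */
    unsigned flushes;           /* statistic: TLB flushes performed */
} Cpu;

void cpu_init(Cpu *c, uint32_t limit)
{
    memset(c, 0, sizeof *c);
    c->limit = limit;
    c->mode = MODE_TLB;
}

static void tlb_flush(Cpu *c)
{
    memset(c->tlb, 0, sizeof c->tlb);
    c->flushes++;
}

/* End of a window: pick the enforcement strategy for the next one. */
static void maybe_switch_mode(Cpu *c)
{
    if (c->accesses < WINDOW_ACCESSES)
        return;
    if (c->mode == MODE_TLB && c->changes >= HIGH_CHANGE_RATE) {
        c->mode = MODE_INLINE;  /* translated code now carries the checks */
    } else if (c->mode == MODE_INLINE && c->changes <= LOW_CHANGE_RATE) {
        c->mode = MODE_TLB;
        tlb_flush(c);           /* inline-mode fills skipped the limit check */
    }
    c->accesses = c->changes = 0;
}

/* One memory access; returns true if permitted, false for a fault. */
bool cpu_access(Cpu *c, uint32_t addr)
{
    uint32_t vpage = addr >> PAGE_SHIFT;
    TlbEntry *e = &c->tlb[vpage % TLB_ENTRIES];
    bool hit = e->valid && e->vpage == vpage, ok;

    c->accesses++;
    if (c->mode == MODE_INLINE)
        ok = addr < c->limit;   /* explicit check on every access */
    else if (hit)
        ok = true;              /* fast path: no limit check at all */
    else
        ok = addr < c->limit;   /* TLB fill above LIMIT: MMU exception */
    /* Cache the page, except when a byte-granular limit falls inside it:
     * a later address above the limit in the same page would then hit. */
    if (ok && !hit && vpage != (c->limit >> PAGE_SHIFT)) {
        e->vpage = vpage;
        e->valid = true;
    }
    maybe_switch_mode(c);
    return ok;
}

/* Segment change. Only a shrinking limit is "interesting": a grown limit
 * cannot leave behind a cached entry that grants too much. */
void cpu_set_limit(Cpu *c, uint32_t new_limit)
{
    bool shrinks = new_limit < c->limit;
    c->limit = new_limit;
    if (!shrinks)
        return;
    c->changes++;
    if (c->mode == MODE_TLB)
        tlb_flush(c);           /* stale entries above the new limit must go */
}

/* Drive the model: n accesses to one page, shrinking the limit by a page
 * every shrink_every accesses (0 = never). Returns the resulting mode. */
CheckMode simulate(Cpu *c, unsigned n, unsigned shrink_every)
{
    for (unsigned i = 1; i <= n; i++) {
        if (shrink_every && i % shrink_every == 0)
            cpu_set_limit(c, c->limit - (1u << PAGE_SHIFT));
        cpu_access(c, 0x1000);
    }
    return c->mode;
}

int main(void)
{
    Cpu c;
    cpu_init(&c, 0xC0000000u);                  /* old Linux: 3GiB user limit */
    cpu_access(&c, 0xBFFFF000u);                /* cached while below the limit */
    cpu_set_limit(&c, 0xB0000000u);             /* kernel shrinks the limit */
    printf("after shrink: %s (flushes=%u)\n",
           cpu_access(&c, 0xBFFFF000u) ? "allowed" : "fault", c.flushes);
    printf("busy window -> %s\n",
           simulate(&c, 2000, 100) == MODE_INLINE ? "inline" : "tlb");
    return 0;
}
```

The model treats the TLB as exactly what the mail makes it: the only place the limit is checked in the cheap mode. That is why the correctness of the scheme rests on the flush rules rather than on the fill-time check, and why the counters that decide when to stop flushing must never leave a window in which entries filled without a check survive into TLB mode.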