From: Ben Catterall <Ben.Catterall@citrix.com>
To: xen-devel@lists.xensource.com
Cc: keir@xen.org, ian.campbell@citrix.com,
	george.dunlap@eu.citrix.com, andrew.cooper3@citrix.com,
	tim@xen.org, jbeulich@suse.com,
	Ben Catterall <Ben.Catterall@citrix.com>
Subject: [RFC 0/4] HVM x86 enhancements to run Xen deprivileged mode operations
Date: Thu, 6 Aug 2015 17:45:15 +0100
Message-ID: <1438879519-564-1-git-send-email-Ben.Catterall@citrix.com>

Hi all,

I have a working base for this and would appreciate feedback at this point to
evaluate if it is moving in the right direction.

Many thanks in advance,
Ben

The aim of this work is to create a proof-of-concept to establish if it is
feasible to move certain Xen operations into a deprivileged context to mitigate
the impact of a bug or compromise in such areas. An example would be x86_emulate
or virtual device emulation which is not done in QEMU for performance reasons.
This patch series contains the underlying support mechanisms for this mode,
which include:
 - Setting up the necessary monitor page table entries for the deprivileged
   code, data and stack regions.
 - Moving into and out of this mode
 - Handling system calls from this mode
 - Trapping exceptions taken whilst in this mode
Performance testing
-------------------
Performance testing indicates that the overhead for this deprivileged mode is
approximately 25%. This overhead is the cost of moving into deprivileged mode
and then fully back out of deprivileged mode.
I performed 100000 writes to a single I/O port on an Intel 2.2GHz Xeon
E5-2407 0 processor. This was done from a python script within the HVM guest
using time.time() and running Debian Jessie. Each write was trapped to cause a
vmexit and the time for each write was calculated. These experiments were
repeated. Note that only the host and this HVM guest were running (both Debian
Jessie) during the experiments.
20e-6 seconds was the average time for performing the write without the
      deprivileged code running.
25e-6 seconds was the average time for performing the write with an entry and
      exit from deprivileged mode.
Further Work
------------
 - Support migration of vcpus between pcpus. This will likely be done by using
   a hard affinity to a pcpu and setting a 'migration pending' flag so that
   once we return from deprivileged mode and the stack has unwound, we can then
   migrate the vcpu.
   - Prevent DoS attacks on migration: A counter is needed to prevent
     a spinning deprivileged mode from preventing migration. We could count
     the number of quanta which have passed since we failed to migrate, then
     migrate when it becomes too high.
 - Add support for SVM and test on AMD processors.
   - We need to get the host MSRs for AMD SVM mode.
Signed-off-by: Ben Catterall <Ben.Catterall@citrix.com>
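
The bounded deferral sketched under "Further Work", as an added example that is not part of the original message or the patch series: a small C model in which a migration requested during deprivileged mode is held until exit, and a quanta counter forces it if the deprivileged code never returns. All names, the threshold of 3 and the choice to cut the spinning operation short are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Illustrative model only, not Xen code: every name here is hypothetical. */
#define MAX_DEFERRED_QUANTA 3            /* assumed threshold */
struct vcpu_model {
    int  pcpu, target_pcpu;
    bool in_depriv;                      /* running deprivileged code */
    bool migration_pending;              /* request deferred until unwind */
    int  deferred_quanta;                /* quanta since the deferral */
};

static void do_migrate(struct vcpu_model *v) {
    v->pcpu = v->target_pcpu;
    v->migration_pending = false;
    v->deferred_quanta = 0;
}

/* Scheduler request: honoured at once unless the vcpu is deprivileged. */
void request_migration(struct vcpu_model *v, int target) {
    v->target_pcpu = target;
    v->migration_pending = true;         /* stays pinned to v->pcpu for now */
    if (!v->in_depriv) do_migrate(v);
}

/* Return from deprivileged mode, after the stack has unwound. */
void depriv_exit(struct vcpu_model *v) {
    v->in_depriv = false;
    if (v->migration_pending) do_migrate(v);
}

/* End of a scheduling quantum: bound how long a spinner can defer. */
void quantum_expired(struct vcpu_model *v) {
    if (!v->in_depriv || !v->migration_pending) return;
    if (++v->deferred_quanta < MAX_DEFERRED_QUANTA) return;
    depriv_exit(v);   /* assumption: the spinning operation is cut short */
}

/* pcpu of a vcpu that spins deprivileged for `quanta` quanta (constructed run). */
int pcpu_after_spin(int quanta, bool then_exit) {
    struct vcpu_model v = { .pcpu = 0, .in_depriv = true };
    request_migration(&v, 1);
    while (quanta-- > 0) quantum_expired(&v);
    if (then_exit) depriv_exit(&v);
    return v.pcpu;
}

int main(void) {
    printf("2 quanta: pcpu %d, 3 quanta: pcpu %d\n", pcpu_after_spin(2, false), pcpu_after_spin(3, false));
    return 0;
}
```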