From: Wei Liu <wei.liu2@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Wei Liu <wei.liu2@citrix.com>,
Ian Campbell <ian.campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
PaulDurrant <Paul.Durrant@citrix.com>,
Anthony PERARD <anthony.perard@citrix.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Domctl and physdevop for passthrough (Was: Re: Stabilising some tools only HVMOPs?)
Date: Mon, 29 Feb 2016 18:12:36 +0000 [thread overview]
Message-ID: <20160229181236.GI17111@citrix.com> (raw)
In-Reply-To: <56D447D202000078000D74C9@prv-mh.provo.novell.com>
On Mon, Feb 29, 2016 at 05:29:54AM -0700, Jan Beulich wrote:
> >>> On 29.02.16 at 13:23, <wei.liu2@citrix.com> wrote:
> > On Tue, Feb 23, 2016 at 02:31:30PM +0000, Wei Liu wrote:
> >> On Mon, Feb 22, 2016 at 04:28:19AM -0700, Jan Beulich wrote:
> >> > >>> On 19.02.16 at 17:05, <wei.liu2@citrix.com> wrote:
> >> > > On Wed, Feb 17, 2016 at 05:28:08PM +0000, Wei Liu wrote:
> >> > >> Hi all
> >> > >>
> >> > >> Tools people are in the process of splitting libxenctrl into a set of
> >> > >> stable libraries. One of the proposed libraries is libxendevicemodel
> >> > >> which has a collection of APIs that can be used by device model.
> >> > >>
> >> > >> Currently we use QEMU as reference to extract symbols and go through
> >> > >> them one by one. Along the way we discover QEMU is using some tools
> >> > >> only HVMOPs.
> >> > >>
> >> > >> The list of tools only HVMOPs used by QEMU are:
> >> > >>
> >> > >> #define HVMOP_track_dirty_vram 6
> >> > >> #define HVMOP_modified_memory 7
> >> > >> #define HVMOP_set_mem_type 8
> >> > >> #define HVMOP_inject_msi 16
> >> > >> #define HVMOP_create_ioreq_server 17
> >> > >> #define HVMOP_get_ioreq_server_info 18
> >> > >> #define HVMOP_map_io_range_to_ioreq_server 19
> >> > >> #define HVMOP_unmap_io_range_from_ioreq_server 20
> >> > >> #define HVMOP_destroy_ioreq_server 21
> >> > >> #define HVMOP_set_ioreq_server_state 22
> >> > >>
> >> > >
> >> > > In the process of ploughing through QEMU symbols, there are some domctls
> >> > > and physdevops used to do passthrough. To make passthrough APIs in
> >> > > libxendevicemodel we need to stabilise them as well. Can I use the same
> >> > > trick __XEN_TOOLS_STABLE__ here? If not, what would be the preferred way
> >> > > of doing this?
> >> > >
> >> > > PASSTHRU
> >> > > `xc_domain_bind_pt_pci_irq` `XEN_DOMCTL_bind_pt_irq`
> >> > > `xc_domain_ioport_mapping` `XEN_DOMCTL_ioport_mapping`
> >> > > `xc_domain_memory_mapping` `XEN_DOMCTL_memory_mapping`
> >> > > `xc_domain_unbind_msi_irq` `XEN_DOMCTL_unbind_pt_irq`
> >> > > `xc_domain_unbind_pt_irq` `XEN_DOMCTL_unbind_pt_irq`
> >> > > `xc_domain_update_msi_irq` `XEN_DOMCTL_bind_pt_irq`
> >> > > `xc_physdev_map_pirq` `PHYSDEVOP_map_pirq`
> >> > > `xc_physdev_map_pirq_msi` `PHYSDEVOP_map_pirq`
> >> > > `xc_physdev_unmap_pirq` `PHYSDEVOP_unmap_pirq`
> >> >
> >> > Mechanically I would say yes, but anything here which is also on
> >> > the XSA-77 waiver list would first need removing there (with
> >> > proper auditing and, if necessary, fixing).
> >> >
> >>
> >> I admit I failed to parse xsm-flask.txt and XSA-77 and its implication,
> >> so let's take a concrete example instead.
> >>
> >> Say, now I need to stabilise XEN_DOMCTL_pin_mem_cacheattr, which is on
> >
> > The conversation thus far has indicated stabilising this particular
> > hypercall is no go.
> >
> > The higher order goal is actually pinning the memory cache attribute for
> > video ram. I was thinking to have a set of dedicated hypercalls for
> > video ram.
> >
> > But then my reading of XSA-154 suggests that no untrusted entity should
> > be allowed to alter the caching attribute, so a set of restricted
> > hypercalls might not be feasible either. I would like to know if my
> > reading is correct.
>
> Yes, your reading is mostly correct: Of course this can be
> permitted eventually, but only after having made such a model
> safe against abuse.
>
I read the XSA-154 patch and think a little bit on whether making
dedicated hypercall is feasible.
1. The patch for XSA-154 mentions that only MMIO mappings with
inconsistent attributes can cause system instability.
2. PV case is hard, but the device model library is only of interest to
HVM domain, so PV can be ignored.
3. We want to continue honoring pinned cachability attributes for HVM
domain.
It seems we have a way forward. Say, we have new hypercall just for
pinning video ram cachability attribute.
The new hypercall has following properties:
1. It can only be used on HVM domains.
2. It can only be used on mfns that are not in MMIO ranges, because
vram is just normal ram.
3. It can only set the cachability attribute to WC (used by video ram).
4. It is not considered stable.
so that it won't be abused to change cachability attributes of MMIO
mappings on PV guest to make the host unstable. The stale data issue is
of no relevance as stated in XSA-154 patch.
Does this sound plausible?
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-02-29 18:12 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 17:28 Stabilising some tools only HVMOPs? Wei Liu
2016-02-18 10:24 ` Ian Campbell
2016-02-18 10:37 ` Jan Beulich
2016-02-18 10:45 ` Wei Liu
2016-02-18 10:53 ` Ian Campbell
2016-02-18 10:55 ` Wei Liu
2016-02-18 10:56 ` Jan Beulich
2016-02-18 10:31 ` Jan Beulich
2016-02-18 10:36 ` Wei Liu
2016-02-18 10:44 ` Ian Campbell
2016-02-18 10:55 ` Jan Beulich
2016-02-18 10:59 ` Wei Liu
2016-02-18 11:04 ` Jan Beulich
2016-02-18 12:51 ` Wei Liu
2016-02-18 16:28 ` Ian Jackson
2016-02-18 16:29 ` Wei Liu
2016-02-18 16:41 ` Jan Beulich
2016-02-18 16:45 ` Ian Jackson
2016-02-18 16:49 ` Wei Liu
2016-02-18 16:37 ` Ian Campbell
2016-02-19 16:05 ` Domctl and physdevop for passthrough (Was: Re: Stabilising some tools only HVMOPs?) Wei Liu
2016-02-22 11:28 ` Jan Beulich
2016-02-22 11:56 ` Wei Liu
2016-02-23 14:31 ` Wei Liu
2016-02-23 15:46 ` Jan Beulich
2016-02-23 17:09 ` Wei Liu
2016-02-23 17:24 ` Jan Beulich
2016-02-23 17:28 ` Jan Beulich
2016-02-23 17:55 ` Wei Liu
2016-02-29 12:23 ` Wei Liu
2016-02-29 12:29 ` Jan Beulich
2016-02-29 18:12 ` Wei Liu [this message]
2016-03-01 7:54 ` Jan Beulich
2016-03-01 10:52 ` Wei Liu
2016-03-01 11:10 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160229181236.GI17111@citrix.com \
--to=wei.liu2@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=Paul.Durrant@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=ian.campbell@citrix.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).