From: Tamas K Lengyel
Subject: Re: [PATCH for-4.5 v10 15/19] xen/arm: Temporarily disable mem_access for hypervisor access
Date: Fri, 26 Sep 2014 15:29:24 +0200
To: Julien Grall
Cc: Ian Campbell, Tim Deegan, Ian Jackson, xen-devel@lists.xen.org, Stefano Stabellini, Andres Lagar-Cavilla, Jan Beulich, Daniel De Graaf, Tamas K Lengyel
List-Id: xen-devel@lists.xenproject.org

On Fri, Sep 26, 2014 at 2:43 PM, Julien Grall wrote:
> Hello Tamas,
>
> On 26/09/2014 10:39, Tamas K Lengyel wrote:
>> On Thu, Sep 25, 2014 at 6:19 PM, Julien Grall wrote:
>>> I don't think that temporarily modifying the permission is the right
>>> thing to do because:
>>>   - p2m_set_mem_access is called 2 times which means 2 TLB
>>>     flushes (and I'm not counting the table mapping), i.e. it's very slow
>>>   - The other VCPUs of the guest are still running. So you may
>>>     not catch unwanted access.
>>
>> That is a problem. The only way around that I see is to pause the domain
>> for the duration of this copy in case the mem_access permissions need to
>> be disabled.
>
> [..]
>
>> So you mean only check the mem_access permissions when we failed to get
>> the page. I'm not sure what you propose afterwards. If there is a
>> mem_access restriction, just return an -errno? It would mean if a
>> mem_access listener has trapped that page then the guest can't execute
>> the hypercall. Since we would also want this system to be invisible to
>> the guest, that I'm afraid is not a good approach.
>
> The P2M is storing the type of the mapping. With this type you can easily
> know if the previous mapping was read/write and therefore know if the guest
> can effectively copy data to the page or not.
>
> I don't see why we would need something more complicated as we want to
> ignore mem_access for now.

As I said, I'm not sure what you are describing exactly. Based on the p2m
type we could already decide if the hypercall should be allowed to read/write
from the page. AFAIU the MMU here is only used as a fast-path to determine if
that's the case.

What I was getting at: it's not a good idea to simply disable hypercalls that
use this path when there is a mem_access permission set because it would
reveal that there is a mem_access listener to the guest. So what I'll do here
is pause the domain when access_in_use is set, temporarily disable the
mem_access permissions, let the read/write through, then re-enable + unpause
the domain.

Tamas

> Regards,
>
> --
> Julien Grall
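The sequence Tamas settles on above (decide from the p2m type whether the guest could write the page at all; if a mem_access listener is active, pause the domain, lift the restriction, do the copy, restore the restriction, unpause), as an added model in C. This is not Xen code and not part of the thread: `struct domain`, `copy_to_guest_page`, `p2m_set_mem_access`, `domain_pause`/`domain_unpause`, `run_scenario`, the page sizes and the three-value `mem_access` enum are all assumptions of a self-contained toy. It also makes the two costs Julien raised visible: the pause that stops the other VCPUs from slipping through the window, and the two TLB flushes the lift/restore pair costs. The point the model demonstrates is the invisibility property: the hypercall returns the same result with or without a listener restriction on the page, and only a genuinely read-only p2m type produces a guest-visible fault.

```c
/* Added model of the pause / lift-restriction / copy / restore sequence
 * discussed in the thread. Hypothetical, self-contained: NOT Xen's p2m,
 * domain or mem_access code. Types, functions and sizes are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES  4
#define PAGE_SIZE 16

enum p2m_type { P2M_RAM_RW, P2M_RAM_RO };             /* mapping type (guest-visible) */
enum mem_access { ACCESS_RWX, ACCESS_R, ACCESS_N };  /* listener restriction (simplified subset) */

struct p2m_entry { enum p2m_type type; enum mem_access access; };

struct domain {
    struct p2m_entry p2m[NR_PAGES];
    uint8_t mem[NR_PAGES][PAGE_SIZE];
    bool access_in_use;   /* set once a mem_access listener installed a restriction */
    int pause_count;      /* >0: all VCPUs stopped, nothing can race the copy */
    int tlb_flushes;      /* counts the cost Julien points out */
};

/* Fast path: the p2m type alone says whether the guest itself could write here. */
static bool p2m_type_allows_write(enum p2m_type t) { return t == P2M_RAM_RW; }

static void domain_pause(struct domain *d)   { d->pause_count++; }
static void domain_unpause(struct domain *d) { d->pause_count--; }

static void p2m_set_mem_access(struct domain *d, unsigned pfn, enum mem_access a)
{
    d->p2m[pfn].access = a;
    d->tlb_flushes++;     /* every permission change invalidates stage-2 TLB entries */
}

/* Hypervisor writes len bytes into guest page pfn on a hypercall's behalf.
 * Returns bytes written, or -1 for a fault the guest would legitimately see.
 * A listener restriction never changes the return value, so its presence
 * stays invisible to the guest. */
static int copy_to_guest_page(struct domain *d, unsigned pfn, const void *src, size_t len)
{
    if (pfn >= NR_PAGES || len > PAGE_SIZE)
        return -1;
    if (!p2m_type_allows_write(d->p2m[pfn].type))
        return -1;                                   /* genuinely read-only: real fault */

    if (d->access_in_use && d->p2m[pfn].access != ACCESS_RWX) {
        enum mem_access saved = d->p2m[pfn].access;
        domain_pause(d);                             /* other VCPUs can't slip through the window */
        p2m_set_mem_access(d, pfn, ACCESS_RWX);      /* flush #1 */
        memcpy(d->mem[pfn], src, len);
        p2m_set_mem_access(d, pfn, saved);           /* flush #2: restriction restored */
        domain_unpause(d);
    } else {
        memcpy(d->mem[pfn], src, len);
    }
    return (int)len;
}

/* Constructed scenario; returns 0 when every check holds, else the failed check's number. */
static int run_scenario(void)
{
    static const uint8_t payload[PAGE_SIZE] = "hypercall-arg!!";  /* constructed: 15 chars + NUL */
    struct domain d;
    memset(&d, 0, sizeof d);
    for (unsigned i = 0; i < NR_PAGES; i++) {
        d.p2m[i].type = P2M_RAM_RW;
        d.p2m[i].access = ACCESS_RWX;
    }
    d.p2m[3].type = P2M_RAM_RO;

    /* 1: no listener, plain copy, no flush */
    if (copy_to_guest_page(&d, 0, payload, PAGE_SIZE) != PAGE_SIZE) return 1;
    if (d.tlb_flushes != 0) return 2;

    /* 2: listener makes pfn 1 read-only; the hypercall result must not change */
    d.access_in_use = true;
    p2m_set_mem_access(&d, 1, ACCESS_R);
    int flushes_before = d.tlb_flushes;
    if (copy_to_guest_page(&d, 1, payload, PAGE_SIZE) != PAGE_SIZE) return 3;
    if (memcmp(d.mem[1], payload, PAGE_SIZE) != 0) return 4;
    if (d.p2m[1].access != ACCESS_R) return 5;         /* restriction back in place */
    if (d.pause_count != 0) return 6;                  /* domain running again */
    if (d.tlb_flushes != flushes_before + 2) return 7; /* the two extra flushes */

    /* 3: genuinely read-only page fails the same way with or without a listener */
    if (copy_to_guest_page(&d, 3, payload, PAGE_SIZE) != -1) return 8;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("%s (check %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The alternative Tamas rejects, returning -errno when a restriction is present, would make check 3 and check 2 distinguishable from the guest's side; in this model the only way the guest can tell the two pages apart is by their p2m type, which is the property the thread wants.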


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel