Xen project Mailing List

Re: [Xen-devel] [PATCH 5 of 6] Rework stale p2m auditing

To: "Tim Deegan" <tim@xxxxxxx>

From: "Andres Lagar-Cavilla" <andres@xxxxxxxxxxxxxxxx>

Date: Thu, 24 Nov 2011 08:21:08 -0800

Cc: olaf@xxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx, george.dunlap@xxxxxxxxxxxxx, andres@xxxxxxxxxxxxxx, keir.xen@xxxxxxxxx, adin@xxxxxxxxxxxxxx

Delivery-date: Thu, 24 Nov 2011 16:21:50 +0000

Domainkey-signature: a=rsa-sha1; c=nofws; d=lagarcavilla.org; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; q=dns; s= lagarcavilla.org; b=dtZJTsUQfyXv35kAb9y+FjXYEI1bzlZgASexDfRM9uLa 4CKuQB5F/gWoQJX3fPdm5rN1onDGyfi67txfpmBWmNzWxEHs/+GbhVUMayh1Eqwa sy4J7mNd9zZGLtioK/dvJfEPIuw0M/j2muxz/JipFnFR+XMXAdw5KoCd+dSur28=

List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Tim, I don't think we'll ever be able to move out of global p2m locks if we allow these inline audits. In a fine-grained p2m lock case, the code will acquire exclusive rights on a range of the p2m. But then, in order to audit the whole p2m, it will need to promote its exclusive access to the whole p2m, and that's a deadlock trap. Ultimately, I can submit a patch that fixes the bit rotting and leaves the inlines in place. And if and when the p2m locking becomes fine-grained, we can ifdef into global locking if P2M_AUDIT is nonzero. It's kinda yucky. And somewhat crippling of the intended debugging purposes of an audit (with fine-grained locks). But it will work and will not put the fine-grained cart before the locking horse. Thanks Andres > At 16:48 -0500 on 14 Nov (1321289326), Andres Lagar-Cavilla wrote: >> The p2m audit code doesn't even compile, let alone work. It also >> partially supports ept. Make it: >> >> - compile >> - lay groundwork for eventual ept support >> - move out of the way of all calls and turn it into a domctl. It's >> obviously not being used by anybody presently. >> - enable it via said domctl > > Thanks for looking at this code (which, as you say, had considerably > rotted). > > I'm not sure I'm a big fan of provoking audits from user-space rather > than having them run on every operation; in previous incarnations there > have been serial debug-keys that triggered auditing code (which would > then be run before and after every operation) - I found that much more > helpful in the case of failure, as it pointed to which operation had > caused the problem rather than saying 'something bad happened at somne > point'. > > If you really want to keep the hypercall, I think it could probably be > part of the existing paging/shadow control domctl rather than having > its own. That would have the advantage of preventing an untrusted > domain from calling it on itself (which has in the past turned slightly > bitrotted audit code into a denial-of-service vector!). > > Cheers, > > Tim. > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.