Re: [Xen-devel] reserve e820 ram
________________________________________
From: Tim Deegan [tim@xxxxxxx]
Sent: 11 April 2012 12:58
To: Francisco Rocha
Cc: xen-devel@xxxxxxxxxxxxx
Subject: Re: [Xen-devel] reserve e820 ram

Hi,

At 12:22 +0100 on 11 Apr (1334146973), Francisco Rocha wrote:
> This part is working.
>
> I am able to reserve a range of memory and boot a HVM guest
> that uses pages from that range. The problem is when I try
> to restrict dom0 from accessing those pages, it fails in allocating
> the memory to the guest.

Does it fail in allocating the memory or in populating it? Dom0 has to map the new domain's memory to put the BIOS and firmware in before it boots.

Sorry, it allocates the memory but fails when trying to populate it. This happened because I changed get_page_from_l1e to restrict access.

> Is get_page_from_l1e always called by dom0?

get_page_from_l1e is called for any pagetable entry (PV or shadowed HVM) that maps a page of memory. So it will be called when dom0 tries to map the memory.

Thank you.

> Can a guest run when dom0 is restricted from
> accessing its memory? I would only want to restrict access
> for certain operations.

Dom0 maps domU's memory three times:
- Once (by force) to populate the BIOS &C at build time.
- In Qemu (again, by force) to emulate domU's hardware.
- In the PV backend drivers (using the grant tables) for block & net I/O.

You can handle the build-time maps by allowing them and then making sure they all get pulled down before the domain is unpaused for the first time (or by having a separate trusted/privileged builder domain that does nothing but build domains).

All right, I will look for this stage in the code.

You can handle the second by using stub domains to run qemu in a different domain, or by only using PV domUs.

If I use the stub domain provided with Xen, dom0 will not perform the second mapping, right?

The third is pretty much a requirement if the domU's going to do any I/O via dom0, but at least with grant tables the ACL is under domU's control.

Or if you have an IOMMU you can give the domU direct access to its own network card and disk controller.

I only have one ethernet card but I can get an ethernet expresscard. Can I do this on the machine that gives me the output that follows?

(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) Intel VT-d Shared EPT tables not enabled.

Does "not enabled" mean I should enable them in the BIOS? Because I have looked everywhere and I can't find any other options related to VT-d.

(XEN) VMX: Supported advanced features:
(XEN) - APIC MMIO access virtualisation
(XEN) - APIC TPR shadow
(XEN) - Extended Page Tables (EPT)
(XEN) - Virtual-Processor Identifiers (VPID)
(XEN) - Virtual NMI
(XEN) - MSR direct-access bitmap
(XEN) - Unrestricted Guest
(XEN) HVM: ASIDs enabled.
(XEN) HVM: VMX enabled
(XEN) HVM: Hardware Assisted Paging (HAP) detected
(XEN) HVM: HAP page sizes: 4kB, 2MB

Cheers,
Tim.

Thank you for the help Tim!

Cheers,
Francisco

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
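
The three mapping paths described in the message above, written out as a small access-policy model. This is an added example, not Xen code and not from either poster; the struct, the function names and the domain ids (dom0 as builder, dom5 as stub domain) are all hypothetical.

```c
/* Toy model, not Xen code: which foreign mappings of a guest page are allowed. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 8
enum map_kind { MAP_BUILD, MAP_EMULATOR, MAP_GRANT };

struct guest {
    bool unpaused;            /* set on the first successful unpause */
    int  build_maps;          /* build-time mappings still live */
    int  builder_domid;       /* domain that builds the guest (assumed) */
    int  emulator_domid;      /* stub domain running the device model (assumed) */
    int  granted_to[NPAGES];  /* per page: domid the guest granted to, or -1 */
};

void guest_init(struct guest *g, int builder, int emulator) {
    g->unpaused = false;
    g->build_maps = 0;
    g->builder_domid = builder;
    g->emulator_domid = emulator;
    for (int i = 0; i < NPAGES; i++) g->granted_to[i] = -1;
}

bool may_map(struct guest *g, int mapper, enum map_kind kind, int pfn) {
    if (pfn < 0 || pfn >= NPAGES) return false;
    switch (kind) {
    case MAP_BUILD:      /* forced map: builder only, and only before first unpause */
        if (g->unpaused || mapper != g->builder_domid) return false;
        g->build_maps++;
        return true;
    case MAP_EMULATOR:   /* forced map: only the stub domain, never dom0 */
        return mapper == g->emulator_domid;
    case MAP_GRANT:      /* ACL controlled by the guest itself */
        return g->granted_to[pfn] == mapper;
    }
    return false;
}

void unmap_build(struct guest *g) { if (g->build_maps > 0) g->build_maps--; }

bool unpause(struct guest *g) {   /* refused while a build-time map is live */
    if (g->build_maps != 0) return false;
    g->unpaused = true;
    return true;
}

int main(void) {
    struct guest g;
    guest_init(&g, 0, 5);         /* constructed ids: dom0 builds, dom5 is the stub */
    may_map(&g, 0, MAP_BUILD, 1);
    printf("unpause with live build map: %d\n", unpause(&g));
    unmap_build(&g);
    printf("unpause after teardown: %d\n", unpause(&g));
    return 0;
}
```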