Re: [Xen-devel] [Hackathon minutes] PV network improvements

[Wei Liu <wei.liu2@xxxxxxxxxx>]

On Mon, May 20, 2013 at 03:49:32PM +0100, George Dunlap wrote:
[...]
> > J) Map the whole physical memory of the machine in dom0
> > If mapping/unmapping or copying slows us down, could we just keep the
> > whole physical memory of the machine mapped in dom0 (with corresponding
> > IOMMU entries)?
> > At that point the frontend could just pass mfn numbers to the backend,
> > and the backend would already have them mapped.
> > >From a security perspective it doesn't change anything when running
> > the backend in dom0, because dom0 is already capable of mapping random
> > pages of any guests. QEMU instances do that all the time.
> > But it would take away one of the benefits of deploying driver domains:
> > we wouldn't be able to run the backends at a lower privilege level.
> > However it might still be worth considering as an option? The backend is
> > still trusted and protected from the frontend, but the frontend wouldn't
> > be protected from the backend.
> 
> What's missing from this was my side of the discussion:
> 
> I was saying that if TLB flushes from grant-unmap is indeed the
> problem, then maybe we could have the *front-end* in charge of
> requesting a TLB flush for its pages.  The strict TLB flushing is to
> protect a frontend from rogue back-ends from reading sensitive data;
> if the front-end were willing to just not use the pages for a short
> amount of time, and issue a flush say every second or so, that would
> reduce the TLB flushes greatly while maintaining the safety advantages
> of driver domains.
> 

I'm not sure I get what you mean here. Are you saying DomU flushes
Dom0's TLB entries?


Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel