[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Hackathon minutes] PV network improvements

To: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
Date: Tue, 21 May 2013 09:31:07 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
Delivery-date: Tue, 21 May 2013 08:31:29 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 05/21/2013 09:22 AM, Ian Campbell wrote:

On Mon, 2013-05-20 at 19:33 +0100, Wei Liu wrote:

On Mon, May 20, 2013 at 03:49:32PM +0100, George Dunlap wrote:
[...]

J) Map the whole physical memory of the machine in dom0
If mapping/unmapping or copying slows us down, could we just keep the
whole physical memory of the machine mapped in dom0 (with corresponding
IOMMU entries)?
At that point the frontend could just pass mfn numbers to the backend,
and the backend would already have them mapped.
>From a security perspective it doesn't change anything when running
the backend in dom0, because dom0 is already capable of mapping random
pages of any guests. QEMU instances do that all the time.
But it would take away one of the benefits of deploying driver domains:
we wouldn't be able to run the backends at a lower privilege level.
However it might still be worth considering as an option? The backend is
still trusted and protected from the frontend, but the frontend wouldn't
be protected from the backend.


What's missing from this was my side of the discussion:

I was saying that if TLB flushes from grant-unmap is indeed the
problem, then maybe we could have the *front-end* in charge of
requesting a TLB flush for its pages.  The strict TLB flushing is to
protect a frontend from rogue back-ends from reading sensitive data;
if the front-end were willing to just not use the pages for a short
amount of time, and issue a flush say every second or so, that would
reduce the TLB flushes greatly while maintaining the safety advantages
of driver domains.


I'm not sure I get what you mean here. Are you saying DomU flushes
Dom0's TLB entries?


The gnt_unmap made by dom0 needs to flush the TLB of any physical
processor which may have seen the mapping, which means approximately all
dom0 vcpus.

That's what I was getting at. It's Xen that does any actual TLBflushes, and for now the "promise" to the front-end is that the page issafe from the backend* after the transaction is done. But it would benicer if we could batch these flushes to happen once every few hundredmilliseconds, or even one a second. If we allowed the front-end tochoose a new the interface, that said "the page is safe from the backendonce you have made this hypercall", then guests could choose the"window" size based on their own parameters.

* Remember that the point of grant maps isn't to allow *dom0* access tothe guests; dom0 already has all the access it needs. It's to allowdriver domains access to the guests.


 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [Hackathon minutes] PV network improvements
  - From: Stefano Stabellini
- Re: [Xen-devel] [Hackathon minutes] PV network improvements
  - From: George Dunlap
- Re: [Xen-devel] [Hackathon minutes] PV network improvements
  - From: Wei Liu
- Re: [Xen-devel] [Hackathon minutes] PV network improvements
  - From: Ian Campbell

Prev by Date: Re: [Xen-devel] [Hackathon minutes] PV network improvements
Next by Date: Re: [Xen-devel] [Hackathon minutes] PV frontends/backends and NUMA machines
Previous by thread: Re: [Xen-devel] [Hackathon minutes] PV network improvements
Next by thread: Re: [Xen-devel] [Hackathon minutes] PV network improvements
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.