[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v2 00/12] Alternate p2m: support multiple copies of host p2m
This set of patches adds support to hvm domains for EPTP switching by creating multiple copies of the host p2m (currently limited to 10 copies). The primary use of this capability is expected to be in scenarios where access to memory needs to be monitored and/or restricted below the level at which the guest OS page tables operate. Two examples that were discussed at the 2014 Xen developer summit are: VM introspection: http://www.slideshare.net/xen_com_mgr/ zero-footprint-guest-memory-introspection-from-xen Secure inter-VM communication: http://www.slideshare.net/xen_com_mgr/nakajima-nvf A more detailed design specification can be found at: http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg01319.html Each p2m copy is populated lazily on EPT violations. Permissions for pages in alternate p2m's can be changed in a similar way to the existing memory access interface, and gfn->mfn mappings can be changed. All this is done through extra HVMOP types. The cross-domain HVMOP code has been compile-tested only. Also, the cross-domain code is hypervisor-only, the toolstack has not been modified. The intra-domain code has been tested. Violation notifications can only be received for pages that have been modified (access permissions and/or gfn->mfn mapping) intra-domain, and only on VCPU's that have enabled notification. VMFUNC and #VE will both be emulated on hardware without native support. This code is not compatible with nested hvm functionality and will refuse to work with nested hvm active. It is also not compatible with migration. It should be considered experimental. Changes since v1: Many changes since v1 in response to maintainer feedback, including: Suppress_ve state is now decoupled from memory type VMFUNC emulation handled in x86 emulator Lazy-copy algorithm copies any page where mfn != INVALID_MFN All nested page fault handling except lazy-copy is now in top-level (hvm.c) nested page fault handler Split p2m lock type (as suggested by Tim) to avoid lock order violations XSM hooks Xen parameter to globally enable altp2m (default disabled) and HVM parameter Altp2m reference counting no longer uses dirty_cpu bitmap Remapped page tracking to invalidate altp2m's where needed to protect Xen Many other minor changes The altp2m invalidation is implemented to a level that I believe satisifies the requirements of protecting Xen. Invalidation notification is not yet implemented, and there may be other cases where invalidation is warranted to protect the integrity of the restrictions placed through altp2m. We may add further patches in this area. Testability is still a potential issue. We have offered to make our internal Windows test binaries available for intra-domain testing. Tamas has been working on toolstack support for cross-domain testing with a slightly earlier patch series, and we hope he will submit that support. Not all of the patches will be of interest to everyone copied here. I've copied everyone on this initial mailing to give context. Ed White (10): VMX: VMFUNC and #VE definitions and detection. VMX: implement suppress #VE. x86/HVM: Hardware alternate p2m support detection. x86/altp2m: basic data structures and support routines. VMX/altp2m: add code to support EPTP switching and #VE. x86/altp2m: add control of suppress_ve. x86/altp2m: alternate p2m memory events. x86/altp2m: add remaining support routines. x86/altp2m: define and implement alternate p2m HVMOP types. x86/altp2m: Add altp2mhvm HVM domain parameter. Ravi Sahita (2): VMX: add VMFUNC leaf 0 (EPTP switching) to emulator. x86/altp2m: XSM hooks for altp2m HVM ops docs/man/xl.cfg.pod.5 | 12 + docs/misc/xen-command-line.markdown | 7 + tools/flask/policy/policy/modules/xen/xen.if | 4 +- tools/libxl/libxl_create.c | 1 + tools/libxl/libxl_dom.c | 2 + tools/libxl/libxl_types.idl | 1 + tools/libxl/xl_cmdimpl.c | 8 + xen/arch/x86/hvm/Makefile | 2 + xen/arch/x86/hvm/altp2mhvm.c | 82 +++++ xen/arch/x86/hvm/emulate.c | 13 +- xen/arch/x86/hvm/hvm.c | 357 +++++++++++++++++- xen/arch/x86/hvm/vmx/vmcs.c | 42 ++- xen/arch/x86/hvm/vmx/vmx.c | 163 +++++++++ xen/arch/x86/mm/hap/Makefile | 1 + xen/arch/x86/mm/hap/altp2m_hap.c | 103 ++++++ xen/arch/x86/mm/hap/hap.c | 31 +- xen/arch/x86/mm/mm-locks.h | 33 +- xen/arch/x86/mm/p2m-ept.c | 67 +++- xen/arch/x86/mm/p2m.c | 528 ++++++++++++++++++++++++++- xen/arch/x86/x86_emulate/x86_emulate.c | 8 + xen/arch/x86/x86_emulate/x86_emulate.h | 4 + xen/include/asm-arm/p2m.h | 7 + xen/include/asm-x86/domain.h | 10 + xen/include/asm-x86/hvm/altp2mhvm.h | 42 +++ xen/include/asm-x86/hvm/hvm.h | 25 ++ xen/include/asm-x86/hvm/vcpu.h | 9 + xen/include/asm-x86/hvm/vmx/vmcs.h | 14 +- xen/include/asm-x86/hvm/vmx/vmx.h | 13 +- xen/include/asm-x86/msr-index.h | 1 + xen/include/asm-x86/p2m.h | 80 +++- xen/include/public/hvm/hvm_op.h | 69 ++++ xen/include/public/hvm/params.h | 5 +- xen/include/public/vm_event.h | 13 +- xen/include/xen/mem_access.h | 1 + xen/include/xsm/dummy.h | 12 + xen/include/xsm/xsm.h | 12 + xen/xsm/dummy.c | 2 + xen/xsm/flask/hooks.c | 12 + xen/xsm/flask/policy/access_vectors | 7 + 39 files changed, 1770 insertions(+), 33 deletions(-) create mode 100644 xen/arch/x86/hvm/altp2mhvm.c create mode 100644 xen/arch/x86/mm/hap/altp2m_hap.c create mode 100644 xen/include/asm-x86/hvm/altp2mhvm.h -- 1.9.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |