[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Xen Memory Sharing Query


  • To: Marc Bonnici <Marc.Bonnici@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Mon, 18 Jul 2022 14:26:35 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1QE++DKcBwCnHsMRSia20tXPlUS+rCZNxSodvgto4lg=; b=CXxrjfIqoFONkMDxJ7EQDagJYAbKILFTQ/HrVmwHLccuuc1EWJwBbt345PA75K05JqSNeNtZjg6gjfgYKFYugX7aYrNTFUKH/U/bwtgdYgMYawvYzC2vIRAfPQRcG4p5yq6e1XMJKvham1hVaJLmZN3fehD5wSRUjxqAzQ2+FzPEHsTCHB5x2mvcjqTd1x4EGeQEvcMDU9BSgMA8E5IdkgfQiUCHSu8fbU/8F1phdslrFtKMBbK+jnQtKI9Q1ZV07YyLgAL39M97yiABZZvhv3ko9kUrkysZUBVW/OWtDSST0U8+Kkh4ZCo8eWyXOV0MNLWe8yRg4bEhEQU1663xHw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G0Z1GZgWEZfdxZgxRW1CswMSJJxVrq8vTk3SYfD/PSnYYCxaE4myrMSNkqR/YBODSeHCU4969oGMN+HMLeqQQX7EzOg8X6GPvl14ruTGB3+hLcca+hJwcKR6B2Y7dfZORC6FkXAskbGBhs8gOqQN3uNa7MpquqNlVB7GyGr2qgo1vpnIPTUm4GUEc+PytA7gcsqnYEpCLv8O+g66SQrWszbQhtB64ilP3GDVYvdL+2+ouwWtyskB6zgzT+EKdMyY4Te6Qjhq0+fER12jMjABlDJW6ampA6Bandt8m1fjw0m49hWM2dKasKUY9/U1JINYre7pJSgsJDLJuF41kh435w==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Delivery-date: Mon, 18 Jul 2022 14:26:50 +0000
  • Ironport-data: A9a23:aHpdSqOvqmjAKSnvrR3dlsFynXyQoLVcMsEvi/4bfWQNrUol0jFWn WRJC2GEO/aOYDeme9gjOYS/pEhVvcDcy9MyTgto+SlhQUwRpJueD7x1DKtR0wB+jCHnZBg6h ynLQoCYdKjYdleF+lH3dOCJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kqsyj5UAbeKRWmthg vuv5ZyFULOZ82QsaDhMtPvT8EoHUMna41v0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL woU5Ojklo9x105F5uKNyt4XQGVTKlLhFVHmZk5tc7qjmnB/Shkaic7XAha+hXB/0F1ll/gpo DlEWAfZpQ0BZsUgk8xFO/VU/r0X0QSrN9YrLFDm2fF/wXEqfFO2mvdTD09oHrcDpPkvL1513 /Ayd200O0Xra+KemNpXS8FKr+F6dYzHGd1avXttizbEEfwhXJbPBb3Q4sNV1ysxgcYIGuvCY 80eanxkaxGojx9nYw9LTs5h2rr3wCChI1W0q3rMzUYzy0HVwBZ8z/7GN93Nd8bRbc5UglyZt iTN+GGR7hQya4LHlWHVqyzEaunnrAb8QI00FJmC5KBJsmCTzWFQKDAwSg7uyRW+ogvkMz5FE GQE9yxroaUs+UiDStjmQwb+sHOCpgQbWddbD6s98g7l90bPywOQB2xBQjsfbtUj7ZYyXWZzi A/PmM71DztytrHTUWia6rqfsTK1P24SMHMGYigHCwAC5rEPvb0Os/4Gdf47eIbdszE/MWiYL +yixMTmu4gusA==
  • Ironport-hdrordr: A9a23:zS2CG6n+guyUK1yBZ++LmMxz9ejpDfOAimdD5ihNYBxZY6Wkfp +V8cjzhCWftN9OYhodcIi7SdG9qeu1z+8+3WBjB8bYYOCAghrkEGgC1/qo/9SEIUHDH4FmpM NdmsRFaeEYSGIK9PoSgzPIX+rIouP3l5xA7N22pxgCcegpUdAH0+4TMHf5LqQCfngiOXNPLu v/2iMonVqdUEVSSv7+KmgOXuDFqdGOvonhewQ6Cxku7xTLpS+06ZbheiLokCs2Yndq+/MP4G LFmwv26uGIqPeg0CLR0GfV8tB/hMbh8N1eH8aB4/JlawkEyzzYJLiJaYfy/gzdk9vfrWrCV+ O85yvICv4DqE85uFvF5icFlTOQlgrGoEWSs2NwyUGT3PARAghKRPapzLgpDScwoSAbza1B+b MO0GSDu5VNCxTc2Cz7+tjTThlv0lG5uHw4jIco/gpiuKYlGctsRLYkjTRoOYZFGDi/5JEsEe FoAs2Z7PFKcUmCZ3ScumV02tSjUnk6Ax/DGyE5y4So+ikTmGo8w1oTxcQZkHtF/JUhS4Nc7+ CBNqhzjrlBQsIfcKo4DuYcRsm8DHDLXHv3QSuvCEWiELtCN2PGqpbx7rlw7Oa2eIYQxJ93g5 jFWEMwjx9GR6svM7z94HRmyGG9fIzmZ0WS9ih33ekIhpTsALz2LCaEVFci18O9vvR3OLypZ8 qO
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AdiXcIvKzj1u3ooYRvOwLKlCsLdCEAA/89UAAIdcHqAACSWogA==
  • Thread-topic: Xen Memory Sharing Query

On 18/07/2022 14:40, Marc Bonnici wrote:
> Hi Andrew,
>
> Thank you very much for your detailed reply, that make things 
> a lot clearer. I did have a few follow up questions.
>
>> gnttab v2 is horribly more complicated.  
> With v2, do the high level behaviours change much from 
> what you have outlined here? Do you expect in the long term 
> for v2 to be the preferred implementation or are they more like 
> alternatives?

That's harder to answer.  v2 comes with new features, but some far
sharper corners.

v2 increased the frame size from 32 bits to 64, so you can address a
frame above the 16T boundary.

v2 also introduces sub-page grants.  These are not mappable, but copyable.

On the other hand, v2 also introduces transitive grants, and these are a
security disaster.  They're largely disabled.

Finally, and most importantly, v2 split the status bits out of flags
field as a performance optimisation, but created an API where there is
no race-free way of invalidating a grant.

>> While a gref is mapped, domA is not permitted to edit the 
>> associated entry.  
> So IIUC once the gref is mapped then domA can't make any changes 
> to the entry at all, (or at least they won't be reflected).

Correct.

> So if 
> domA wants to make any modifications (extend the shared memory 
> region, change permissions etc.), then it would just create another
> entry and share the new gref? 

A grant covers a 4k page (until you start using sub-page grants in v2),
so there isn't really any "extend the region".

For permissions, the only interesting bit is the read-only bit, and that
isn't something you want to be changing midway through the use of the grant.

But yes, you could write a new grant out with new permissions and use that.

>> From a grant perspective, Xen doesn't enforce any policy.  domA's grefs
>> can be mapped in the manner permitted by what domA wrote into the grant
>> table.
> So does this mean that if domA grants access to domB for a given frame, 
> and then added a new entry in its grant table with the same frame details 
> but with "domid = domC" instead. This would be allowed? And if so, would this 
> result in a 3-way shared buffer?

Yes and yes.

I suppose it's worth saying that these are from the point of view of the
mechanics of the grant table interface.

In addition, XSM can be used to provide policy based restrictions.  XSM
Silo is "dom0 all powerful, domU's can only communicate with dom0", and
XSM Flask is rather more like SELinux.

> And finally a similar scenario, if a frame was shared from domA to domB, 
> would domB be able to add an entry in its own grant table to share the 
> same frame with domC and end up with the same outcome?

That's more complicated.  Potentially yes, but it depends on the p2m
checks done when mapping a grant, and I have a suspicion it might be
different between x86 and ARM.

But logically speaking, if domA has granted access to domB, then domB is
permitted to whatever it wants with the mapping, including sharing it
further onwards.  This was the idea behind transitive grants, but the
implementation leaves a lot to be desired.

~Andrew

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.