[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Design session "grant v3"


  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 26 Sep 2022 09:23:53 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2mbHJwnSnW+enGqsvXm/WdU8Os6gkhLRXZQyKs93iA8=; b=RvnvJTL0I6Hx2xshJupp4dnD1+03z6yHBglITNNqe1HGQMAU+pkLVSSkUs682B4IukDIIzzf8g62DkKIEDq1ab+uumtbHZXZFSoq3Mpigq6PLCl5xN+aQz4uT4B/2kcZtCmRPPMfbYU268AYnsOKhzAA/ZhNFy1CEjSgl0Cn6IbmTj8r6OqtOFC6mj8M8kayabnqXi1QOHJxmZhBH/uWDqCVSCNXI0CwZpSoagaR4hrkMyQr37PMxggXTHv4bYRdd8yGXumyuFDCU2B3rjUvCJdt3ReaHNTlNxl1TGgn2EdbZ4AJ047Fvez4xGYCWeY9pphOYHi58qiUa/JFbSqfig==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jGJWT5U0Donpj9lIieDH8NW8DfKu6JAZbXnP782bTU2YFUrpNy6UDFLUbbPghX/QOmnArhHyiFSW9j6lExss+6K9HaRRIkUdDhIQbfn2kWvUs6Lg59Qm4YRk9FIRj+0uoO9gLrKkt5nTKmws8Sfxwz4DwCzB616uITfsdar9rUdPEMam1J3y7Poz67NE9EWY+QOiIEXscCdCON4BtMczIXtVoX3tZcqsMaCXciOA64uqHvwMtUkyy80vMdr1+xykYqktF7TTtd83p7/YFMi63Ttyk+FPfskqOov/boSkWJvssmZe548hEgaPH8vyWSUKFu0RcqL+KLxWdJ7fJR6O9A==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 26 Sep 2022 07:24:08 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 26.09.2022 09:04, Juergen Gross wrote:
> On 26.09.22 08:57, Jan Beulich wrote:
>> On 23.09.2022 11:31, Juergen Gross wrote:
>>> On 22.09.22 20:43, Jan Beulich wrote:
>>>> On 22.09.2022 15:42, Marek Marczykowski-Górecki wrote:
>>>>> Yann:   can backend refuse revoking?
>>>>> Jürgen: it shouldn't be this way, but revoke could be controlled by 
>>>>> feature flag; revoke could pass scratch page per revoke call (more 
>>>>> flexible control)
>>>>
>>>> A single scratch page comes with the risk of data corruption, as all
>>>> I/O would be directed there. A sink page (for memory writes) would
>>>> likely be okay, but device writes (memory reads) can't be done from
>>>> a surrogate page.
>>>
>>> I don't see that problem.
>>>
>>> In case the grant is revoked due to a malicious/buggy backend, you can't
>>> trust the I/O data anyway.
>>
>> I agree for the malicious case, but I'm less certain when is come to
>> buggy backends. Some bugs (like not unmapping a grant) aren't putting
>> the data at risk.
> 
> In case the data page can't be used for anything else, what would be the
> point of revoking the grant? The page would leak in both cases (revoking
> or not).

Sure, but don't you agree it would be better for the guest to have a way
to cleanly shut down in case it notices a misbehaving backend, rather
than having its data corrupted in the process? Of course a guest won't
be able to tell malicious from buggy, but what to do in such a case
ought to be a guest policy, not behavior forced upon it from the outside.
Then again I guess "pass scratch page per revoke call" is meant to cover
that already, i.e. leaving it to the guest how to actually deal with a
failed revoke.

>>>>> Jürgen: we should consider interface to mapping large pages ("map this 
>>>>> area as a large page if backend shared it as large page")
>>>>
>>>> s/backend/frontend/ I guess?
>>>
>>> Yes.
>>>
>>> But large pages have another downside: The backend needs to know it is a 
>>> large
>>> page, otherwise it might get confused. So while this sounds like a nice 
>>> idea, it
>>> is cumbersome in practice. But maybe someone is coming up with a nice idea 
>>> how
>>> to solve that.
>>
>> Couldn't that simply be a new GTF_superpage flag, with the size
>> encoded along the lines of AMD IOMMUs encode superpages (setting all
>> but the top-most of the bits not used for the actual frame address)
>> in the address part of the entry?
> 
> Of course that would be possible, but using the feature would be limited
> to backends having been modified to test that new flag. In the end both
> sides would need to negotiate the feature usability.

Isn't it to be expected that this might need negotiating? Strictly speaking
it might not need to be: The backend's map request (for a sufficiently
large number of grants all in one go) could be checked for being all
contiguous in the applicably address spaces. That wouldn't require the
frontend to advertise anything. But an unaware frontend wouldn't be very
likely to produce suitable I/O requests in the first place, I suspect.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.