[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Xen Summit 2025 - Design Discussion Notes - Xen ABI

  • To: "Alexander M. Merritt" <alexander@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alex Brett <alex.brett@xxxxxxxxxx>
  • Date: Wed, 17 Sep 2025 17:40:39 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kbrb2wxqRuklyfzT+m16BmV/WY7n7MdaBKmHfR7ZfhQ=; b=Jm3jsfgfHZeD4/o4+C78s1hIK7A9bUpC1ACNZ9/l1D9VuIJ6ojjBSletKMvSr7PGXG2bs/ymRkRca0qtS3DUu1hlZwDY6L8U+lbnu4D+0ItLWYbRYf+uVrFgSVd893l1jfPOsL1eWPbtJQ6NKQ/pojMDY/9hux1+RtEFbgztLXsa/d9jJZ9wefpNhZZT4JcCzBE2JlmmxtPXbk2/gkuxaMlW7kBFd7I0EOTokIiYpfq5aT89dB3aE7hzVtPspHnmrU5/jN2VtMux7YWgR2A2p2QLCGBQHcWQrm1MjLPl9MKEnshNZC9iPxtp+AZAooTzqfDru0ckvuFRORVsxRn2RA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=EMFBCudxkmZF6bbzW/Nq6NQzUic1ytqzC30H4LiNgeHeu6PJqdnIEZQdsVlzXE2331qHUNteot85aVRU2Mu+OMlt/5yc41R9M2h7jHrS8NLnxFHS7Uk6UdsJ7H9PmOMAuSBVsQYmNWcwykiu1+GLqpSh3tW/p8e32499I/KRxGIWKJA5xG+c/6ox1MlwEna9AbEy4ZzDWp/6R7HmS7BYCGVW+BCy8Okbb1lQGoQKt/EYl+mR5Kz5zGyNhk8jRyS1bvADwOc/kLzgDbLvXSuziKPzdMhp3hzZiqhxZNlU9pE4uIPQlFWq0MPm5SG1l9OrtjHeCNKTUZqh/ruoXNqb9g==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Delivery-date: Wed, 17 Sep 2025 17:40:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Msip_labels:
  • Thread-index: AQHcJ46CuGDSzyyGzUK1N7jB9+iAwrSXpRTH
  • Thread-topic: Xen Summit 2025 - Design Discussion Notes - Xen ABI
I also took notes during this session - as usual apologies for any misquotes 
etc:

Christopher Clark (CC): Preparing a collection of docs to understand the 
problem space and what we want to achieve ahead of doing the work
- List of API/ABIs
- List of known limitations / issues / concerns with them, indexed back to the 
API/ABIs

Andrew Cooper (AC): Previously tried addressing some of the issues, but 
addressing only part of it results in a lot of the feedback being "what about 
this other thing?" etc. Designs presented so far fix part/some of the problems, 
but not all. Trying this time to identify all the problems before identifying a 
design to fix them.

First enumerate the APIs and ABIs that currently exist. Set of problems not 
apparent when you just think about API/ABIs, e.g. people think it's "just 
hypercalls", but it's not, there's things like enumeration information. Long 
history of bugs due to Xen originally being a monorepo and having forks of 
kernel/qemu etc, so many ABIs not properly defined/enumerated. Also e.g. 
initial state of vCPUs is an ABI. ~46 hypercalls, but around half are specific 
to PV guests. Hypercalls are the way they are as Xen started with x86 PV 
guests, HVM guests were created by doing minimal adjustments to PV and thus 
resulted in lots of legacy poor choices (e.g. having to walk the guest page 
tables).

Other examples:
- evtchn_send passes a 32-bit pointer to the event channel to use, rather than 
just the event channel id.
- hypercalls have a shift by 12 assuming 4k pages, causes problems in ARM
- Changing the version of Xen breaks userspace (intentional choice early on, 
but causes user pain) - unstable ABIs are killing Xen
- Security patches nominally/officially require rebuilding userspace (including 
qemu)

This is relevant to work like host UEFI secure boot (introduces new privilege 
boundary - admin with root in dom0 can't violate the MS defined boundary of not 
reading/writing arbitrary memory, hypercalls work currently with 
/dev/xen/privcmd which entirely violates this).

All problems compound, want to look at all of them before figuring out 
solutions.

Bertrand Marquis (BM): Need to look at problem discussed yesterday - how we 
create/configure a guest (two ways currently, dom0less and xl), duplicating 
code and configuration format etc. If modifying ABI between dom0 and Xen, can 
we have a coherent format we can use in multiple places to solve problems like 
this and prevent duplication / reduce required hypercalls to create a guest.

Alexander Merrit (AM): Regular applications don't make syscalls directly they 
use libraries, is that an option?
AC: Xen has libraries, but they currently need to be recompiled every time Xen 
changes
Jan Beulich (JB): This could be solved by having a user library vs the library 
that actually calls into the hypervisor
AC: Libraries currently all C, would like libraries for other languages that 
are stable. Need to consider all these possibilities when designing a solution.

JB: Concern about taking a global approach - will changing everything in one go 
mean we never end?
AC: Idea is to come up with one global design. Parties have specific interests 
(e.g. XS around secure boot, Vates for SEV) that will lead to implementation, 
but we should agree the approach up front rather than having people pulling in 
different directions.

JB: Could we deal with e.g. the hypercall problem up front rather than having 
to redesign everything else at the same time?
AC: Don't need e.g. function prototypes, but need the broad strokes agreed to 
ensure things don't diverge later on.

AC: Important to ensure backwards compatibility (can't break HVM guests)

AM: Is the problem unique to us, or are there historical references we can copy?
AC: No one problem we've found is unique, but there's enough overlap between 
problems in different areas that we can't take something off the shelf
BM: Potential problems with lots of compatibility code etc - do we still need 
it? (Room: Yes)

AC/JB/BM: discussion around whether to use physical or virtual addresses from 
PV guests. Currently made HVM consistent with PV, should it be the other way 
round?

Rich Persaud (RP): Unlikely this task can ever be completed, but any work done 
will be very useful to people after this task has failed. Xen already forked 
once (Bromium), other hypervisors focusing on specfic verticals etc. Xen is 
last entity standing trying to pull all stakeholders together, unclear how long 
this will last, but the products which will last the longest are certified 
items, and whatever snapshot is taken at that point will thus be the things 
which last the longest.

Andrei Smenov (AS): Can Xen and guest negotiate which version to use?
AC/JB: Not really, can be multiple instances within a guest (bootloader, 
kernel, kexec kernels etc). Another example OVMF coming up to do boot services 
(blkback) load a file then handing over to the kernel etc (can leave shared 
info page in a bad state)

AC: Shared info page another problem by itself. Layout done with unsigned longs 
which change size between 32 and 64 bit code, so layout of shared info page 
changes. Different vCPUs can be in 32 or 64 bit mode so we cache the mode of 
the vCPU at the point it makes one of two hypercalls, so final vCPU to crash / 
go through kexec hypercall will change the format of the page. Something we 
need to address. Whatever we provide must have in mind aspects like this.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.