* [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
@ 2020-02-19 9:18 Alexandru Stefan ISAILA
2020-02-19 16:37 ` Tamas K Lengyel
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Alexandru Stefan ISAILA @ 2020-02-19 9:18 UTC (permalink / raw)
To: xen-devel
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Jun Nakajima,
Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper,
Ian Jackson, Jan Beulich, Alexandru Stefan ISAILA,
Roger Pau Monné
At this moment a guest can call vmfunc to change the altp2m view. This
should be limited in order to avoid any unwanted view switch.
The new xc_altp2m_set_visibility() solves this by making views invisible
to vmfunc.
This is done by having a separate arch.altp2m_working_eptp that is
populated and made invalid in the same places as altp2m_eptp. This is
written to EPTP_LIST_ADDR.
The views are made in/visible by marking them with INVALID_MFN or
copying them back from altp2m_eptp.
To have consistency the visibility also applies to
p2m_switch_domain_altp2m_by_id().
Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com>
---
CC: Ian Jackson <ian.jackson@eu.citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: George Dunlap <George.Dunlap@eu.citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
CC: Julien Grall <julien@xen.org>
CC: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: "Roger Pau Monné" <roger.pau@citrix.com>
CC: Jun Nakajima <jun.nakajima@intel.com>
CC: Kevin Tian <kevin.tian@intel.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
---
Changes since V2:
- Drop hap_enabled() check
- Reduce the indentation depth in hvm.c
- Fix assignment indentation
- Drop pad2.
Changes since V1:
- Drop double view from title.
---
tools/libxc/include/xenctrl.h | 2 ++
tools/libxc/xc_altp2m.c | 24 ++++++++++++++++++++++++
xen/arch/x86/hvm/hvm.c | 18 ++++++++++++++++++
xen/arch/x86/hvm/vmx/vmx.c | 2 +-
xen/arch/x86/mm/hap/hap.c | 15 +++++++++++++++
xen/arch/x86/mm/p2m-ept.c | 1 +
xen/arch/x86/mm/p2m.c | 7 +++++--
xen/include/asm-x86/domain.h | 1 +
xen/include/public/hvm/hvm_op.h | 9 +++++++++
9 files changed, 76 insertions(+), 3 deletions(-)
diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 99552a5f73..414adb143b 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -1943,6 +1943,8 @@ int xc_altp2m_change_gfn(xc_interface *handle, uint32_t domid,
xen_pfn_t new_gfn);
int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
uint32_t vcpuid, uint16_t *p2midx);
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+ uint16_t view_id, bool visible);
/**
* Mem paging operations.
diff --git a/tools/libxc/xc_altp2m.c b/tools/libxc/xc_altp2m.c
index 46fb725806..6987c9541f 100644
--- a/tools/libxc/xc_altp2m.c
+++ b/tools/libxc/xc_altp2m.c
@@ -410,3 +410,27 @@ int xc_altp2m_get_vcpu_p2m_idx(xc_interface *handle, uint32_t domid,
xc_hypercall_buffer_free(handle, arg);
return rc;
}
+
+int xc_altp2m_set_visibility(xc_interface *handle, uint32_t domid,
+ uint16_t view_id, bool visible)
+{
+ int rc;
+
+ DECLARE_HYPERCALL_BUFFER(xen_hvm_altp2m_op_t, arg);
+
+ arg = xc_hypercall_buffer_alloc(handle, arg, sizeof(*arg));
+ if ( arg == NULL )
+ return -1;
+
+ arg->version = HVMOP_ALTP2M_INTERFACE_VERSION;
+ arg->cmd = HVMOP_altp2m_set_visibility;
+ arg->domain = domid;
+ arg->u.set_visibility.altp2m_idx = view_id;
+ arg->u.set_visibility.visible = visible;
+
+ rc = xencall2(handle->xcall, __HYPERVISOR_hvm_op, HVMOP_altp2m,
+ HYPERCALL_BUFFER_AS_ARG(arg));
+
+ xc_hypercall_buffer_free(handle, arg);
+ return rc;
+}
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 00a9e70b7c..24035261f4 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -4558,6 +4558,7 @@ static int do_altp2m_op(
case HVMOP_altp2m_get_mem_access:
case HVMOP_altp2m_change_gfn:
case HVMOP_altp2m_get_p2m_idx:
+ case HVMOP_altp2m_set_visibility:
break;
default:
@@ -4835,6 +4836,23 @@ static int do_altp2m_op(
break;
}
+ case HVMOP_altp2m_set_visibility:
+ {
+ uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx;
+
+ if ( a.u.set_visibility.pad )
+ rc = -EINVAL;
+ else if ( !altp2m_active(d) )
+ rc = -EOPNOTSUPP;
+ else if ( a.u.set_visibility.visible )
+ d->arch.altp2m_working_eptp[altp2m_idx] =
+ d->arch.altp2m_eptp[altp2m_idx];
+ else
+ d->arch.altp2m_working_eptp[altp2m_idx] =
+ mfn_x(INVALID_MFN);
+ break;
+ }
+
default:
ASSERT_UNREACHABLE();
}
diff --git a/xen/arch/x86/hvm/vmx/vmx.c b/xen/arch/x86/hvm/vmx/vmx.c
index bc2f48bf2c..90de909fec 100644
--- a/xen/arch/x86/hvm/vmx/vmx.c
+++ b/xen/arch/x86/hvm/vmx/vmx.c
@@ -2140,7 +2140,7 @@ static void vmx_vcpu_update_vmfunc_ve(struct vcpu *v)
{
v->arch.hvm.vmx.secondary_exec_control |= mask;
__vmwrite(VM_FUNCTION_CONTROL, VMX_VMFUNC_EPTP_SWITCHING);
- __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_eptp));
+ __vmwrite(EPTP_LIST_ADDR, virt_to_maddr(d->arch.altp2m_working_eptp));
if ( cpu_has_vmx_virt_exceptions )
{
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index 3d93f3451c..5969ec8922 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -488,8 +488,17 @@ int hap_enable(struct domain *d, u32 mode)
goto out;
}
+ if ( (d->arch.altp2m_working_eptp = alloc_xenheap_page()) == NULL )
+ {
+ rv = -ENOMEM;
+ goto out;
+ }
+
for ( i = 0; i < MAX_EPTP; i++ )
+ {
d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
+ }
for ( i = 0; i < MAX_ALTP2M; i++ )
{
@@ -523,6 +532,12 @@ void hap_final_teardown(struct domain *d)
d->arch.altp2m_eptp = NULL;
}
+ if ( d->arch.altp2m_working_eptp )
+ {
+ free_xenheap_page(d->arch.altp2m_working_eptp);
+ d->arch.altp2m_working_eptp = NULL;
+ }
+
for ( i = 0; i < MAX_ALTP2M; i++ )
p2m_teardown(d->arch.altp2m_p2m[i]);
}
diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c
index eb0f0edfef..6539ca619b 100644
--- a/xen/arch/x86/mm/p2m-ept.c
+++ b/xen/arch/x86/mm/p2m-ept.c
@@ -1368,6 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
ept = &p2m->ept;
ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
+ d->arch.altp2m_working_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
}
unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 9f1c29d7ef..13b96715ba 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2519,6 +2519,7 @@ void p2m_flush_altp2m(struct domain *d)
{
p2m_reset_altp2m(d, i, ALTP2M_DEACTIVATE);
d->arch.altp2m_eptp[i] = mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[i] = mfn_x(INVALID_MFN);
}
altp2m_list_unlock(d);
@@ -2638,7 +2639,9 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx)
{
p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE);
d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] =
- mfn_x(INVALID_MFN);
+ mfn_x(INVALID_MFN);
+ d->arch.altp2m_working_eptp[array_index_nospec(idx, MAX_EPTP)] =
+ mfn_x(INVALID_MFN);
rc = 0;
}
}
@@ -2665,7 +2668,7 @@ int p2m_switch_domain_altp2m_by_id(struct domain *d, unsigned int idx)
rc = -EINVAL;
altp2m_list_lock(d);
- if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) )
+ if ( d->arch.altp2m_working_eptp[idx] != mfn_x(INVALID_MFN) )
{
for_each_vcpu( d, v )
if ( idx != vcpu_altp2m(v).p2midx )
diff --git a/xen/include/asm-x86/domain.h b/xen/include/asm-x86/domain.h
index 1843c76d1a..b039717778 100644
--- a/xen/include/asm-x86/domain.h
+++ b/xen/include/asm-x86/domain.h
@@ -326,6 +326,7 @@ struct arch_domain
struct p2m_domain *altp2m_p2m[MAX_ALTP2M];
mm_lock_t altp2m_list_lock;
uint64_t *altp2m_eptp;
+ uint64_t *altp2m_working_eptp;
#endif
/* NB. protected by d->event_lock and by irq_desc[irq].lock */
diff --git a/xen/include/public/hvm/hvm_op.h b/xen/include/public/hvm/hvm_op.h
index b599d3cbd0..870ec52060 100644
--- a/xen/include/public/hvm/hvm_op.h
+++ b/xen/include/public/hvm/hvm_op.h
@@ -318,6 +318,12 @@ struct xen_hvm_altp2m_get_vcpu_p2m_idx {
uint16_t altp2m_idx;
};
+struct xen_hvm_altp2m_set_visibility {
+ uint16_t altp2m_idx;
+ uint8_t visible;
+ uint8_t pad;
+};
+
struct xen_hvm_altp2m_op {
uint32_t version; /* HVMOP_ALTP2M_INTERFACE_VERSION */
uint32_t cmd;
@@ -350,6 +356,8 @@ struct xen_hvm_altp2m_op {
#define HVMOP_altp2m_get_p2m_idx 14
/* Set the "Supress #VE" bit for a range of pages */
#define HVMOP_altp2m_set_suppress_ve_multi 15
+/* Set visibility for a given altp2m view */
+#define HVMOP_altp2m_set_visibility 16
domid_t domain;
uint16_t pad1;
uint32_t pad2;
@@ -367,6 +375,7 @@ struct xen_hvm_altp2m_op {
struct xen_hvm_altp2m_suppress_ve_multi suppress_ve_multi;
struct xen_hvm_altp2m_vcpu_disable_notify disable_notify;
struct xen_hvm_altp2m_get_vcpu_p2m_idx get_vcpu_p2m_idx;
+ struct xen_hvm_altp2m_set_visibility set_visibility;
uint8_t pad[64];
} u;
};
--
2.17.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-19 9:18 [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility Alexandru Stefan ISAILA
@ 2020-02-19 16:37 ` Tamas K Lengyel
2020-02-20 9:25 ` Alexandru Stefan ISAILA
2020-02-19 17:00 ` Jan Beulich
2020-02-20 12:21 ` George Dunlap
2 siblings, 1 reply; 8+ messages in thread
From: Tamas K Lengyel @ 2020-02-19 16:37 UTC (permalink / raw)
To: Alexandru Stefan ISAILA
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Jan Beulich,
Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper,
Ian Jackson, Jun Nakajima, xen-devel, Roger Pau Monné
On Wed, Feb 19, 2020 at 2:19 AM Alexandru Stefan ISAILA
<aisaila@bitdefender.com> wrote:
>
> At this moment a guest can call vmfunc to change the altp2m view. This
> should be limited in order to avoid any unwanted view switch.
>
> The new xc_altp2m_set_visibility() solves this by making views invisible
> to vmfunc.
> This is done by having a separate arch.altp2m_working_eptp that is
> populated and made invalid in the same places as altp2m_eptp. This is
> written to EPTP_LIST_ADDR.
> The views are made in/visible by marking them with INVALID_MFN or
> copying them back from altp2m_eptp.
> To have consistency the visibility also applies to
> p2m_switch_domain_altp2m_by_id().
I'm just wondering, what prevents the guest from calling this HVM op
before doing vmfunc? This seems to only make a difference in case the
altp2m mode is either set as external or limited (or have a more
fine-grained XSM policy loaded). Is that correct? If so, perhaps
mention that in the commit message and as a comment on the libxc
function so that people don't get a false sense of security when using
the mixed mode.
Thanks,
Tamas
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-19 9:18 [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility Alexandru Stefan ISAILA
2020-02-19 16:37 ` Tamas K Lengyel
@ 2020-02-19 17:00 ` Jan Beulich
2020-02-20 9:59 ` Alexandru Stefan ISAILA
2020-02-20 12:21 ` George Dunlap
2 siblings, 1 reply; 8+ messages in thread
From: Jan Beulich @ 2020-02-19 17:00 UTC (permalink / raw)
To: Alexandru Stefan ISAILA
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Wei Liu,
Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson,
Jun Nakajima, xen-devel, Roger Pau Monné
On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote:
> @@ -4835,6 +4836,23 @@ static int do_altp2m_op(
> break;
> }
>
> + case HVMOP_altp2m_set_visibility:
> + {
> + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx;
> +
> + if ( a.u.set_visibility.pad )
> + rc = -EINVAL;
> + else if ( !altp2m_active(d) )
> + rc = -EOPNOTSUPP;
> + else if ( a.u.set_visibility.visible )
> + d->arch.altp2m_working_eptp[altp2m_idx] =
> + d->arch.altp2m_eptp[altp2m_idx];
> + else
> + d->arch.altp2m_working_eptp[altp2m_idx] =
> + mfn_x(INVALID_MFN);
Don't you need to bounds check the index before its use? And
shouldn't you return an error also for in-range ones which
aren't actually valid?
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-19 16:37 ` Tamas K Lengyel
@ 2020-02-20 9:25 ` Alexandru Stefan ISAILA
0 siblings, 0 replies; 8+ messages in thread
From: Alexandru Stefan ISAILA @ 2020-02-20 9:25 UTC (permalink / raw)
To: Tamas K Lengyel
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Jan Beulich,
Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper,
Ian Jackson, Jun Nakajima, xen-devel, Roger Pau Monné
On 19.02.2020 18:37, Tamas K Lengyel wrote:
> On Wed, Feb 19, 2020 at 2:19 AM Alexandru Stefan ISAILA
> <aisaila@bitdefender.com> wrote:
>>
>> At this moment a guest can call vmfunc to change the altp2m view. This
>> should be limited in order to avoid any unwanted view switch.
>>
>> The new xc_altp2m_set_visibility() solves this by making views invisible
>> to vmfunc.
>> This is done by having a separate arch.altp2m_working_eptp that is
>> populated and made invalid in the same places as altp2m_eptp. This is
>> written to EPTP_LIST_ADDR.
>> The views are made in/visible by marking them with INVALID_MFN or
>> copying them back from altp2m_eptp.
>> To have consistency the visibility also applies to
>> p2m_switch_domain_altp2m_by_id().
>
> I'm just wondering, what prevents the guest from calling this HVM op
> before doing vmfunc? This seems to only make a difference in case the
> altp2m mode is either set as external or limited (or have a more
> fine-grained XSM policy loaded). Is that correct? If so, perhaps
Yes, that is correct.
> mention that in the commit message and as a comment on the libxc
> function so that people don't get a false sense of security when using
> the mixed mode.
>
I will add this fact in the commit message and in libxc. Good thing to
point that out.
Thanks,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-19 17:00 ` Jan Beulich
@ 2020-02-20 9:59 ` Alexandru Stefan ISAILA
2020-02-20 10:23 ` Jan Beulich
0 siblings, 1 reply; 8+ messages in thread
From: Alexandru Stefan ISAILA @ 2020-02-20 9:59 UTC (permalink / raw)
To: Jan Beulich
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Wei Liu,
Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson,
Jun Nakajima, xen-devel, Roger Pau Monné
On 19.02.2020 19:00, Jan Beulich wrote:
> On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote:
>> @@ -4835,6 +4836,23 @@ static int do_altp2m_op(
>> break;
>> }
>>
>> + case HVMOP_altp2m_set_visibility:
>> + {
>> + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx;
>> +
>> + if ( a.u.set_visibility.pad )
>> + rc = -EINVAL;
>> + else if ( !altp2m_active(d) )
>> + rc = -EOPNOTSUPP;
>> + else if ( a.u.set_visibility.visible )
>> + d->arch.altp2m_working_eptp[altp2m_idx] =
>> + d->arch.altp2m_eptp[altp2m_idx];
>> + else
>> + d->arch.altp2m_working_eptp[altp2m_idx] =
>> + mfn_x(INVALID_MFN);
>
> Don't you need to bounds check the index before its use?
Unless we want a index out of bounds from the user. Sorry for not having
that, I will add a "altp2m_eptp[array_index_nospec(altp2m_idx,
MAX_EPTP)]" in place for the next version.
> And
> shouldn't you return an error also for in-range ones which
> aren't actually valid?
That is a good thing. Maybe -EINVAL could fit this?
And together with the bounds check it will end up something like this:
if ( !altp2m_idx < 0 || altp2m_idx >=
min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] ==
mfn_x(INVALID_MFN) )
return -EINVAL;
And looking again, it could be coupled with the a.u.set_visibility.pad.
Thanks,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-20 9:59 ` Alexandru Stefan ISAILA
@ 2020-02-20 10:23 ` Jan Beulich
0 siblings, 0 replies; 8+ messages in thread
From: Jan Beulich @ 2020-02-20 10:23 UTC (permalink / raw)
To: Alexandru Stefan ISAILA
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Wei Liu,
Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper, Ian Jackson,
Jun Nakajima, xen-devel, Roger Pau Monné
On 20.02.2020 10:59, Alexandru Stefan ISAILA wrote:
> On 19.02.2020 19:00, Jan Beulich wrote:
>> On 19.02.2020 10:18, Alexandru Stefan ISAILA wrote:
>>> @@ -4835,6 +4836,23 @@ static int do_altp2m_op(
>>> break;
>>> }
>>>
>>> + case HVMOP_altp2m_set_visibility:
>>> + {
>>> + uint16_t altp2m_idx = a.u.set_visibility.altp2m_idx;
>>> +
>>> + if ( a.u.set_visibility.pad )
>>> + rc = -EINVAL;
>>> + else if ( !altp2m_active(d) )
>>> + rc = -EOPNOTSUPP;
>>> + else if ( a.u.set_visibility.visible )
>>> + d->arch.altp2m_working_eptp[altp2m_idx] =
>>> + d->arch.altp2m_eptp[altp2m_idx];
>>> + else
>>> + d->arch.altp2m_working_eptp[altp2m_idx] =
>>> + mfn_x(INVALID_MFN);
>>
>> Don't you need to bounds check the index before its use?
>
> Unless we want a index out of bounds from the user. Sorry for not having
> that, I will add a "altp2m_eptp[array_index_nospec(altp2m_idx,
> MAX_EPTP)]" in place for the next version.
>
>> And
>> shouldn't you return an error also for in-range ones which
>> aren't actually valid?
> That is a good thing. Maybe -EINVAL could fit this?
Sure.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-19 9:18 [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility Alexandru Stefan ISAILA
2020-02-19 16:37 ` Tamas K Lengyel
2020-02-19 17:00 ` Jan Beulich
@ 2020-02-20 12:21 ` George Dunlap
2020-02-20 12:51 ` Alexandru Stefan ISAILA
2 siblings, 1 reply; 8+ messages in thread
From: George Dunlap @ 2020-02-20 12:21 UTC (permalink / raw)
To: Alexandru Stefan ISAILA, xen-devel
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Jun Nakajima,
Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper,
Ian Jackson, Jan Beulich, Roger Pau Monné
On 2/19/20 9:18 AM, Alexandru Stefan ISAILA wrote:
> At this moment a guest can call vmfunc to change the altp2m view. This
> should be limited in order to avoid any unwanted view switch.
>
> The new xc_altp2m_set_visibility() solves this by making views invisible
> to vmfunc.
> This is done by having a separate arch.altp2m_working_eptp that is
> populated and made invalid in the same places as altp2m_eptp. This is
> written to EPTP_LIST_ADDR.
> The views are made in/visible by marking them with INVALID_MFN or
> copying them back from altp2m_eptp.
> To have consistency the visibility also applies to
> p2m_switch_domain_altp2m_by_id().
So it looks like by default the views are visible, until they're made
non-visible?
Also, does the last line mean that the toolstack can't change to a
"non-visible" altp2m either?
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility
2020-02-20 12:21 ` George Dunlap
@ 2020-02-20 12:51 ` Alexandru Stefan ISAILA
0 siblings, 0 replies; 8+ messages in thread
From: Alexandru Stefan ISAILA @ 2020-02-20 12:51 UTC (permalink / raw)
To: George Dunlap, xen-devel
Cc: Kevin Tian, Stefano Stabellini, Julien Grall, Jun Nakajima,
Wei Liu, Konrad Rzeszutek Wilk, George Dunlap, Andrew Cooper,
Ian Jackson, Jan Beulich, Roger Pau Monné
On 20.02.2020 14:21, George Dunlap wrote:
> On 2/19/20 9:18 AM, Alexandru Stefan ISAILA wrote:
>> At this moment a guest can call vmfunc to change the altp2m view. This
>> should be limited in order to avoid any unwanted view switch.
>>
>> The new xc_altp2m_set_visibility() solves this by making views invisible
>> to vmfunc.
>> This is done by having a separate arch.altp2m_working_eptp that is
>> populated and made invalid in the same places as altp2m_eptp. This is
>> written to EPTP_LIST_ADDR.
>> The views are made in/visible by marking them with INVALID_MFN or
>> copying them back from altp2m_eptp.
>> To have consistency the visibility also applies to
>> p2m_switch_domain_altp2m_by_id().
>
>
> So it looks like by default the views are visible, until they're made
> non-visible?
Yes, by default all the active views are visible until they're made
non-visible.
>
> Also, does the last line mean that the toolstack can't change to a
> "non-visible" altp2m either?
The last line means that xc_altp2m_switch_to_view() will not be able to
switch to a non-visible view.
-Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-02-20 12:51 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-19 9:18 [Xen-devel] [PATCH V3] x86/altp2m: Hypercall to set altp2m view visibility Alexandru Stefan ISAILA
2020-02-19 16:37 ` Tamas K Lengyel
2020-02-20 9:25 ` Alexandru Stefan ISAILA
2020-02-19 17:00 ` Jan Beulich
2020-02-20 9:59 ` Alexandru Stefan ISAILA
2020-02-20 10:23 ` Jan Beulich
2020-02-20 12:21 ` George Dunlap
2020-02-20 12:51 ` Alexandru Stefan ISAILA
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).