From: Ian Jackson
Date: Fri, 6 Oct 2017 15:17:28 +0100
Message-ID: <22999.36984.558631.191104@mariner.uk.xensource.com>
In-Reply-To: <892cb484-361b-f1c1-c294-6b5d7b5e92fb@citrix.com>
References: <1507133891-26013-1-git-send-email-ian.jackson@eu.citrix.com> <892cb484-361b-f1c1-c294-6b5d7b5e92fb@citrix.com>
Subject: Re: [Qemu-devel] [PATCH v2 0/*] xen: xen-domid-restrict improvements
To: Ross Lagerwall
Cc: Ian Jackson, qemu-devel@nongnu.org, Anthony PERARD, xen-devel@lists.xenproject.org, Juergen Gross, Stefano Stabellini

Ross Lagerwall writes ("Re: [PATCH v2 0/*] xen: xen-domid-restrict improvements"):
> On 10/04/2017 05:18 PM, Ian Jackson wrote:
> > However, there are changes to qemu needed.  In particular
> >
> >   * The -xen-domid-restrict option does not work properly right now.
> >     It only restricts a small subset of the descriptors qemu has open.
> >     I am introducing a new library call in the Xen libraries for this,
> >     xentoolcore_restrict_all.
...
> I'm testing your QEMU and Xen patch series and found that after being
> restricted, QEMU fails to set up the VGA memory properly which causes
> a complete stall with stdvga. With cirrus it mostly works although it
> seems to have reduced performance.

Thanks for your testing.

I admit that I didn't look at the VGA console of my guest.  I'm using
cirrus but my guest isn't using it very much.  I use the "serial"
console instead.

> I think it happens when the VM sets up the BAR some time after
> xen_restrict() has been called. The failure comes from QEMU calling
> xc_domain_add_to_physmap() which calls do_memory_op() and finally
> xencall2(). But the underlying xencall fd has been replaced with /dev/null.

I think to fix this properly, we will need to add a dmop version of
XENMEM_add_to_physmap.  I don't propose to try to do that for Xen
4.10.  In the meantime I think this is good enough for "tech preview",
and provides a base to work on.

> There is a caveat when using -xen-domid-restrict and -chroot at the same
> time. The restriction happens after chrooting, so the chroot directory
> has to contain a valid /dev/null. This is a bit annoying and prevents
> the chroot being on a "nodev" mount.

How annoying.  I will fix the relevant qemu patch to do the Xen
restrict before os_setup_post.

Ian.
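The two failure modes in this exchange (a hypercall descriptor that has been "replaced with /dev/null" and therefore silently reaches nothing, and a restrict step that cannot find /dev/null because it runs inside a chroot without device nodes) both follow from one mechanism. The following is an added example, not code from the QEMU or Xen patch series discussed in the thread: it assumes that the restrict step neuters a descriptor by dup2()-ing /dev/null over it (an assumption about how xentoolcore_restrict_all behaves, not something the message states), and uses a pipe as a stand-in for a privileged channel. The "missing /dev/null" path is a constructed, non-existent path standing in for a chroot on a "nodev" mount.

```c
/* Added example, not from the patch series under discussion.
 * Assumption: "restricting" a descriptor means dup2()-ing /dev/null over
 * it, so the fd number stays open but later operations on it go nowhere,
 * which is the situation the thread describes for the xencall fd. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Replace fd with /dev/null opened from devnull_path.
 * Returns 0 on success, -1 if devnull_path cannot be opened, e.g. because
 * the process has already chrooted into a tree with no device nodes. */
int restrict_fd(int fd, const char *devnull_path)
{
    int nullfd = open(devnull_path, O_RDWR);
    if (nullfd < 0)
        return -1;
    if (dup2(nullfd, fd) < 0) {
        close(nullfd);
        return -1;
    }
    close(nullfd);
    return 0;
}

/* Simulate a privileged channel with a pipe: send one message, restrict
 * the write end, send another, and count what the reader actually gets.
 * Returns the number of bytes received (only the pre-restrict message),
 * or -1 on error. */
int demo_restrict(void)
{
    int p[2];
    char buf[64];
    ssize_t n, total = 0;

    if (pipe(p) < 0)
        return -1;
    if (write(p[1], "before", 6) != 6)
        return -1;
    if (restrict_fd(p[1], "/dev/null") < 0)
        return -1;
    /* The write "succeeds" but lands in /dev/null, exactly as a hypercall
     * issued through a restricted fd would. */
    if (write(p[1], "after", 5) != 5)
        return -1;
    close(p[1]);   /* closes the /dev/null copy; the pipe has no writer left */

    while ((n = read(p[0], buf, sizeof buf)) > 0)
        total += n;  /* reaches EOF after the 6 bytes of "before" */
    close(p[0]);
    return (int)total;
}

/* The chroot caveat from the thread: if the restrict step runs after
 * chrooting and the new root has no /dev/null, it cannot neuter anything.
 * Returns restrict_fd()'s result, which is -1 here. The path is a
 * constructed placeholder for a chroot on a "nodev" mount. */
int demo_missing_devnull(void)
{
    int p[2], rc;

    if (pipe(p) < 0)
        return -1;
    rc = restrict_fd(p[1], "/nonexistent-chroot/dev/null");
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("bytes received after restrict: %d\n", demo_restrict());
    printf("restrict inside chroot without /dev/null: %d\n",
           demo_missing_devnull());
    return 0;
}
```

The ordering fix Ian proposes (restrict before chrooting, i.e. before os_setup_post) is what makes the second case go away: /dev/null is resolved from the real root, and the already-restricted descriptors are carried into the chroot unchanged.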