Re: [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability

From: Julien Grall <julien.grall@arm.com>
To: Stefano Stabellini <sstabellini@kernel.org>,
	xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <stefanos@xilinx.com>,
	JBeulich@suse.com, andrew.cooper3@citrix.com
Subject: Re: [PATCH 1/6] xen: extend XEN_DOMCTL_memory_mapping to handle cacheability
Date: Wed, 27 Feb 2019 21:02:47 +0000	[thread overview]
Message-ID: <3ee8d8d4-fbb6-dd38-e34a-1ac8f730339f@arm.com> (raw)
In-Reply-To: <1551222427-21749-1-git-send-email-sstabellini@kernel.org>

Hi Stefano,

On 2/26/19 11:07 PM, Stefano Stabellini wrote:
>   struct xen_domctl_memory_mapping {
>       uint64_aligned_t first_gfn; /* first page (hvm guest phys page) in range */
>       uint64_aligned_t first_mfn; /* first page (machine page) in range */
>       uint64_aligned_t nr_mfns;   /* number of pages in range (>0) */
>       uint32_t add_mapping;       /* add or remove mapping */
> -    uint32_t padding;           /* padding for 64-bit aligned structure */
> +    uint32_t cache_policy;      /* cacheability of the memory mapping */

Looking at this and the way you use it, the naming "cache" is quite 
confusing. On Arm, they are memory types (see B2.7 "Memory types and 
attributes" in DDI 0487D.a) and then you may have attribute such 
cachability attribute (write-through, write-back...) on top. The 
cacheability is also not applicable for "device memory".

"device memory" have other attributes related to gathering, re-ordering...

So a better naming would probably be "memory_policy".

Furthermore, those policies are only for configuring stage-2. The 
resulting memory type and attributes will be whatever is the strongest 
between stage-2 and stage-1 attributes. You can see the stage-2 
attributes as a way to give more or less freedom to the guest for 
configure the attributes.

For instance, by using p2m_mmio_direct_dev, the resulting attributes 
will always be Device-nGnRnE whatever how stage-1 has been configured.

In the case of p2m_mmio_direct_c (similar to p2m_ram_rw). The guest will 
be free to chose whatever pretty much any attributes (even Device-nGnRnE).

You might wonder why we didn't give more freedom to the guest from the 
start. One of the reason is it is quite unclear what are the consequence 
if you give that freedom to the guest. Whether there might be issues 
with the device when the attributes are not correct.

Furthermore, there are more handling required in the hypervisor as if 
the memory can be cached, you will need to clear the cache in order to 
prevent leakage to another domain if the mappings get reassigned.

For completeness, I should mention the feature S2FWB present in ARMv8.4 
and onwards. From my understanding, this could be used to force 
resulting memory type. I am not suggesting to implement it now, but we 
should keep it in my mind while writing the interface exposed in libxl.

To summarize, if we go ahead, we should try to make the documentation 
more clearer on what each policy means and the implications on the 
guest. I think we should also mark this a not security supported because 
it the unknown interactions with devices.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel