From: "Jan Beulich" <JBeulich@suse.com>
To: george.dunlap@citrix.com
Cc: Tamas K Lengyel <tamas@tklengyel.com>,
Wei Liu <wei.liu2@citrix.com>,
Razvan Cojocaru <rcojocaru@bitdefender.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
aisaila@bitdefender.com,
xen-devel <xen-devel@lists.xenproject.org>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [PATCH v1] Fix p2m_set_suppress_ve
Date: Fri, 05 Apr 2019 01:36:08 -0600 [thread overview]
Message-ID: <5CA705680200007800224C5D@prv1-mh.provo.novell.com> (raw)
In-Reply-To: <44BAFC90-7662-4A5C-B781-229712663926@citrix.com>
>>> On 04.04.19 at 16:54, <George.Dunlap@citrix.com> wrote:
>> On Apr 4, 2019, at 3:36 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>> On 04.04.19 at 15:09, <tamas@tklengyel.com> wrote:
>>> I agree that it is confusing. It would be fine to UNSHARE here as well
>>> to keep things consistent but otherwise it's not really an issue as
>>> the entry type is checked later to ensure that this is a p2m_ram_rw
>>> entry. We are simply trying to keep mem_sharing and _modified_ altp2m
>>> entries exclusive. So it is fine to have mem_shared entries in the
>>> hostp2m and have those entries be copied into altp2m tables lazily,
>>> but for altp2m entries that have changed mem_access permissions or are
>>> remapped we want the entries in the hostp2m to be of regular type.
>>> This is not necessarily a technical requirement, it's mostly just to
>>> reduce complexity. So it would be fine to add UNSHARE here as well, I
>>> guess the only reason why I haven't done that is because I already
>>> trigger the unshare and copy-to-altp2m before remapping by setting
>>> dummy mem_access permission on the entries.
>>
>> I'm afraid I don't agree with this justification: mem-sharing is about
>> contents of pages, whereas altp2m is about meta data (permissions
>> etc). I don't see why one would want to unshare because of a meta
>> data adjustment other than a page becoming non-CoW-writable.
>> Eagerly un-sharing in the end undermines the intentions of sharing.
>
> Remember also that altp2ms allow someone to set not just alternate views
> with different permissions, but also alternate views with different backing
> mfns. Combining shared mfns with alternate views with different mfns on the
> same gfn means that you have to be very careful not to end up giving write
> permission to the shared page, which would be a security issue. Unsharing
> when creating an altp2m entry means that any given gfn is *either* shared
> *or* duplicated across altp2ms, but not both; this simplifies the reasoning.
Hmm, yes, I can see how this gets complicated. But is this behavior
symmetric? I.e. will attempts to share a GFN fail when it has a non-
default setting in one of the alternate views? Looking at the code I
can't seem to recognize such behavior.
Furthermore I'm puzzled by p2m_altp2m_propagate_change()
apparently blindly overwriting (almost) everything. Is it really
intended in almost cases (there looks to be an exception when
the old entry holds INVALID_MFN; I wonder though whether its
condition isn't inverted) to discard special access and/or MFNs in
alternate views when the host p2m's respective slot changes?
Looking at the function I also wonder whether it doesn't
pointlessly call p2m_reset_altp2m() when old and new entry
both hold INVALID_MFN.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
WARNING: multiple messages have this Message-ID (diff)
From: "Jan Beulich" <JBeulich@suse.com>
To: <george.dunlap@citrix.com>
Cc: Tamas K Lengyel <tamas@tklengyel.com>,
Wei Liu <wei.liu2@citrix.com>,
Razvan Cojocaru <rcojocaru@bitdefender.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
aisaila@bitdefender.com,
xen-devel <xen-devel@lists.xenproject.org>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [Xen-devel] [PATCH v1] Fix p2m_set_suppress_ve
Date: Fri, 05 Apr 2019 01:36:08 -0600 [thread overview]
Message-ID: <5CA705680200007800224C5D@prv1-mh.provo.novell.com> (raw)
Message-ID: <20190405073608.59DRJetuCAstna99sAp_99cyzwnU1TlKU7dUAE9TWIg@z> (raw)
In-Reply-To: <44BAFC90-7662-4A5C-B781-229712663926@citrix.com>
>>> On 04.04.19 at 16:54, <George.Dunlap@citrix.com> wrote:
>> On Apr 4, 2019, at 3:36 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>> On 04.04.19 at 15:09, <tamas@tklengyel.com> wrote:
>>> I agree that it is confusing. It would be fine to UNSHARE here as well
>>> to keep things consistent but otherwise it's not really an issue as
>>> the entry type is checked later to ensure that this is a p2m_ram_rw
>>> entry. We are simply trying to keep mem_sharing and _modified_ altp2m
>>> entries exclusive. So it is fine to have mem_shared entries in the
>>> hostp2m and have those entries be copied into altp2m tables lazily,
>>> but for altp2m entries that have changed mem_access permissions or are
>>> remapped we want the entries in the hostp2m to be of regular type.
>>> This is not necessarily a technical requirement, it's mostly just to
>>> reduce complexity. So it would be fine to add UNSHARE here as well, I
>>> guess the only reason why I haven't done that is because I already
>>> trigger the unshare and copy-to-altp2m before remapping by setting
>>> dummy mem_access permission on the entries.
>>
>> I'm afraid I don't agree with this justification: mem-sharing is about
>> contents of pages, whereas altp2m is about meta data (permissions
>> etc). I don't see why one would want to unshare because of a meta
>> data adjustment other than a page becoming non-CoW-writable.
>> Eagerly un-sharing in the end undermines the intentions of sharing.
>
> Remember also that altp2ms allow someone to set not just alternate views
> with different permissions, but also alternate views with different backing
> mfns. Combining shared mfns with alternate views with different mfns on the
> same gfn means that you have to be very careful not to end up giving write
> permission to the shared page, which would be a security issue. Unsharing
> when creating an altp2m entry means that any given gfn is *either* shared
> *or* duplicated across altp2ms, but not both; this simplifies the reasoning.
Hmm, yes, I can see how this gets complicated. But is this behavior
symmetric? I.e. will attempts to share a GFN fail when it has a non-
default setting in one of the alternate views? Looking at the code I
can't seem to recognize such behavior.
Furthermore I'm puzzled by p2m_altp2m_propagate_change()
apparently blindly overwriting (almost) everything. Is it really
intended in almost cases (there looks to be an exception when
the old entry holds INVALID_MFN; I wonder though whether its
condition isn't inverted) to discard special access and/or MFNs in
alternate views when the host p2m's respective slot changes?
Looking at the function I also wonder whether it doesn't
pointlessly call p2m_reset_altp2m() when old and new entry
both hold INVALID_MFN.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2019-04-05 7:36 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-03 14:29 [PATCH v1] Fix p2m_set_suppress_ve Alexandru Stefan ISAILA
2019-04-03 14:58 ` Jan Beulich
2019-04-03 15:17 ` Razvan Cojocaru
2019-04-03 15:30 ` Jan Beulich
2019-04-03 15:48 ` Razvan Cojocaru
2019-04-03 16:04 ` Jan Beulich
2019-04-03 16:16 ` Tamas K Lengyel
2019-04-03 17:07 ` Razvan Cojocaru
2019-04-03 17:12 ` Tamas K Lengyel
2019-04-04 10:16 ` Jan Beulich
2019-04-03 17:41 ` Razvan Cojocaru
2019-04-04 10:47 ` Jan Beulich
2019-04-04 12:46 ` Razvan Cojocaru
2019-04-04 12:49 ` Andrew Cooper
2019-04-04 13:15 ` Tamas K Lengyel
2019-04-04 12:50 ` Razvan Cojocaru
2019-04-04 13:09 ` Tamas K Lengyel
2019-04-04 14:36 ` Jan Beulich
2019-04-04 14:43 ` Tamas K Lengyel
2019-04-04 14:51 ` Jan Beulich
2019-04-04 15:06 ` Tamas K Lengyel
2019-04-04 14:54 ` George Dunlap
2019-04-05 7:36 ` Jan Beulich [this message]
2019-04-05 7:36 ` [Xen-devel] " Jan Beulich
2019-04-05 13:59 ` Tamas K Lengyel
2019-04-05 13:59 ` [Xen-devel] " Tamas K Lengyel
2019-04-04 14:32 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5CA705680200007800224C5D@prv1-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=aisaila@bitdefender.com \
--cc=andrew.cooper3@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=rcojocaru@bitdefender.com \
--cc=roger.pau@citrix.com \
--cc=tamas@tklengyel.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.