From: Julien Grall <julien@xen.org>
To: Penny Zheng <Penny.Zheng@arm.com>, xen-devel@lists.xenproject.org
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Bertrand Marquis <bertrand.marquis@arm.com>,
Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Subject: Re: [PATCH v6 1/9] xen/arm: introduce static shared memory
Date: Fri, 26 Aug 2022 14:17:08 +0100 [thread overview]
Message-ID: <ce6c2e20-2d5f-dccc-e4d0-0e8ce92caeb4@xen.org> (raw)
In-Reply-To: <20220721132115.3015761-2-Penny.Zheng@arm.com>
Hi Penny,
On 21/07/2022 14:21, Penny Zheng wrote:
> From: Penny Zheng <penny.zheng@arm.com>
>
> This patch series introduces a new feature: setting up static
> shared memory on a dom0less system, through device tree configuration.
>
> This commit parses shared memory node at boot-time, and reserve it in
> bootinfo.reserved_mem to avoid other use.
>
> This commits proposes a new Kconfig CONFIG_STATIC_SHM to wrap
> static-shm-related codes, and this option depends on static memory(
> CONFIG_STATIC_MEMORY). That's because that later we want to reuse a few
> helpers, guarded with CONFIG_STATIC_MEMORY, like acquire_staticmem_pages, etc,
> on static shared memory.
>
> Signed-off-by: Penny Zheng <penny.zheng@arm.com>
> ---
> v6 change:
> - when host physical address is ommited, output the error message since
> xen doesn't support it at the moment
> - add the following check: 1) The shm ID matches and the region exactly match
> 2) The shm ID doesn't match and the region doesn't overlap
> - change it to "unsigned int" to be aligned with nr_banks
> - check the len of the property to confirm is it big enough to
> contain "paddr", "size", and "gaddr"
> - shm_id defined before nr_shm_domain, so we could re-use the existing hole and
> avoid increasing the size of the structure.
> - change "nr_shm_domain" to "nr_shm_borrowers", to not increment if the role
> is owner in parsing code
> - make "xen,shm_id" property as arbitrary string, with a strict limit on
> the number of characters, MAX_SHM_ID_LENGTH
> ---
> v5 change:
> - no change
> ---
> v4 change:
> - nit fix on doc
> ---
> v3 change:
> - make nr_shm_domain unsigned int
> ---
> v2 change:
> - document refinement
> - remove bitmap and use the iteration to check
> - add a new field nr_shm_domain to keep the number of shared domain
> ---
> docs/misc/arm/device-tree/booting.txt | 124 ++++++++++++++++++++
> xen/arch/arm/Kconfig | 6 +
> xen/arch/arm/bootfdt.c | 157 ++++++++++++++++++++++++++
> xen/arch/arm/include/asm/setup.h | 9 ++
> 4 files changed, 296 insertions(+)
>
> diff --git a/docs/misc/arm/device-tree/booting.txt b/docs/misc/arm/device-tree/booting.txt
> index 98253414b8..8013fb98fe 100644
> --- a/docs/misc/arm/device-tree/booting.txt
> +++ b/docs/misc/arm/device-tree/booting.txt
> @@ -378,3 +378,127 @@ device-tree:
>
> This will reserve a 512MB region starting at the host physical address
> 0x30000000 to be exclusively used by DomU1.
> +
> +Static Shared Memory
> +====================
> +
> +The static shared memory device tree nodes allow users to statically set up
> +shared memory on dom0less system, enabling domains to do shm-based
> +communication.
> +
> +- compatible
> +
> + "xen,domain-shared-memory-v1"
> +
> +- xen,shm-id
> +
> + An arbitrary string that represents the unique identifier of the shared
> + memory region, with a strict limit on the number of characters(\0 included),
> + `MAX_SHM_ID_LENGTH(16)`. e.g. "xen,shm-id = "my-shared-mem-1"".
> +
> +- xen,shared-mem
> +
> + An array takes a physical address, which is the base address of the
> + shared memory region in host physical address space, a size, and a guest
> + physical address, as the target address of the mapping.
> + e.g. xen,shared-mem = < [host physical address] [size] [guest address] >
Your implementation below is checking for overlap and also have some
restriction. Can they be documented in the binding?
> +
> + The number of cells for the host address (and size) is the same as the
> + guest pseudo-physical address and they are inherited from the parent node.
In v5, we discussed to have the host address optional. However, the
binding has not been updated to reflect that. Note that I am not asking
to implement, but instead request that the binding can be used for such
setup.
> +
> +
> +- role (Optional)
> +
> + A string property specifying the ownership of a shared memory region,
> + the value must be one of the following: "owner", or "borrower"
> + A shared memory region could be explicitly backed by one domain, which is
> + called "owner domain", and all the other domains who are also sharing
> + this region are called "borrower domain".
> + If not specified, the default value is "borrower" and owner is
> + DOMID_IO, a system domain.
> +
> +As an example:
> +
> +chosen {
> + #address-cells = <0x1>;
> + #size-cells = <0x1>;
> + xen,xen-bootargs = "console=dtuart dtuart=serial0 bootscrub=0";
> +
> + ......
> +
> + /* this is for Dom0 */
> + dom0-shared-mem@10000000 {
> + compatible = "xen,domain-shared-memory-v1";
> + role = "owner";
> + xen,shm-id = "my-shared-mem-0";
> + xen,shared-mem = <0x10000000 0x10000000 0x10000000>;
> + }
> +
> + domU1 {
> + compatible = "xen,domain";
> + #address-cells = <0x1>;
> + #size-cells = <0x1>;
> + memory = <0 131072>;
> + cpus = <2>;
> + vpl011;
> +
> + /*
> + * shared memory region identified as 0x0(xen,shm-id = <0x0>)
> + * is shared between Dom0 and DomU1.
> + */
> + domU1-shared-mem@10000000 {
> + compatible = "xen,domain-shared-memory-v1";
> + role = "borrower";
> + xen,shm-id = "my-shared-mem-0";
> + xen,shared-mem = <0x10000000 0x10000000 0x50000000>;
> + }
> +
> + /*
> + * shared memory region identified as 0x1(xen,shm-id = <0x1>)
> + * is shared between DomU1 and DomU2.
> + */
> + domU1-shared-mem@50000000 {
> + compatible = "xen,domain-shared-memory-v1";
> + xen,shm-id = "my-shared-mem-1";
> + xen,shared-mem = <0x50000000 0x20000000 0x60000000>;
> + }
> +
> + ......
> +
> + };
> +
> + domU2 {
> + compatible = "xen,domain";
> + #address-cells = <0x1>;
> + #size-cells = <0x1>;
> + memory = <0 65536>;
> + cpus = <1>;
> +
> + /*
> + * shared memory region identified as 0x1(xen,shm-id = <0x1>)
> + * is shared between domU1 and domU2.
> + */
> + domU2-shared-mem@50000000 {
> + compatible = "xen,domain-shared-memory-v1";
> + xen,shm-id = "my-shared-mem-1";
> + xen,shared-mem = <0x50000000 0x20000000 0x70000000>;
> + }
> +
> + ......
> + };
> +};
> +
> +This is an example with two static shared memory regions.
> +
> +For the static shared memory region identified as "my-shared-mem-0", host
> +physical address starting at 0x10000000 of 256MB will be reserved to be
> +shared between Dom0 and DomU1. It will get mapped at 0x10000000 in Dom0 guest
> +physical address space, and at 0x50000000 in DomU1 guest physical address space.
> +Dom0 is explicitly defined as the owner domain, and DomU1 is the borrower domain.
> +
> +For the static shared memory region identified as "my-shared-mem-1", host
> +physical address starting at 0x50000000 of 512MB will be reserved to be
> +shared between DomU1 and DomU2. It will get mapped at 0x60000000 in DomU1 guest
> +physical address space, and at 0x70000000 in DomU2 guest physical address space.
> +DomU1 and DomU2 are both the borrower domain, the owner domain is the default
> +owner domain DOMID_IO.
> diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig
> index be9eff0141..7321f47c0f 100644
> --- a/xen/arch/arm/Kconfig
> +++ b/xen/arch/arm/Kconfig
> @@ -139,6 +139,12 @@ config TEE
>
> source "arch/arm/tee/Kconfig"
>
> +config STATIC_SHM
> + bool "Statically shared memory on a dom0less system" if UNSUPPORTED
> + depends on STATIC_MEMORY
> + help
> + This option enables statically shared memory on a dom0less system.
> +
> endmenu
>
> menu "ARM errata workaround via the alternative framework"
> diff --git a/xen/arch/arm/bootfdt.c b/xen/arch/arm/bootfdt.c
> index ec81a45de9..c62d8867ec 100644
> --- a/xen/arch/arm/bootfdt.c
> +++ b/xen/arch/arm/bootfdt.c
> @@ -13,6 +13,7 @@
> #include <xen/init.h>
> #include <xen/efi.h>
> #include <xen/device_tree.h>
> +#include <xen/lib.h>
> #include <xen/libfdt/libfdt.h>
> #include <xen/sort.h>
> #include <xsm/xsm.h>
> @@ -361,6 +362,158 @@ static int __init process_domain_node(const void *fdt, int node,
> size_cells, &bootinfo.reserved_mem, true);
> }
>
> +#ifdef CONFIG_STATIC_SHM
> +static int __init process_shm_node(const void *fdt, int node,
> + u32 address_cells, u32 size_cells)
> +{
> + const struct fdt_property *prop, *prop_id, *prop_role;
> + const __be32 *cell;
> + paddr_t paddr, size;
> + struct meminfo *mem = &bootinfo.reserved_mem;
> + unsigned int i;
> + int len;
> + bool owner = false;
> + const char *shm_id;
> +
> + if ( address_cells < 1 || size_cells < 1 )
> + {
> + printk("fdt: invalid #address-cells or #size-cells for static shared memory node.\n");
> + return -EINVAL;
> + }
> +
> + /*
> + * "xen,shm-id" property holds an arbitrary string with a strict limit
> + * on the number of characters, MAX_SHM_ID_LENGTH
> + */
> + prop_id = fdt_get_property(fdt, node, "xen,shm-id", NULL);
> + if ( !prop_id )
> + return -ENOENT;
> + shm_id = (const char *)prop_id->data;
> + if ( strnlen(shm_id, MAX_SHM_ID_LENGTH) == MAX_SHM_ID_LENGTH )
> + {
> + printk("fdt: invalid xen,shm-id %s, it must be limited to %d characters\n",
NIT: s/%d/%u/ as MAX_SHM_ID_LENGTH can not be negative.
> + shm_id, MAX_SHM_ID_LENGTH);
> + return -EINVAL;
> + }
> +
> + /*
> + * "role" property is optional and if it is defined explicitly,
> + * it must be either `owner` or `borrower`.
> + */
> + prop_role = fdt_get_property(fdt, node, "role", NULL);
> + if ( prop_role )
> + {
> + if ( !strcmp(prop_role->data, "owner") )
> + owner = true;
> + else if ( strcmp(prop_role->data, "borrower") )
> + {
> + printk("fdt: invalid `role` property for static shared memory node.\n");
> + return -EINVAL;
> + }
> + }
> +
> + /*
> + * xen,shared-mem = <paddr, size, gaddr>;
> + * Memory region starting from physical address #paddr of #size shall
> + * be mapped to guest physical address #gaddr as static shared memory
> + * region.
> + */
> + prop = fdt_get_property(fdt, node, "xen,shared-mem", &len);
> + if ( !prop )
> + return -ENOENT;
> +
> + if ( len != dt_cells_to_size(address_cells + size_cells + address_cells) )
> + {
> + /* TODO: physical address is optional. */
NIT: I would drop this comment because the printk() clearly indicate
what's unsupported.
> + if ( len == dt_cells_to_size(size_cells + address_cells) )
> + printk("fdt: host physical address must be chosen by users at the moment.\n");
> +
> + printk("fdt: invalid `xen,shared-mem` property.\n");
> + return -EINVAL;
> + }
> +
> + cell = (const __be32 *)prop->data;
> + device_tree_get_reg(&cell, address_cells, size_cells, &paddr, &size);
> +
> + if ( !size )
> + {
> + printk("fdt: the size for static shared memory region can not be zero\n");
> + return -EINVAL;
> + }
> +
> + for ( i = 0; i < mem->nr_banks; i++ )
> + {
> + /*
> + * Meet the following check:
> + * 1) The shm ID matches and the region exactly match
> + * 2) The shm ID doesn't match and the region doesn't overlap
> + * with an existing one
> + */
> + if ( paddr == mem->bank[i].start && size == mem->bank[i].size )
> + {
> + if ( strncmp(shm_id, mem->bank[i].shm_id, MAX_SHM_ID_LENGTH) == 0 )
> + break;
> + else
> + {
> + printk("fdt: xen,shm-id %s does not match for all the nodes using the same region.\n",
> + shm_id);
> + return -EINVAL;
> + }
> + }
> + else
> + {
> + paddr_t end = paddr + size;
> + paddr_t bank_end = mem->bank[i].start + mem->bank[i].size;
In both cases, end/bank_end may end up to be lower than
paddr/mem->bank[i].start. So I think we also want to check that they
don't overflow.
> +
> + if ( (end <= mem->bank[i].start) || (paddr >= bank_end) )
> + {
> + if ( strncmp(shm_id, mem->bank[i].shm_id,
> + MAX_SHM_ID_LENGTH) != 0 )
You have already validate the string. So you could use strcmp() here.
Otherwise, it seems...
> + continue;
> + else
> + {
> + printk("fdt: different shared memory region could not share the same shm ID %s\n",
> + shm_id);
... odd to print the value if you don't trust it :).
> + return -EINVAL;
> + }
> + }
> + else
> + {
> + printk("fdt: shared memory region overlap with an existing entry %#"PRIpaddr" - %#"PRIpaddr"\n",
> + mem->bank[i].start, bank_end);
> + return -EINVAL;
> + }
> + }
> + }
> +
> + if ( i == mem->nr_banks )
> + {
> + if ( i < NR_MEM_BANKS )
> + {
> + /* Static shared memory shall be reserved from any other use. */
> + safe_strcpy(mem->bank[mem->nr_banks].shm_id, shm_id);
> + mem->bank[mem->nr_banks].start = paddr;
> + mem->bank[mem->nr_banks].size = size;
> + mem->bank[mem->nr_banks].xen_domain = true;
> + mem->nr_banks++;
> + }
> + else
> + {
> + printk("Warning: Max number of supported memory regions reached.\n");
> + return -ENOSPC;
> + }
> + }
> + /*
> + * keep a count of the number of borrowers, which later may be used
> + * to calculate the reference count.
> + */
> + if ( !owner )
> + mem->bank[i].nr_shm_borrowers++;
> +
> + return 0;
> +}
> +#endif
> +
> static int __init early_scan_node(const void *fdt,
> int node, const char *name, int depth,
> u32 address_cells, u32 size_cells,
> @@ -386,6 +539,10 @@ static int __init early_scan_node(const void *fdt,
> process_chosen_node(fdt, node, name, address_cells, size_cells);
> else if ( depth == 2 && device_tree_node_compatible(fdt, node, "xen,domain") )
> rc = process_domain_node(fdt, node, name, address_cells, size_cells);
> +#ifdef CONFIG_STATIC_SHM
> + else if ( depth <= 3 && device_tree_node_compatible(fdt, node, "xen,domain-shared-memory-v1") )
> + rc = process_shm_node(fdt, node, address_cells, size_cells);
> +#endif
I would prefer if we provide a dummy helper for process_shm_node() when
!CONFIG_STATIC_SHM. This would also have the advantage to let the user
know that they are trying to use shared memory with a Xen that doesn't
support it.
>
> if ( rc < 0 )
> printk("fdt: node `%s': parsing failed\n", name);
> diff --git a/xen/arch/arm/include/asm/setup.h b/xen/arch/arm/include/asm/setup.h
> index 2bb01ecfa8..39d4e93b8b 100644
> --- a/xen/arch/arm/include/asm/setup.h
> +++ b/xen/arch/arm/include/asm/setup.h
> @@ -23,10 +23,19 @@ typedef enum {
> } bootmodule_kind;
>
>
> +#ifdef CONFIG_STATIC_SHM
> +/* Indicates the maximum number of characters(\0 included) for shm_id */
> +#define MAX_SHM_ID_LENGTH 16
> +#endif
Is the #ifdef really needed?
> +
> struct membank {
> paddr_t start;
> paddr_t size;
> bool xen_domain; /* whether the memory bank is bound to a Xen domain. */
> +#ifdef CONFIG_STATIC_SHM
> + char shm_id[MAX_SHM_ID_LENGTH];
> + unsigned int nr_shm_borrowers;
> +#endif
> };
If I calculated right, the structure will grow from 24 to 40 bytes. At
the moment, this is protected with CONFIG_STATIC_SHM which is
unsupported. However, I think we will need to do something as we can't
continue to grow 'membank' like that.
I don't have a quick suggestion for 4.17 (the feature freeze is in a
week). Long term, I think we will want to consider to move the shm ID in
a separate array that could be referenced here.
The other solution would be to have the shared memory regions in a
separate array. They would have their own structure which would either
embedded "membank" or contain a pointer/index to the bank.
Cheers,
--
Julien Grall
next prev parent reply other threads:[~2022-08-26 13:17 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-21 13:21 [PATCH v6 0/9] static shared memory on dom0less system Penny Zheng
2022-07-21 13:21 ` [PATCH v6 1/9] xen/arm: introduce static shared memory Penny Zheng
2022-08-26 13:17 ` Julien Grall [this message]
2022-08-29 6:57 ` Penny Zheng
2022-08-29 21:16 ` Stefano Stabellini
2022-09-01 15:40 ` Julien Grall
2022-09-01 15:44 ` Bertrand Marquis
2022-09-02 3:26 ` Penny Zheng
2022-09-02 8:13 ` Julien Grall
2022-07-21 13:21 ` [PATCH v6 2/9] xen/arm: allocate static shared memory to the default owner dom_io Penny Zheng
2022-08-26 13:59 ` Julien Grall
2022-07-21 13:21 ` [PATCH v6 3/9] xen/arm: allocate static shared memory to a specific owner domain Penny Zheng
2022-07-21 13:21 ` [PATCH v6 4/9] xen/arm: introduce put_page_nr and get_page_nr Penny Zheng
2022-07-21 13:21 ` [PATCH v6 5/9] xen/arm: Add additional reference to owner domain when the owner is allocated Penny Zheng
2022-09-01 17:12 ` Julien Grall
2022-09-02 1:59 ` Stefano Stabellini
2022-07-21 13:21 ` [PATCH v6 6/9] xen/arm: set up shared memory foreign mapping for borrower domain Penny Zheng
2022-07-21 13:21 ` [PATCH v6 7/9] xen/arm: create shared memory nodes in guest device tree Penny Zheng
2022-08-26 13:13 ` Julien Grall
2022-07-21 13:21 ` [PATCH v6 8/9] xen/arm: enable statically shared memory on Dom0 Penny Zheng
2022-07-21 13:21 ` [PATCH v6 9/9] xen: Add static memory sharing in SUPPORT.md Penny Zheng
2022-08-26 7:21 ` Michal Orzel
2022-08-29 6:20 ` Penny Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ce6c2e20-2d5f-dccc-e4d0-0e8ce92caeb4@xen.org \
--to=julien@xen.org \
--cc=Penny.Zheng@arm.com \
--cc=Volodymyr_Babchuk@epam.com \
--cc=bertrand.marquis@arm.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.