From: "Jan Beulich" <JBeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Tim Deegan <tim@xen.org>, Ian Jackson <Ian.Jackson@eu.citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>,
dgdegra@tycho.nsa.gov
Subject: Re: Ping: [PATCH v2 01/11] public / x86: introduce hvmctl hypercall
Date: Mon, 04 Jul 2016 01:31:01 -0600 [thread overview]
Message-ID: <577A2CD502000078000FAB0D@prv-mh.provo.novell.com> (raw)
In-Reply-To: <97612885-c0f0-3ab2-2b42-a0e28f990c3c@citrix.com>
>>> On 01.07.16 at 18:42, <andrew.cooper3@citrix.com> wrote:
> On 01/07/16 17:18, Jan Beulich wrote:
>>>>> On 24.06.16 at 12:28, <JBeulich@suse.com> wrote:
>>> ... as a means to replace all HVMOP_* which a domain can't issue on
>>> itself (i.e. intended for use by only the control domain or device
>>> model).
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>> Reviewed-by: Wei Liu <wei.liu2@citrix.com>
>> On the x86 side I'm just lacking feedback for this patch.
>
> I have just spent the afternoon being bitten extremely hard by our
> current unstable domctl abi, and in particular, the change of
> DOMCTL_API_VERSION when nothing relevant has changed, and am leaning
> towards David's views.
>
> With the current definition, we have 32 bits of cmd space, proper
> continuation logic via the opaque field, and 120 bytes of per-cmd space
> in the union, which plenty.
>
> How about making a proactive start to our ABI stabilisation effort,
> dropping the interface_version entirely and declaring this stable? We
> would of course want to triple check the suitability of the existing
> ops, but that can easily be rolled into this series (if any action is
> needed).
I have to admit that I'm a little frustrated by this request: The series
has been out for quite some time, and was supposedly ready to go
in if all acks had been given. Yet with what you say above you
effectively would withdraw the ones you gave on the later patches
in the series, even if you don't say so explicitly. The fact that you've
got bitten by the domctl being modeled in similar ways (yet without
actually saying how you got bitten, or what's wrong with that model)
shouldn't really have much of an influence here. Even more so if, as
I would guess, that issue of yours was with the domctl wrapping
logic in your privcmd driver in Dom0 (which is already conceptually
problematic, as the kernel isn't intended to know of or make use of
domctl-s, and hence you having made it know set you up for such
problems).
Nor do I see myself do the auditing of the involved operations right
now (and basically as a prereq for this series to go in), the more that
I've learned from commits aa956976a9 ("domctl: perform initial
post-XSA-77 auditing") and then 5590bd17c4 ("XSA-77: widen scope
again") that it's very easy to overlook some aspect(s), no matter
how much time and effort one invests. I really think that for any
such future efforts we first need to put down a complete check list
of things that need to be ensured prior to making _any_ interface
stable and usable by other than fully trusted entities.
As to the option of marking this interface stable without doing the
security audit - I don't think I would see the point.
> Another area (which is related to the issue which bit me) is the
> stability of operations like DOMCTL_pausedomain, which is unlikely to
> ever change.
>
> If we do chose to stabilise, we should design the new calls around how
> they would be used. We could do with a stable interface for "general
> emulator routines", which applies equally to things like pause/unpause
> and ioreq_server*, as opposed to most of the new hvmctl ops, which are
> specific to qemu being an LPC bus emulator.
>
> One thing I hadn't considered until now is that this takes an existing
> stable ABI and replaces it with an unstable ABI, which is a step
> backwards in terms of usability. There are certainly other advantages
> to moving the ops out of hvmop, but the instability is a detracting factor.
This is not true imo: The existing interface wasn't stable (demonstrated
by it being framed by __XEN_ / __XEN_TOOLS__ conditionals), yet it
_also_ wasn't versioned, so its instablility wasn't represented properly.
So as said to David already, I continue to think this series is an
improvement, albeit other than in the direction that both of you would
like things to move. And while I'm with you for those intentions, I don't
think I should be required to make two steps at once here.
Plus you don't comment at all on my counter proposal to stabilize the
libxc wrappers around these hypercalls instead of the hypercalls
themselves.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-07-04 7:31 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-24 10:21 [PATCH v2 00/11] hvmctl hypercall Jan Beulich
2016-06-24 10:28 ` [PATCH v2 01/11] public / x86: introduce " Jan Beulich
2016-07-01 16:18 ` Ping: " Jan Beulich
2016-07-01 16:42 ` Andrew Cooper
2016-07-04 7:31 ` Jan Beulich [this message]
2016-07-05 17:54 ` Daniel De Graaf
2016-08-03 11:06 ` George Dunlap
2016-08-03 11:52 ` Jan Beulich
2016-06-24 10:29 ` [PATCH v2 00/11] " David Vrabel
2016-06-24 10:35 ` Jan Beulich
2016-06-24 13:27 ` David Vrabel
2016-06-24 13:37 ` Jan Beulich
2016-06-24 13:51 ` David Vrabel
2016-06-24 14:25 ` Jan Beulich
2016-06-24 14:28 ` George Dunlap
2016-06-24 15:02 ` David Vrabel
2016-06-24 10:29 ` [PATCH v2 02/11] hvmctl: convert HVMOP_set_pci_intx_level Jan Beulich
2016-06-24 10:29 ` [PATCH v2 03/11] hvmctl: convert HVMOP_set_isa_irq_level Jan Beulich
2016-07-05 17:56 ` Daniel De Graaf
2016-06-24 10:30 ` [PATCH v2 04/11] hvmctl: convert HVMOP_set_pci_link_route Jan Beulich
2016-07-05 17:56 ` Daniel De Graaf
2016-06-24 10:31 ` [PATCH v2 05/11] hvmctl: convert HVMOP_track_dirty_vram Jan Beulich
2016-07-05 17:57 ` Daniel De Graaf
2016-06-24 10:31 ` [PATCH v2 06/11] hvmctl: convert HVMOP_modified_memory Jan Beulich
2016-07-05 17:58 ` Daniel De Graaf
2016-06-24 10:32 ` [PATCH v2 07/11] hvmctl: convert HVMOP_set_mem_type Jan Beulich
2016-07-05 17:58 ` Daniel De Graaf
2016-06-24 10:32 ` [PATCH v2 08/11] hvmctl: convert HVMOP_inject_trap Jan Beulich
2016-07-05 17:59 ` Daniel De Graaf
2016-06-24 10:33 ` [PATCH v2 09/11] hvmctl: convert HVMOP_inject_msi Jan Beulich
2016-07-05 17:59 ` Daniel De Graaf
2016-06-24 10:34 ` [PATCH v2 10/11] hvmctl: convert HVMOP_*ioreq_server* Jan Beulich
2016-07-05 18:00 ` Daniel De Graaf
2016-06-24 10:34 ` [PATCH v2 11/11] x86/HVM: serialize trap injecting producer and consumer Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=577A2CD502000078000FAB0D@prv-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).