| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Oct 2006 16:05:26 +0200 From: Arnd Bergmann <arnd@...db.de> To: Avi Kivity <avi@...ranet.com> Cc: linux-kernel@...r.kernel.org, kvm-devel@...ts.sourceforge.net Subject: Re: [PATCH 6/13] KVM: memory slot management On Friday 27 October 2006 15:26, Avi Kivity wrote: > > The idea would be to mmap the file into the guest real address space. > > With -o xip, the page cache for the virtual device would basically > > reside in that high address range. > > > > Ah, I see what you mean now. Like the "memory technology device" thing. Similar, but not quite. For an example, look at drivers/s390/block/dcssblk.c > > Guest users reading/writing files on it cause a memcopy between guest > > user space and the host file mapping, done by the guest file system > > implementation. > > > > The interesting point here is how to handle a host page fault on the > > file mapping. The solution on z/VM for this is to generate a special > > exception for this that will be caught by the guest kernel, telling > > it to wait until the page is there. The guest kernel can then put the > > current thread to sleep and do something else, until a second exception > > tells it that the page has been loaded by the host. The guest then > > wakes up the sleeping thread. > > > > This can work the same way for host file backed (guest block device) > > and host anonymous (guest RAM) memory. > > Certainly something like that can be done, for paravirtualized guests. Right. I forgot that the guest OS needs to at least be able to ignore the pseudo-fault. In z/VM, the pseudo-fault is delivered the first time that a guest accesses a page. If it tries to access the same page again without waiting for the second fault to be delivered, the hypervisor blocks the virtual CPU. > > Don't understand. Can't one CPU cause a TLB entry to be flushed on all > > CPUs? > It's not about tlb entries. The shadow page tables collaples a GV -> HV > -> HP double translation into a GV -> HP page table. When the Linux vm > goes around evicting pages, it invalidates those mappings. > > There are two solutions possible: lock pages which participate in these > translations (and their number can be large) or modify the Linux vm to > consult a reverse mapping and remove the translations (in which case TLB > entries need to be removed). Ok, I see. > It can shoot not only its foot, but anything the monitor's uid has > access to. Host files, the host network, other guests belonging to the > user, etc. Yes, that's what I meant. It's obviously nicer if the guest can't do that, but it's a tradeoff of the potential security impact against on how hard it is to implement hiding the addresses you don't want your guest to see. To put it into other words, do you want the optimal performance, or the optimal security? > >> c. we need to extend host tlb invalidations to invalidate tlbs on guests > >> > > > > I don't understand much about the x86 specific memory management, > > but shouldn't a TLB invalidate of a given page do the right thing > > on all CPUs, even if they are currently running a guest? > > > It's worse than I thouht: tlb entries generated by guest accesses are > tagged with the guest virtual address, to if you remove a guest > physical/host virtual page you need to invalidate the entire guest tlb. Ok, so it's the HW's fault. They either copied bad or decided doing the s390 approach was too expensive. Arnd <>< - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists