Hi, I am trying to figure out how address mapping is done for zero-copy I/O. Is it allowed by the hypervisor that a page allocated to domain0 (the privileged domain) is mapped to the address space of a domainU? So far it seems to be the other way around: a page from a domainU is mapped to the address space of domain0 when I/O requests are sent to domain0.

Another question is about the hypercall: update_va_mapping. It has three arguments: vaddr, val, flags. Can anyone kindly explain the meaning of them and how they are used in the hypercall? Actually I am puzzled why there is no machine page id as an argument, since the virtual address should be mapped to a machine page anyway when the page table is updated.

Thanks a lot.

--------------------------
Zhiyi from EPFL Switzerland

-------------------------------------------------------
much more likely that a privileged domain should have write access to an unpriv domain's memory than the other way around, don't you think?

update_va_mapping:
vaddr: virtual address to be updated
val: new PTE value including machine address to stick in there
flags: whether you thump the TLB or not (or reload LDT too, by the looks of it)

c.

On Mon, 2005-03-07 at 15:59, Zhiyi Huang wrote:
> Hi, I am trying to figure out how address mapping is done for zero-copy I/O. Is it allowed by the hypervisor that a page allocated to domain0 (the privileged domain) is mapped to the address space of a domainU? So far it seems to be the other way around: a page from a domainU is mapped to the address space of domain0 when I/O requests are sent to domain0.
>
> Another question is about the hypercall: update_va_mapping. It has three arguments: vaddr, val, flags. Can anyone kindly explain the meaning of them and how they are used in the hypercall? Actually I am puzzled why there is no machine page id as an argument, since the virtual address should be mapped to a machine page anyway when the page table is updated.
>
> Thanks a lot.
>
> --------------------------
> Zhiyi from EPFL Switzerland

-------------------------------------------------------
> Hi, I am trying to figure out how address mapping is done for zero-copy
> I/O. Is it allowed by the hypervisor that a page allocated to domain0 (the
> privileged domain) is mapped to the address space of a domainU? So far it
> seems to be the other way around: a page from a domainU is mapped to the
> address space of domain0 when I/O requests are sent to domain0.

The domain that's controlling the real device (usually dom0) maps the domU's memory before putting data into it (either directly or using PIO).

> Another question is about the hypercall: update_va_mapping. It has three
> arguments: vaddr, val, flags. Can anyone kindly explain the meaning of them
> and how they are used in the hypercall? Actually I am puzzled why there is
> no machine page id as an argument, since the virtual address should be
> mapped to a machine page anyway when the page table is updated.

Arguments to this are as Chris described.

Note that the backend drivers often use a "multicall" to perform multiple operations (e.g. update multiple address mappings) in one hypercall.

Cheers,
Mark

> Thanks a lot.
>
> --------------------------
> Zhiyi from EPFL Switzerland

-------------------------------------------------------
Thanks, Chris and Mark. Yes, I understand and appreciate the security issue between domains. Since I am considering a shared memory device in domain0, I really need a mechanism to map pages in domain0 to address space of a domainU.

> > Hi, I am trying to figure out how address mapping is done for zero-copy
> > I/O. Is it allowed by the hypervisor that a page allocated to domain0 (the
> > privileged domain) is mapped to the address space of a domainU? So far it
> > seems to be the other way around: a page from a domainU is mapped to the
> > address space of domain0 when I/O requests are sent to domain0.
>
> The domain that's controlling the real device (usually dom0) maps the domU's
> memory before putting data into it (either directly or using PIO).

Can I use this mechanism to make domU to share some pages in dom0? Where can I find the code, please?

> > Another question is about the hypercall: update_va_mapping. It has three
> > arguments: vaddr, val, flags. Can anyone kindly explain the meaning of them
> > and how they are used in the hypercall? Actually I am puzzled why there is
> > no machine page id as an argument, since the virtual address should be
> > mapped to a machine page anyway when the page table is updated.
>
> Arguments to this are as Chris described.
>
> Note that the backend drivers often use a "multicall" to perform multiple
> operations (e.g. update multiple address mappings) in one hypercall.

Yes, I have noticed it. Thanks a lot for help.

--------------------------
Zhiyi from EPFL Switzerland

-------------------------------------------------------
> > The domain that's controlling the real device (usually dom0) maps the
> > domU's memory before putting data into it (either directly or using PIO).
>
> Can I use this mechanism to make domU to share some pages in dom0? Where
> can I find the code, please?

Right now only privileged domains (i.e. dom0 or a driver domain) can map the memory of other domains. Sharing will be more flexible once the grant tables work is done and the reverse operation will be possible.

Perhaps for your shared memory work you could initially test with sharing between dom0 and a single domU? Then you can move to grant tables when they're ready to perform arbitrary sharing?

Cheers,
Mark

> > > Another question is about the hypercall: update_va_mapping. It has
> > > three arguments: vaddr, val, flags. Can anyone kindly explain the
> > > meaning of them and how they are used in the hypercall? Actually I am
> > > puzzled why there is no machine page id as an argument, since the
> > > virtual address should be mapped to a machine page anyway when the page
> > > table is updated.
> >
> > Arguments to this are as Chris described.
> >
> > Note that the backend drivers often use a "multicall" to perform multiple
> > operations (e.g. update multiple address mappings) in one hypercall.
>
> Yes, I have noticed it. Thanks a lot for help.
>
> --------------------------
> Zhiyi from EPFL Switzerland

-------------------------------------------------------
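An added illustration, not part of the thread and not Xen source, of two points made in the replies above: the machine frame travels inside the `val` PTE (so no separate machine page id argument is needed), and only a privileged domain may map a frame it does not own. It assumes the 32-bit non-PAE x86 PTE layout; `struct domain`, `frame_owner` and `check_va_mapping` are hypothetical names and the ownership table is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model. 32-bit non-PAE x86 PTE layout:
 * bits 31..12 = machine frame number (MFN), bits 11..0 = PTE flag bits. */
#define PTE_PRESENT 0x001u
#define PTE_RW      0x002u
#define PAGE_SHIFT  12
#define NFRAMES     8

enum { MAP_OK = 0, MAP_BAD_FRAME = -1, MAP_NOT_OWNER = -2 };
struct domain { int id; int privileged; };

/* Constructed ownership table: frame_owner[mfn] = id of the owning domain. */
static const int frame_owner[NFRAMES] = { 0, 0, 0, 0, 1, 1, 2, 2 };

/* Build the 'val' argument: the machine address is carried inside the PTE.
 * (These PTE bits are distinct from the hypercall's TLB-flush 'flags'.) */
static uint32_t make_pte(uint32_t mfn, uint32_t pte_flags)
{
    return (mfn << PAGE_SHIFT) | (pte_flags & 0xfffu);
}

static uint32_t pte_mfn(uint32_t pte) { return pte >> PAGE_SHIFT; }

/* Hypothetical validation of a requested mapping: recover the frame from
 * 'val' and refuse it unless the caller owns the frame or is privileged. */
static int check_va_mapping(const struct domain *caller, uint32_t val)
{
    uint32_t mfn = pte_mfn(val);

    if (!(val & PTE_PRESENT))
        return MAP_OK;              /* clearing a mapping references no frame */
    if (mfn >= NFRAMES)
        return MAP_BAD_FRAME;
    if (frame_owner[mfn] != caller->id && !caller->privileged)
        return MAP_NOT_OWNER;
    return MAP_OK;
}

int main(void)
{
    struct domain dom0 = { 0, 1 }, dom1 = { 1, 0 };
    uint32_t own = make_pte(4, PTE_PRESENT | PTE_RW); /* frame owned by dom1 */
    uint32_t d0f = make_pte(1, PTE_PRESENT | PTE_RW); /* frame owned by dom0 */

    printf("dom1 maps its own frame: %d\n", check_va_mapping(&dom1, own));
    printf("dom1 maps a dom0 frame:  %d\n", check_va_mapping(&dom1, d0f));
    printf("dom0 maps a dom1 frame:  %d\n", check_va_mapping(&dom0, own));
    return 0;
}
```

-------------------------------------------------------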
> Right now only privileged domains (i.e. dom0 or a driver domain) can map
> the memory of other domains. Sharing will be more flexible once the grant
> tables work is done and the reverse operation will be possible.
>
> Perhaps for your shared memory work you could initially test with sharing
> between dom0 and a single domU? Then you can move to grant tables when
> they're ready to perform arbitrary sharing?

Another thing you could do as a workaround is make all the domains you're interested in into privileged domains. Right now this means making them into driver domains* - you could give them all access to a spare PCI device on your system but not compile the driver into their kernels so they won't try to drive it. Once you do this, they can map any other domain's memory.

[*] this is a hack - it'd be nice if it were possible to just make domains privileged but there's currently not the corresponding path in the tools.

Cheers,
Mark

> Cheers,
> Mark
>
> > > > Another question is about the hypercall: update_va_mapping. It has
> > > > three arguments: vaddr, val, flags. Can anyone kindly explain the
> > > > meaning of them and how they are used in the hypercall? Actually I am
> > > > puzzled why there is no machine page id as an argument, since the
> > > > virtual address should be mapped to a machine page anyway when the
> > > > page table is updated.
> > >
> > > Arguments to this are as Chris described.
> > >
> > > Note that the backend drivers often use a "multicall" to perform
> > > multiple operations (e.g. update multiple address mappings) in one
> > > hypercall.
> >
> > Yes, I have noticed it. Thanks a lot for help.
> >
> > --------------------------
> > Zhiyi from EPFL Switzerland

-------------------------------------------------------
On Tue, 8 Mar 2005, Mark Williamson wrote:
> The domain that's controlling the real device (usually dom0) maps the domU's
> memory before putting data into it (either directly or using PIO).

Surely this could be optimised by (on a 64 bit system) mapping all of physical memory into dom0 kernel virtual memory, so it doesn't need to bother mapping and unmapping pages that IO is being done to ?

--
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan

-------------------------------------------------------
> > The domain that's controlling the real device (usually dom0) maps the domU's
> > memory before putting data into it (either directly or using PIO).
>
> Surely this could be optimised by (on a 64 bit system) mapping
> all of physical memory into dom0 kernel virtual memory, so it
> doesn't need to bother mapping and unmapping pages that IO is
> being done to ?

At the expense of protection, yes.

With sane DMA-capable hardware the driver domain never needs to actually map the page into its address space anyhow. However, the grant table stuff will still be required to enable us to configure the IO MMU appropriately to allow the DMA (we expect to see such h/w support become commonplace).

Ian

-------------------------------------------------------
On Tue, 8 Mar 2005, Ian Pratt wrote:
> At the expense of protection, yes.

Protection against mistakes, which can be mitigated by having the full physical memory map at a different address from where the kernel usually accesses its memory.

I suspect we won't have to try protecting against a malicious domain 0 ;)

> With sane DMA-capable hardware the driver domain never needs to actually
> map the page into its address space anyhow. However, the grant table
> stuff will still be required to enable us to configure the IO MMU
> appropriately to allow the DMA (we expect to see such h/w support become
> commonplace).

True for some kinds of IO. Network IO needs sorting through packets, so no direct DMA will be done.

--
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan

-------------------------------------------------------
On Tuesday, March 08, Rik van Riel wrote:
> On Tue, 8 Mar 2005, Ian Pratt wrote:
>
>> At the expense of protection, yes.
>
> Protection against mistakes, which can be mitigated by having the
> full physical memory map at a different address from where the
> kernel usually accesses its memory.
>
> I suspect we won't have to try protecting against a malicious
> domain 0 ;)

While domain 0 may not start out being malicious, all it takes is one remotely exploitable buffer overflow to make it so.

>> With sane DMA-capable hardware the driver domain never needs to
>> actually map the page into its address space anyhow. However, the
>> grant table stuff will still be required to enable us to configure
>> the IO MMU appropriately to allow the DMA (we expect to see such h/w
>> support become commonplace).
>
> True for some kinds of IO. Network IO needs sorting through
> packets, so no direct DMA will be done.

But if we generalize this to every I/O domain that owns a DMA device and provides access to it to other domains (for whatever reason) then it is easy to see how protection quickly deteriorates. And if we don't generalize it then we should ask why domain 0 should be special in this regard.

Perhaps a better way to tackle this is to understand what you feel the issues with grant tables and selective mappings are.

Joseph Cihula
(Linux) Software Security Architect
Intel Corp.

*** These opinions are not necessarily those of my employer ***

-------------------------------------------------------
> > With sane DMA-capable hardware the driver domain never needs to actually
> > map the page into its address space anyhow. However, the grant table
> > stuff will still be required to enable us to configure the IO MMU
> > appropriately to allow the DMA (we expect to see such h/w support become
> > commonplace).
>
> True for some kinds of IO. Network IO needs sorting through
> packets, so no direct DMA will be done.

The headers of network packets are sent out-of-band so that mapping of the main payload is only required if you have some very fancy iptables rules that do deep inspection.

I don't believe there's a significant overhead to the protection provided by grant tables, and they go some way to keeping the security folks happy.

Anyhow, we can benchmark it in a couple of days...

Ian