James Harper
2008-Mar-04 03:34 UTC
[Xen-devel] information leaking between domains via granted pages?
Is there a statement anywhere regarding information that could be leaked or modified between domains when pages are granted?

Eg, Dom0 sends a network packet to DomU. The network data only uses 64 bytes in the page, but DomU (via a specially crafted netfront driver) can access and record all the other data in the page...

James

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Santos, Jose Renato G
2008-Mar-04 05:51 UTC
[Xen-devel] RE: information leaking between domains via granted pages?
> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com
> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of James Harper
> Sent: Monday, March 03, 2008 7:35 PM
> To: xen-devel@lists.xensource.com
> Subject: [Xen-devel] information leaking between domains via granted pages?
>
> Is there a statement anywhere regarding information that could be leaked or modified between domains when pages are granted?
>
> Eg, Dom0 sends a network packet to DomU. The network data only uses 64 bytes in the page, but DomU (via a specially crafted netfront driver) can access and record all the other data in the page...

This is not a problem today as DomU is not granted access to any Dom0 page. DomU is the one which grants access to dom0 both for TX and RX. On the other hand dom0 can access any data in granted domU pages but this is OK as we trust dom0.

Renato

> James
James Harper
2008-Mar-04 08:21 UTC
[Xen-devel] RE: information leaking between domains via granted pages?
> This is not a problem today as DomU is not granted access to any Dom0
> page. DomU is the one which grants access to dom0 both for TX and RX.
> On the other hand dom0 can access any data in granted domU pages but
> this is OK as we trust dom0.

Maybe I'm mistaken about the way 'page flipping' on the rx path works then... care to enlighten me?

James
Keir Fraser
2008-Mar-04 08:49 UTC
Re: [Xen-devel] RE: information leaking between domains via granted pages?
On 4/3/08 08:21, "James Harper" <james.harper@bendigoit.com.au> wrote:

>> This is not a problem today as DomU is not granted access to any Dom0
>> page. DomU is the one which grants access to dom0 both for TX and RX.
>> On the other hand dom0 can access any data in granted domU pages but
>> this is OK as we trust dom0.
>
> Maybe I'm mistaken about the way 'page flipping' on the rx path works
> then... care to enlighten me?

The flipping path is not high performance these days as we expect only very old domUs to use it. All skbuffs destined for a flipping interface are laundered through netbk_copy_skb(). Note its judicious use of __GFP_ZERO.

 -- Keir
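Added example, not part of the thread and not the Xen netback code: a user-space C model of the laundering step described in the message above, showing why copying the packet into a zeroed page leaves nothing else for the receiving domain to read. `calloc` stands in for a `__GFP_ZERO` page allocation; the function names, the `PG_SIZE` constant and the 0xAA/0x42 fill bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PG_SIZE 4096u

/* Count non-zero bytes outside [off, off+len): data the receiving domain
 * could read from the page although it is not part of the packet. */
size_t residual_bytes(const uint8_t *page, size_t off, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < PG_SIZE; i++)
        if ((i < off || i >= off + len) && page[i] != 0)
            n++;
    return n;
}

/* Model of laundering: take a zeroed page (calloc stands in for a
 * __GFP_ZERO allocation) and copy only the packet bytes into it.
 * Returns NULL on out-of-page bounds or allocation failure. */
uint8_t *launder_copy(const uint8_t *src_page, size_t off, size_t len)
{
    if (off > PG_SIZE || len > PG_SIZE - off) return NULL;
    uint8_t *fresh = calloc(1, PG_SIZE);
    if (fresh == NULL) return NULL;
    memcpy(fresh + off, src_page + off, len);
    return fresh;
}

/* Constructed sample: a page full of stale data holding one short packet. */
uint8_t *make_dirty_page(size_t off, size_t len)
{
    uint8_t *page = malloc(PG_SIZE);
    if (page == NULL) return NULL;
    memset(page, 0xAA, PG_SIZE);     /* stale data from earlier use */
    memset(page + off, 0x42, len);   /* the packet payload */
    return page;
}

int main(void)
{
    uint8_t *dirty = make_dirty_page(128, 64);
    uint8_t *clean = dirty ? launder_copy(dirty, 128, 64) : NULL;
    /* Handing over 'dirty' exposes 4032 stale bytes; 'clean' exposes none. */
    int ok = clean && residual_bytes(dirty, 128, 64) == PG_SIZE - 64
                   && residual_bytes(clean, 128, 64) == 0;
    free(clean); free(dirty);
    return ok ? 0 : 1;
}
```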
James Harper
2008-Mar-04 08:53 UTC
RE: [Xen-devel] RE: information leaking between domains via granted pages?
> > Maybe I'm mistaken about the way 'page flipping' on the rx path works
> > then... care to enlighten me?
>
> The flipping path is not high performance these days as we expect only
> very old domUs to use it. All skbuffs destined for a flipping interface
> are laundered through netbk_copy_skb(). Note its judicious use of
> __GFP_ZERO.

Hmmm... I thought that flipping would be a high performance path?

So if we use rx-copy, does this mean that data is received from a physical interface (or another domain) via DMA, and then actually copied into the buffers for DomU? Do we consider the performance implications of this too low to be worrying about?

Thanks

James
Keir Fraser
2008-Mar-04 09:37 UTC
Re: [Xen-devel] RE: information leaking between domains via granted pages?
On 4/3/08 08:53, "James Harper" <james.harper@bendigoit.com.au> wrote:

>> The flipping path is not high performance these days as we expect only
>> very old domUs to use it. All skbuffs destined for a flipping interface
>> are laundered through netbk_copy_skb(). Note its judicious use of
>> __GFP_ZERO.
>
> Hmmm... I thought that flipping would be a high performance path?
>
> So if we use rx-copy, does this mean that data is received from a
> physical interface (or another domain) via DMA, and then actually copied
> into the buffers for DomU? Do we consider the performance implications
> of this too low to be worrying about?

Yes, it's a little surprising, but experiments showed that, even with large datagrams, the performance of copying versus flipping was pretty comparable. With normal Ethernet MTU copying was significantly faster. Also copying gives us more flexibility wrt where we place the data in the domU page. So flipping is now deprecated.

 -- Keir
James Harper
2008-Mar-04 09:43 UTC
RE: [Xen-devel] RE: information leaking between domains via granted pages?
> Yes, it's a little surprising, but experiments showed that, even with
> large datagrams, the performance of copying versus flipping was pretty
> comparable. With normal Ethernet MTU copying was significantly faster.
> Also copying gives us more flexibility wrt where we place the data in
> the domU page. So flipping is now deprecated.

Even with large send offload?

Thanks for the explanation.

James
Keir Fraser
2008-Mar-04 09:48 UTC
Re: [Xen-devel] RE: information leaking between domains via granted pages?
On 4/3/08 09:43, "James Harper" <james.harper@bendigoit.com.au> wrote:

>> Yes, it's a little surprising, but experiments showed that, even with
>> large datagrams, the performance of copying versus flipping was pretty
>> comparable. With normal Ethernet MTU copying was significantly faster.
>> Also copying gives us more flexibility wrt where we place the data in
>> the domU page. So flipping is now deprecated.
>
> Even with large send offload?

Up to a page of data, yes, and that's all that matters (since flipping overhead is per-page).

 -- Keir