I try to let xen calls a kernel function in guest OS, is it possible?

Here is the detail:

Normally, when a guest hits a fault, the control is transferred to xen.
Then xen handles the fault and then transfer the control back to
guest.

For example, in original xen:

    void some_fault_handler()
    {
        ...
        ...
        finally, then let guest os handles it
    }

Now, I want to call some guest OS function in xen's handler:

    void some_fault_handler()
    {
        guest_func() // a function in guest kernel
        ...
        ...
        finally, then let guest os handles it
    }

I can write a module (driver) in guest os, so when guest os boots, I
can pass the address of my function to xen. My question is that when
xen calls my function, it needs to switch to "guest mode". How to do
this? and when the function call finishes, how to let it come back to
xen's context?

Thanks,
Weiming

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Daniel Stodden
2008-Jul-06 09:15 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
On Sun, 2008-07-06 at 00:18 -0400, weiming wrote:
> I try to let xen calls a kernel function in guest OS, is it possible?
>
> Here is the detail:
>
> Normally, when a guest hits a fault, the control is transferred to xen.
> Then xen handles the fault and then transfer the control back to
> guest.
>
> For example, in original xen:
>
>     void some_fault_handler()
>     {
>         ...
>         ...
>         finally, then let guest os handles it
>     }
>
> Now, I want to call some guest OS function in xen's handler:
>
>     void some_fault_handler()
>     {
>         guest_func() // a function in guest kernel
>         ...
>         ...
>         finally, then let guest os handles it
>     }
>
> I can write a module (driver) in guest os, so when guest os boots, I
> can pass the address of my function to xen. My question is that when
> xen calls my function, it needs to switch to "guest mode". How to do
> this? and when the function call finishes, how to let it come back to
> xen's context?

The way you envision it, i.e. per function pointer, this is just a
mega-bad idea :). While in theory possible, you'd execute arbitrary
insecure (per definition) guest system code at the VMM privilege level.
If at all, it would only work if the calling conventions in Xen and the
guest code match. Beyond that, there's 32/64-bit mixed modes, NPT
translation, and many more reasons not even to consider it.

There's different ways for Xen to communicate with guests. None of them
can give you the simple synchronous calling scheme you suggest.
Reasons include limitations in how the hardware implements control
transfers across different privilege levels and security/stability
considerations. Even if that were not enough, you would experience some
funny effects in the guest kernel, and an overall hypervisor design
which will just refuse to switch back and forth between VMM and guest
execution.

Have a look at Xen's event channels, trap (interrupt) injections and the
overall shared memory paradigm underlying communications with guests. If
that's what you need, then maybe send a description on what you're
actually up to. :)

hth,
Daniel

--
Daniel Stodden
LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation
Institut für Informatik der TU München D-85748 Garching
http://www.lrr.in.tum.de/~stodden mailto:stodden@cs.tum.edu
PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B
weiming
2008-Jul-06 15:46 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
Hi Daniel,

Thanks a lot. You confirmed my worries. Event channel may not work for me
since I need to call the function in an interrupt handler.
I'll check out trap injection. I don't know what is this, hope it would be
helpful.

Thanks again,
Weiming

On Sun, Jul 6, 2008 at 5:15 AM, Daniel Stodden <stodden@cs.tum.edu> wrote:
> On Sun, 2008-07-06 at 00:18 -0400, weiming wrote:
> > I try to let xen calls a kernel function in guest OS, is it possible?
> >
> > Here is the detail:
> >
> > Normally, when a guest hits a fault, the control is transferred to xen.
> > Then xen handles the fault and then transfer the control back to
> > guest.
> >
> > For example, in original xen:
> >
> >     void some_fault_handler()
> >     {
> >         ...
> >         ...
> >         finally, then let guest os handles it
> >     }
> >
> > Now, I want to call some guest OS function in xen's handler:
> >
> >     void some_fault_handler()
> >     {
> >         guest_func() // a function in guest kernel
> >         ...
> >         ...
> >         finally, then let guest os handles it
> >     }
> >
> > I can write a module (driver) in guest os, so when guest os boots, I
> > can pass the address of my function to xen. My question is that when
> > xen calls my function, it needs to switch to "guest mode". How to do
> > this? and when the function call finishes, how to let it come back to
> > xen's context?
>
> The way you envision it, i.e. per function pointer, this is just a
> mega-bad idea :). While in theory possible, you'd execute arbitrary
> insecure (per definition) guest system code at the VMM privilege level.
> If at all, it would only work if the calling conventions in Xen and the
> guest code match. Beyond that, there's 32/64-bit mixed modes, NPT
> translation, and many more reasons not even to consider it.
>
> There's different ways for Xen to communicate with guests. None of them
> can give you the simple synchronous calling scheme you suggest.
> Reasons include limitations in how the hardware implements control
> transfers across different privilege levels and security/stability
> considerations. Even if that were not enough, you would experience some
> funny effects in the guest kernel, and an overall hypervisor design
> which will just refuse to switch back and forth between VMM and guest
> execution.
>
> Have a look at Xen's event channels, trap (interrupt) injections and the
> overall shared memory paradigm underlying communications with guests. If
> that's what you need, then maybe send a description on what you're
> actually up to. :)
>
> hth,
> Daniel
>
> --
> Daniel Stodden
> LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation
> Institut für Informatik der TU München D-85748 Garching
> http://www.lrr.in.tum.de/~stodden
> mailto:stodden@cs.tum.edu
> PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B
Daniel Stodden
2008-Jul-06 21:26 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
On Sun, 2008-07-06 at 11:46 -0400, weiming wrote:
> Hi Daniel,
>
> Thanks a lot. You confirmed my worries. Event channel may not work for
> me since I need to call the function in an interrupt handler.
> I'll check out trap injection. I don't know what is this, hope it
> would be helpful.

Pardon, sloppy word choice. What I mean would be rather called a 'trap
bounce' or just 'callback' in the Xen source. Event channel activations
work on top of that.

Best,
Daniel

--
Daniel Stodden
LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation
Institut für Informatik der TU München D-85748 Garching
http://www.lrr.in.tum.de/~stodden mailto:stodden@cs.tum.edu
PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B
weiming
2008-Jul-07 21:46 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
Hi Daniel,

Event channel is one-way and async, right?
When hypervisor send a notification to guest within an interrupt handler,
can the guest receive and respond to the notification? If yes, after guest
finished processing, can the control be back to xen?

(In the interrupt handler, I need the guest to look up something within its
own kernel data structure and return the result to xen. This is the purpose
of my question)

Thanks in advance!
Weiming

On Sun, Jul 6, 2008 at 5:26 PM, Daniel Stodden <stodden@cs.tum.edu> wrote:
> On Sun, 2008-07-06 at 11:46 -0400, weiming wrote:
> > Hi Daniel,
> >
> > Thanks a lot. You confirmed my worries. Event channel may not work for
> > me since I need to call the function in an interrupt handler.
> > I'll check out trap injection. I don't know what is this, hope it
> > would be helpful.
>
> Pardon, sloppy word choice. What I mean would be rather called a 'trap
> bounce' or just 'callback' in the Xen source. Event channel activations
> work on top of that.
>
> Best,
> Daniel
>
> --
> Daniel Stodden
> LRR - Lehrstuhl für Rechnertechnik und Rechnerorganisation
> Institut für Informatik der TU München D-85748 Garching
> http://www.lrr.in.tum.de/~stodden
> mailto:stodden@cs.tum.edu
> PGP Fingerprint: F5A4 1575 4C56 E26A 0B33 3D80 457E 82AE B0D8 735B
Jeremy Fitzhardinge
2008-Jul-07 21:57 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
weiming wrote:
> Hi Daniel,
>
> Event channel is one-way and async, right?
> When hypervisor send a notification to guest within an interrupt
> handler, can the guest receive and respond to the notification? If
> yes, after guest finished processing, can the control be back to xen?

It can do a hypercall.

J
weiming
2008-Jul-07 22:14 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
Do you mean making a hypercall after guest domain finishes processing? If
so, in xen, after event_send(), will xxx() be executed immediately
(non-blocking)?

    Xen:                              Guest:

    _interrupt_handler()
    {
        ...
        ...
        event_send(guest_dom)         event_virq_handler()
    post: xxx()                       {
                                          do_process()

                                          hypercall_xxx()?

                                      }
        ...
    }

On Mon, Jul 7, 2008 at 5:57 PM, Jeremy Fitzhardinge <jeremy@goop.org> wrote:
> weiming wrote:
>
>> Hi Daniel,
>>
>> Event channel is one-way and async, right?
>> When hypervisor send a notification to guest within an interrupt handler,
>> can the guest receive and respond to the notification? If yes, after guest
>> finished processing, can the control be back to xen?
>>
>
> It can do a hypercall.
>
> J
Jeremy Fitzhardinge
2008-Jul-07 22:32 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
weiming wrote:
> Do you mean making a hypercall after guest domain finishes
> processing? If so, in xen, after event_send(), will xxx() be executed
> immediately (non-blocking)?
>
>     Xen:                              Guest:
>
>     _interrupt_handler()
>     {
>         ...
>         ...
>         event_send(guest_dom)         event_virq_handler()
>     post: xxx()                       {
>                                           do_process()
>
>                                           hypercall_xxx()?
>
>                                       }
>         ...
>     }

You can get Xen to do a callback into the guest. You can either define
this as an event callback (probably a virq like the timer or debug
interrupts), or a specific callback like syscall, event delivery,
failsafe exceptions etc. That schedules the guest vcpu running at a
particular address in kernel context; it can do whatever processing you
want, then do a hypercall to pass the results back into the hypervisor.

It's as close as you're going to get to a synchronous "call into guest"
mechanism. On the hypervisor side you're going to have to deal with it
as an async operation with split "call into guest" and "get results from
guest" phases. You also have to deal with the guest calling the
hypercall 0-N times - with no correlation to your callbacks, and with
arbitrary arguments (ie, can't trust the guest's data).

J
weiming
2008-Jul-08 00:12 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
Hi Jeremy,

Thanks for your answering.

If my understanding is correct, do you mean the hypervisor side should look
like:

    Xen:

    _interrupt_handler()
        ...
        ...
        event_send(guest_dom)
        while(event_receive(&result))
        {

        }
    post: xxx()

        ...
    }

Thanks a lot!
Weiming

On Mon, Jul 7, 2008 at 6:32 PM, Jeremy Fitzhardinge <jeremy@goop.org> wrote:
> weiming wrote:
>
>> Do you mean making a hypercall after guest domain finishes processing? If
>> so, in xen, after event_send(), will xxx() be executed immediately
>> (non-blocking)?
>>
>>     Xen:                              Guest:
>>
>>     _interrupt_handler() {
>>         ...
>>         ...
>>         event_send(guest_dom)         event_virq_handler()
>>     post: xxx()                       {
>>                                           do_process()
>>
>>                                           hypercall_xxx()?
>>
>>                                       }
>>         ...
>>     }
>>
>
> You can get Xen to do a callback into the guest. You can either define
> this as an event callback (probably a virq like the timer or debug
> interrupts), or a specific callback like syscall, event delivery, failsafe
> exceptions etc. That schedules the guest vcpu running at a particular
> address in kernel context; it can do whatever processing you want, then do a
> hypercall to pass the results back into the hypervisor.
>
> It's as close as you're going to get to a synchronous "call into guest"
> mechanism. On the hypervisor side you're going to have to deal with it as
> an async operation with split "call into guest" and "get results from guest"
> phases. You also have to deal with the guest calling the hypercall 0-N
> times - with no correlation to your callbacks, and with arbitrary arguments
> (ie, can't trust the guest's data).
>
> J
Jeremy Fitzhardinge
2008-Jul-08 00:20 UTC
Re: [Xen-devel] how to callback from hypervisor to guest os?
weiming wrote:
> Hi Jeremy,
>
> Thanks for your answering.
>
> If my understanding is correct, do you mean the hypervisor side should
> look like:
>
>     Xen:
>
>     _interrupt_handler()
>         ...
>         ...
>         event_send(guest_dom)
>         while(event_receive(&result))
>         {
>
>         }
>     post: xxx()
>
>         ...
>     }

No, not at all. It would have to be something like:

    interrupt_handler()
    {
        set_up_state(guest_dom);
        send_event(guest_dom);
    }

    ...

    do_my_hypercall(...)
    {
        do_stuff(guest_dom);
    }

J
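
An added example, not part of the original thread and not Xen code: a self-contained C model of the split "call into guest" / "get results from guest" design described above, showing how the hypercall side can reject replies that are unsolicited, repeated, mismatched or out of range. All names (request_lookup, do_result_hypercall, cancel_lookup, RESULT_MAX) and the sequence-tag scheme are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DOMS   4
#define RESULT_MAX 1024u  /* assumed bound on a valid lookup result */

enum req_state { REQ_IDLE, REQ_PENDING, REQ_DONE };
struct guest_req { enum req_state state; uint32_t seq; uint32_t result; };
static struct guest_req reqs[MAX_DOMS];  /* one outstanding request per domain */

/* Phase 1, interrupt path: record state, notify, return without waiting.
 * Returns the sequence tag, or -1 if dom is invalid or a request is pending. */
long request_lookup(unsigned dom)
{
    if (dom >= MAX_DOMS || reqs[dom].state == REQ_PENDING)
        return -1;
    reqs[dom].state = REQ_PENDING;
    /* the event/virq notification to the guest would be sent here */
    return (long)++reqs[dom].seq;
}

/* Phase 2, hypercall path: seq and result are guest-controlled. In a real
 * hypervisor dom comes from the calling vcpu, never from an argument. */
int do_result_hypercall(unsigned dom, uint32_t seq, uint32_t result)
{
    if (dom >= MAX_DOMS)                 return -1;
    if (reqs[dom].state != REQ_PENDING)  return -2;  /* unsolicited or repeated */
    if (seq != reqs[dom].seq)            return -3;  /* not the request we sent */
    if (result >= RESULT_MAX)            return -4;  /* value out of range */
    reqs[dom].result = result;
    reqs[dom].state = REQ_DONE;
    return 0;
}

/* The guest may never answer: the requester expires the slot itself. */
void cancel_lookup(unsigned dom)
{
    if (dom < MAX_DOMS && reqs[dom].state == REQ_PENDING)
        reqs[dom].state = REQ_IDLE;
}

int main(void)
{
    long seq = request_lookup(1);
    printf("spurious=%d ", do_result_hypercall(2, 1, 5));
    printf("accepted=%d\n", do_result_hypercall(1, (uint32_t)seq, 7));
    return 0;
}
```

The interrupt path never waits on the guest; whatever consumes the result runs later, after the state has moved to REQ_DONE.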