First, I used "xm debug-key D" to dump ept mappings. But I have a doubt about the mapping.
I started a 32bit HVM whose memory is 512, so the max gfn should be 0x1ffff.
But the result of "xm dmesg" showed gfn->mfn mapping until 0xfffff.
Output looked like below:

(XEN) gfn: fc012 mfn: 179e6
(XEN) gfn: fc013 mfn: 179e5
(XEN) gfn: fee00 mfn: 2e8
(XEN) gfn: feffb mfn: 178fd
(XEN) gfn: feffc mfn: 178fc
(XEN) gfn: feffd mfn: 178fb
(XEN) gfn: feffe mfn: 178fa
(XEN) gfn: fefff mfn: 178f9
(XEN) gfn: fffff mfn: 2eb

What I think is every HVM has one EPT table and the table maps the allocated memory like from 0 to 0x1ffff, why does the HVM ept map all the 4G space? Isn't it unnecessary and a waste of memory?

Second, I want to copy the system ept and use the copy for later translation. Since the HVM is 512M, so I need one PML4 pointed by eptp, one PDP pointed by PML4 entry[0], one PD pointed by PDP entry[0], 512 PT's pointed by all PD entries. After all settings are done, I've got gfn->mfn mapping of 1G memory. I think it should be working, but not. Where am I wrong? What would I pay attention to?

Looking forward to your help,
Yao

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi,

At 21:57 +0800 on 18 Jul (1311026244), YAO wrote:
> First, I used "xm debug-key D" to dump ept mappings. But I have a doubt
> about the mapping.
> I started a 32bit HVM whose memory is 512, so the max gfn should be 0x1ffff.
> But the result of "xm dmesg" showed gfn->mfn mapping until 0xfffff.
> Output looked like below:
> (XEN) gfn: fc012 mfn: 179e6
> (XEN) gfn: fc013 mfn: 179e5
> (XEN) gfn: fee00 mfn: 2e8
> (XEN) gfn: feffb mfn: 178fd
> (XEN) gfn: feffc mfn: 178fc
> (XEN) gfn: feffd mfn: 178fb
> (XEN) gfn: feffe mfn: 178fa
> (XEN) gfn: fefff mfn: 178f9
> (XEN) gfn: fffff mfn: 2eb
>
> What I think is every HVM has one EPT table and the table maps the allocated
> memory like from 0 to 0x1ffff, why does the HVM ept map all the 4G space?
> Isn't it unnecessary and a waste of memory?

Guest PFN-space is not contiguous. Like a real PC, there are some areas of the address space just below 4GB that are used for special things like MMIO. So you should see RAM up to about 512MiB, then a big gap, and then the entries above.

> Second, I want to copy the system ept and use the copy for later
> translation. Since the HVM is 512M, so I need one PML4 pointed by eptp, one
> PDP pointed by PML4 entry[0], one PD pointed by PDP entry[0], 512 PT's
> pointed by all PD entries. After all settings are done, I've got gfn->mfn
> mapping of 1G memory. I think it should be working, but not. Where am I
> wrong? What would I pay attention to?

As you noticed there are some entries that are not in the bottom 512MiB; you'll need to handle those as well.

Other than that it's hard to tell from your description. What are you trying to achieve by copying the p2m?

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

2011/7/18 Tim Deegan <Tim.Deegan@citrix.com>
> Hi,
>
> At 21:57 +0800 on 18 Jul (1311026244), YAO wrote:
> > First, I used "xm debug-key D" to dump ept mappings. But I have a doubt
> > about the mapping.
> > I started a 32bit HVM whose memory is 512, so the max gfn should be 0x1ffff.
> > But the result of "xm dmesg" showed gfn->mfn mapping until 0xfffff.
> > Output looked like below:
> > (XEN) gfn: fc012 mfn: 179e6
> > (XEN) gfn: fc013 mfn: 179e5
> > (XEN) gfn: fee00 mfn: 2e8
> > (XEN) gfn: feffb mfn: 178fd
> > (XEN) gfn: feffc mfn: 178fc
> > (XEN) gfn: feffd mfn: 178fb
> > (XEN) gfn: feffe mfn: 178fa
> > (XEN) gfn: fefff mfn: 178f9
> > (XEN) gfn: fffff mfn: 2eb
> >
> > What I think is every HVM has one EPT table and the table maps the allocated
> > memory like from 0 to 0x1ffff, why does the HVM ept map all the 4G space?
> > Isn't it unnecessary and a waste of memory?
>
> Guest PFN-space is not contiguous. Like a real PC, there are some
> areas of the address space just below 4GB that are used for special
> things like MMIO. So you should see RAM up to about 512MiB, then a big
> gap, and then the entries above.
>
> > Second, I want to copy the system ept and use the copy for later
> > translation. Since the HVM is 512M, so I need one PML4 pointed by eptp, one
> > PDP pointed by PML4 entry[0], one PD pointed by PDP entry[0], 512 PT's
> > pointed by all PD entries. After all settings are done, I've got gfn->mfn
> > mapping of 1G memory. I think it should be working, but not. Where am I
> > wrong? What would I pay attention to?
>
> As you noticed there are some entries that are not in the bottom
> 512MiB; you'll need to handle those as well.
>
> Other than that it's hard to tell from your description. What are you
> trying to achieve by copying the p2m?
>

Hi, Tim

Thanks for your reply. Copying the ept table is my first step, next I want to switch between system ept and my own ept smoothly.
Attached is my code of copying ept and switching ept, I wish you could take a look at it.

I copied exactly every mapping one by one, but when I dumped the gfn->mfn mapping (I've modified ept_dump_p2m_table to find unequal entry), there are some strange output like this:

(XEN) gfn: 200 mfn: 117def my_mfn: 10d600
(XEN) gfn: 400 mfn: 117dee my_mfn: 111200
(XEN) gfn: 600 mfn: 117ded my_mfn: 111000
(XEN) gfn: 800 mfn: 117dec my_mfn: 10de00
......
(XEN) gfn: 14a00 mfn: 1176bb my_mfn: 10800
(XEN) gfn: 14c00 mfn: 1176ba my_mfn: 10600
(XEN) gfn: 14e00 mfn: 1176b9 my_mfn: 10400
(XEN) gfn: 15000 mfn: 1176b8 my_mfn: 10200
......
(XEN) gfn: 1f600 mfn: 117b46 my_mfn: 4200
(XEN) gfn: 1f800 mfn: 117b45 my_mfn: 4000

It shouldn't have any unequal entry, I thought... and every mismatch has a step of 0x200 until 0x1f800, which really confused me.

>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
>

Hi,

At 18:57 +0800 on 19 Jul (1311101864), YAO wrote:
> I copied exactly every mapping one by one, but when I dumped the gfn->mfn
> mapping(I've modified ept_dump_p2m_table to find unequal entry),
> there are some strange output like this:
>
> (XEN) gfn: 200 mfn: 117def my_mfn: 10d600
> (XEN) gfn: 400 mfn: 117dee my_mfn: 111200
> (XEN) gfn: 600 mfn: 117ded my_mfn: 111000
> (XEN) gfn: 800 mfn: 117dec my_mfn: 10de00
> ......
> (XEN) gfn: 14a00 mfn: 1176bb my_mfn: 10800
> (XEN) gfn: 14c00 mfn: 1176ba my_mfn: 10600
> (XEN) gfn: 14e00 mfn: 1176b9 my_mfn: 10400
> (XEN) gfn: 15000 mfn: 1176b8 my_mfn: 10200
> ......
> (XEN) gfn: 1f600 mfn: 117b46 my_mfn: 4200
> (XEN) gfn: 1f800 mfn: 117b45 my_mfn: 4000
>
> It shouldn't have any unequal entry, I thought...and
> Every mismatch has a step of 0x200 until 0x1f800, which really confused me.

Hmmm. The "my_mfn" values go up in 0x200s (which is the size of a full EPT page) too but the "mfn" values go down 1 at a time. I suspect that your code is confused somewhere about the number of levels in the EPT tables.

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

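The 4-level index split that both replies above turn on, as an added example that is not part of the original thread and is not Xen's code. The function names, the level numbering (3 = PML4 down to 0 = PT) and the RAM bounds 0 and 0x1ffff in the sample list are assumptions of this example; the other gfns are taken from the dumps quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EPT_INDEX_BITS 9   /* 512 eight-byte entries per 4 KiB table page */

/* Index used at one level of the walk: 3 = PML4, 2 = PDPT, 1 = PD, 0 = PT. */
static unsigned ept_index(uint64_t gfn, int level)
{
    return (unsigned)((gfn >> (level * EPT_INDEX_BITS)) & 0x1ff);
}

/* Distinct table pages needed at `level` to map every gfn in the list.
 * Two gfns share a table at a level when all index bits above it are equal. */
static size_t tables_needed(const uint64_t *gfns, size_t n, int level)
{
    int shift = (level + 1) * EPT_INDEX_BITS;
    size_t count = 0;

    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < i && (gfns[j] >> shift) != (gfns[i] >> shift))
            j++;
        if (j == i)            /* first gfn seen with this upper-bit prefix */
            count++;
    }
    return count;
}

/* gfns from the dumps in the thread; 0 and 0x1ffff are assumed RAM bounds. */
static const uint64_t sample_gfns[] = {
    0x0, 0x200, 0x1f800, 0x1ffff, 0xfc012, 0xfee00, 0xfefff, 0xfffff,
};
#define N_SAMPLES (sizeof(sample_gfns) / sizeof(sample_gfns[0]))

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++) {
        uint64_t g = sample_gfns[i];
        printf("gfn %6llx: pml4 %u pdpt %u pd %3u pt %3u\n",
               (unsigned long long)g, ept_index(g, 3), ept_index(g, 2),
               ept_index(g, 1), ept_index(g, 0));
    }
    printf("PDPT pages %zu, PD pages %zu, PT pages %zu\n",
           tables_needed(sample_gfns, N_SAMPLES, 2),
           tables_needed(sample_gfns, N_SAMPLES, 1),
           tables_needed(sample_gfns, N_SAMPLES, 0));
    return 0;
}
```

The gfns from 0xfc012 upward decode to PDPT index 3, so a copy built only under PDPT entry 0 cannot reach them, and a gfn step of 0x200 advances the PD index by one while the PT index stays at 0.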
2011/7/19 Tim Deegan <Tim.Deegan@citrix.com>
> Hi,
>
> At 18:57 +0800 on 19 Jul (1311101864), YAO wrote:
> > I copied exactly every mapping one by one, but when I dumped the gfn->mfn
> > mapping(I've modified ept_dump_p2m_table to find unequal entry),
> > there are some strange output like this:
> >
> > (XEN) gfn: 200 mfn: 117def my_mfn: 10d600
> > (XEN) gfn: 400 mfn: 117dee my_mfn: 111200
> > (XEN) gfn: 600 mfn: 117ded my_mfn: 111000
> > (XEN) gfn: 800 mfn: 117dec my_mfn: 10de00
> > ......
> > (XEN) gfn: 14a00 mfn: 1176bb my_mfn: 10800
> > (XEN) gfn: 14c00 mfn: 1176ba my_mfn: 10600
> > (XEN) gfn: 14e00 mfn: 1176b9 my_mfn: 10400
> > (XEN) gfn: 15000 mfn: 1176b8 my_mfn: 10200
> > ......
> > (XEN) gfn: 1f600 mfn: 117b46 my_mfn: 4200
> > (XEN) gfn: 1f800 mfn: 117b45 my_mfn: 4000
> >
> > It shouldn't have any unequal entry, I thought...and
> > Every mismatch has a step of 0x200 until 0x1f800, which really confused me.
>
> Hmmm. The "my_mfn" values go up in 0x200s (which is the size of a
> full EPT page) too but the "mfn" values go down 1 at a time. I suspect
> that your code is confused somewhere about the number of levels in the
> EPT tables.
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
>

Hi, Tim

Many thanks for your tip, yes, I didn't cope with the levels properly. I have fixed it.
But here's another problem. Since I have a full ept copy, if I replace the system eptp with my eptp, the domU will still be running like nothing happened. Now the domU may be compromised, it didn't respond to any keystroke or click...
Did I miss something when switching the eptp to and back?

Thanks,
Yao

At 15:37 +0800 on 20 Jul (1311176224), YAO wrote:
> Many thanks for your tip, yes, I didn't cope with the levels properly. I
> have fixed it.
> But here's another problem. Since I have a full ept copy, if I replace the
> system eptp with my eptp,
> the domU will still be running like nothing happened. Now the domU may be
> compromised, it didn't respond to any keystroke or click...
> Did I miss something when switching the eptp to and back?

Maybe? This isn't the kind of bug I can fix by email; I think you need to dig into it yourself.

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)

Hi, Tim

Thanks for your reply, I reviewed my code and found some confusing things:
We know the p2m top-level page is allocated in function "p2m_alloc_table" which called p2m_alloc_ptp, then the eptp can be assigned to point to this page.
An example looks like "mfn of page = 0xd4ec2, eptp = 0xd4ec201e" (I have 4G mem, Xen is 32bit PAE)

But when I allocate my p2m_top page, the mfn looks very strange----"mfn 0x117b21".
I use "ept_set_middle_entry" to allocate pdp and get the mfn of pdp is "0x117b20". So is the case of allocating pd.
How could xen allocate a mfn beyond the total memory without any warning?

When I dump my page, I need to use map_domain_page. But it seems like I did map successfully using these mfn's.
That's puzzling.

Waiting for your reply,
Yao

2011/7/20 Tim Deegan <Tim.Deegan@citrix.com>
> At 15:37 +0800 on 20 Jul (1311176224), YAO wrote:
> > Many thanks for your tip, yes, I didn't cope with the levels properly. I
> > have fixed it.
> > But here's another problem. Since I have a full ept copy, if I replace the
> > system eptp with my eptp,
> > the domU will still be running like nothing happened. Now the domU may be
> > compromised, it didn't respond to any keystroke or click...
> > Did I miss something when switching the eptp to and back?
>
> Maybe? This isn't the kind of bug I can fix by email; I think you need
> to dig into it yourself.
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)
>

Hi,

At 16:45 +0800 on 22 Jul (1311353108), YAO wrote:
> Thanks for your reply, I reviewed my code and found some confusing things:
> We know the p2m top-level page is allocated in function "p2m_alloc_table"
> which called p2m_alloc_ptp,
> then the eptp can be assigned to point to this page.
> An example looks like "mfn of page = 0xd4ec2, eptp = 0xd4ec201e" (I have 4G
> mem, Xen is 32bit PAE)
>
> But when I allocate my p2m_top page, the mfn looks very strange----"mfn
> 0x117b21".

That MFN is at about 380MiB above 4GiB, which looks normal for a machine with 4GiB of RAM. If you look at the e820 RAM map that Xen prints at boot it will show you how your memory is laid out.

Tim.

--
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd. (Company #02937203, SL9 0BG)