Hi, Paul!
On 07/31/2017 12:03 PM, Paul Durrant wrote:
-----Original Message-----
[snip]
Comparison for display use-case
===============================
1 Number of grant references used
1-1 grant references: nr_pages
1-2 GNTTABOP_transfer: nr_pages
1-3 XENMEM_exchange: not an option
2 Effect of DomU crash on Dom0 (its mapped pages)
2-1 grant references: pages can be unmapped by Dom0, Dom0 is fully
recovered
2-2 GNTTABOP_transfer: pages will be returned to the Hypervisor, lost
for Dom0
2-3 XENMEM_exchange: not an option
3 Security issues from sharing Dom0 pages to DomU
1-1 grant references: none
1-2 GNTTABOP_transfer: none
1-3 XENMEM_exchange: not an option
At the moment approach 1 with granted references seems to be a winner for
sharing buffers both ways, e.g. Dom0 -> DomU and DomU -> Dom0.
Conclusion
==========
I would like to get some feedback from the community on which approach
is more
suitable for sharing large buffers and to have a clear vision on cons
and pros
of each one: please feel free to add other metrics I missed and correct
the ones
I commented on. I would appreciate help on comparing approaches 2 and 3
as I
have little knowledge of these APIs (2 seems to be addressed by
Christopher, and
3 seems to be relevant to what Konrad/Stefano do WRT SWIOTLB).
Hi,
I once implemented a scheme where network frontends used memory granted from
backends and this hit quite a few problems:
- If domU is allowed to grant map memory from dom0, there is not currently a
way to forcibly take it back (so I don't think you're quite correct in 2-1
above... but I may have missed something).
This is where I was not 100% confident, so you seem to be right here.
Hence the domU can hold dom0's memory to ransom.
Yes, this is the problem
(In the network case this was avoided by using grant table v2 'copy-only'
grants).
- If you end up having to grant buffers which do not originate in dom0 (i.e.
they were grant mapped from another domU) then this creates similar problems
with one domU holding another domU's memory to ransom, even when using
copy-only grants. I don’t think this would be an issue in your use-case.
In our use-cases we will only share from Dom0 to DomU in case Dom0 is
1:1 mapped
Otherwise, HW should be capable of dealing with non-contiguous memory
- Currently the default grant table size is 32 pages and it may not take that
many guests using a protocol where dom0 grants memory to domU to exhaust dom0's
grant table
Yes, I know about this limitation, thank you
(depending on how many grants-per-domU the protocol allows). If you're
intending to grant large buffers then you may need quite a few grants (since
they are per-4k-chunk) to do this, so you might run into this limit.
Cheers,
Paul
Thank you for comments,
so in both cases (with grant refs or memory transfer) there is no way to
cleanly
recover from DomU crash (either grants cannot be returned or memory goes
to the
hypervisor, not Dom0).
Is this correct?
Thank you,
Oleksandr
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
