On Fri, 2020-05-29 at 08:13 +0000, Bertrand Marquis wrote:
> Hi Julien,
> 
> > On 28 May 2020, at 19:54, Julien Grall <jul...@xen.org> wrote:
> > 
> > Hi Bertrand,
> > 
> > Thank you for the patch.
> > 
> > On 28/05/2020 16:25, Bertrand Marquis wrote:
> > > At the moment on Arm, a Linux guest running with KPTI enabled will
> > > cause the following error when a context switch happens in user mode:
> > > (XEN) p2m.c:1890: d1v0: Failed to walk page-table va 0xffffff837ebe0cd0
> > > This patch is modifying runstate handling to map the area given by the
> > > guest inside Xen during the hypercall.
> > > This is removing the guest virtual to physical conversion during context
> > > switches which removes the bug
> > 
> > It would be good to spell out that a virtual address is not stable.
> > So relying on it is wrong.
> > 
> > > and improves performance by preventing page table walks during
> > > context switches.
> > 
> > With Secret free hypervisor in mind, I would like to suggest to
> > map/unmap the runstate during context switch.
> > 
> > The cost should be minimal when there is a direct map (i.e. on Arm64
> > and x86) and still provide better performance on Arm32.
> 
> Even with a minimal cost this is still adding some non real-time
> behaviour to the context switch.
> But definitely from the security point of view as we have to map a
> page from the guest, we could have accessible in Xen some data that
> should not be there.
> There is a trade here where:
> - Xen can protect by map/unmapping
> - a guest which wants to secure his data should either not use it or
> make sure there is nothing else in the page
> 
> That sounds like a thread local storage kind of problematic where we
> want data from Xen to be accessible fast from the guest and easy to
> be modified from Xen.

Can't we just map it into the per-domain region, so that the mapping
and unmapping of runstate is baked into the per-domain region switch
itself during context switch?

Anyway, I am glad to help with secret-free bits if required, although
my knowledge on the Xen Arm side is limited.

Hongyan

