Hi,
Volodymyr Babchuk writes: > Hi Andrew, > > Andrew Cooper writes: > >> On 24/02/2021 23:58, Volodymyr Babchuk wrote: >>> And I am not mentioning x86 support there... >> >> x86 uses per-pCPU stacks, not per-vCPU stacks. >> >> Transcribing from an old thread which happened in private as part of an >> XSA discussion, concerning the implications of trying to change this. >> >> ~Andrew >> >> -----8<----- >> >> Here is a partial list off the top of my head of the practical problems >> you're going to have to solve. >> >> Introduction of new SpectreRSB vulnerable gadgets. I'm really close to >> being able to drop RSB stuffing and recover some performance in Xen. >> >> CPL0 entrypoints need updating across schedule. SYSCALL entry would >> need to become a stub per vcpu, rather than the current stub per pcpu. >> This requires reintroducing a writeable mapping to the TSS (doable) and >> a shadow stack switch of active stacks (This corner case is so broken it >> looks to be a blocker for CET-SS support in Linux, and is resulting in >> some conversation about tweaking Shstk's in future processors). >> >> All per-cpu variables stop working. You'd need to rewrite Xen to use >> %gs for TLS which will have churn in the PV logic, and introduce the x86 >> architectural corner cases of running with an invalid %gs. Xen has been >> saved from a large number of privilege escalation vulnerabilities in >> common with Linux and Windows by the fact that we don't use %gs, so >> anyone trying to do this is going to have to come up with some concrete >> way of proving that the corner cases are covered. > > Thank you. This is exactly what I needed. I am not a big specialist in > x86, but from what I said, I can see that there is no easy way to switch > contexts while in hypervisor mode. > > Then I want to return to a task domain idea, which you mentioned in the > other thread. If I got it right, it would allow to > > 1. Implement asynchronous hypercalls for cases when there is no reason > to hold calling vCPU in hypervisor for the whole call duration > Okay, I was too overexcited there. I mean - surely it is possible to implement async hypercalls, but there is no immediate profit in this: such hypercall can't be preempted anyways. On a SMP system you can offload hypercall to another core, but that's basically all. > I skimmed through ML archives, but didn't found any discussion about it. Maybe you can give some hint how to find it? > As I see it, its implementation would be close to idle domain > implementation, but a little different. -- Volodymyr Babchuk at EPAM
