On 21/11/2018 17:19, Tamas K Lengyel wrote:
> On Wed, Nov 21, 2018 at 6:21 AM Andrew Cooper <andrew.coop...@citrix.com>
> wrote:
>> This covers various fixes related to XSA-277 which weren't in security
>> supported areas, and associated cleanup.
>>
>> The biggest issue noticed here is that altp2m's use of hardware #VE support
>> will cause general memory corruption if the guest ever balloons out the
>> VEINFO
>> page. The only safe way I think of doing this is for Xen to alloc annonymous
>> domheap pages for the VEINFO, and for the guest to map them in a similar way
>> to the shared info and grant table frames.
> Since ballooning presents all sorts of problems when used with altp2m
> I would suggest just making the two explicitly incompatible during
> domain creation. Beside the info page being possibly ballooned out the
> other problem is when ballooning causes altp2m views to be reset
> completely, removing mem_access permissions and remapped entries.
If only it were that simple.
For reasons of history and/or poor terminology, "ballooning" means two
things.
1) The act of the Toolstack interacting with the balloon driver inside a
VM, to change the current amount of RAM used by the guest.
2) XENMEM_{increase,decrease}_reservation which are the underlying
hypercalls used by guest kernels.
For the toolstack interaction side of things, this is a mess. There is
a single xenstore key, and a blind assumption that all guests know what
changes to memory/target mean. There is no negotiation of whether a
balloon driver is running in the guest, and if one is running, there is
no ability for the balloon driver to nack a request it can't fulfil.
The sole feedback mechanism which exists is the toolstack looking to see
whether the domain has changed the amount of RAM it is using.
PV guests are fairly "special" by any reasonable judgement. They are
fully aware of their memory layout , an of changes to it across
migrate. "Ballooning" was implemented at a time when most computers had
MB of RAM rather than GB, and the knowledge a PV guest had was "I've got
a random set of MFNs which aren't currently used by anything important,
and can be handed back to Xen on request. Xen guests also have shared
memory constructs such as the shared_info page, and grant tables. A PV
guest gets access to these by programming the frame straight into to the
pagetables, and Xen's permission model DTRT.
Then HVM guests came along. For reasons of trying to get things
working, they inherited a lot of same interfaces as PV guests, despite
the fundamental differences in the way they work. One of the biggest
differences was the fact that HVM guests have their gfn=>mfn space
managed by Xen rather than themselves, and in particular, you can no
longer map shared memory structures in the PV way.
For a shared memory structure to be usable, a mapping has to be put into
the guests P2M, so the guest can create a regular pagetable entry
pointing at it. For reasons which are beyond me, Xen doesn't have any
knowledge of the guests physical layout, and guests arbitrary mutative
capabilities on their GFN space, but with a hypercall set that has
properties such as a return value of "how many items of this batch
succeeded", and replacement properties rather than error properties when
trying to modify a GFN which already has something in it.
Whatever the reasons, it is commonplace for guests to
decrease_reservation out some RAM to create holes for the shared memory
mappings, because it is the only safe way to avoid irreparably
clobbering something else (especially if you're HVMLoader and in charge
of trying to construct the E820/ACPI tables).
tl;dr If you actually prohibit XENMEM_decrease_reservation, HVM guests
don't boot, and that's long before a balloon driver gets up and running.
Now, all of that said, there are a number of very good reasons why a
host administrator might want to prohibit the guest from having
arbitrary mutative capabilities, chief among them being to prevent the
guest from shattering host superpagpes, but also due to
incompatibilities with some of our more interesting features.
The only way I see of fixing this to teach Xen about the guests gfn
layout (as chosen by the domainbuilder), and include within that "space
which definitely doesn't have anything in, and is safe to put shared
mappings into". Beyond that, we'll need some administrator level
knowledge of which guests are safe to have XENMEM_decrease_reservation
prohibited, or some interlocks inside Xen to disable unsafe features as
soon as we spot a guest which isn't playing by the new rules.
This probably needs some more more thought, but fundamentally, we have
to undo more than a decades worth of "doing it wrong" which has
percolated through the Xen ecosystem.
I'm half tempted to put together a big hammer bit in the domain creation
path which turns off everything like this (and other areas where we know
Xen is lacking, such as default readability/write-ignore of all MSRs),
after which we'll have a rather a more concrete baseline to discuss what
the guests are actually doing, and how to get them back into a working
state while maintaining architectural.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
