Hi Stefano,
On 2/26/19 11:07 PM, Stefano Stabellini wrote:
struct xen_domctl_memory_mapping {
uint64_aligned_t first_gfn; /* first page (hvm guest phys page) in range
*/
uint64_aligned_t first_mfn; /* first page (machine page) in range */
uint64_aligned_t nr_mfns; /* number of pages in range (>0) */
uint32_t add_mapping; /* add or remove mapping */
- uint32_t padding; /* padding for 64-bit aligned structure */
+ uint32_t cache_policy; /* cacheability of the memory mapping */
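Review bot: the new cache_policy line reuses the slot that was padding, and its comment does not say which values are valid or what 0 means. Callers built against the old layout may have left padding uninitialized, so the hypervisor could read an arbitrary policy from them. Document the accepted values next to the field, reject unknown values with an error, and bump the domctl interface version so that old callers fail cleanly.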
Looking at this and the way you use it, the naming "cache" is quite
confusing. On Arm, they are memory types (see B2.7 "Memory types and
attributes" in DDI 0487D.a) and then you may have attributes such as the
cacheability attribute (write-through, write-back...) on top. The
cacheability is also not applicable for "device memory".
"device memory" has other attributes related to gathering, re-ordering...
So a better naming would probably be "memory_policy".
Furthermore, those policies are only for configuring stage-2. The
resulting memory type and attributes will be whatever is the strongest
between stage-2 and stage-1 attributes. You can see the stage-2
attributes as a way to give more or less freedom to the guest to
configure the attributes.
For instance, by using p2m_mmio_direct_dev, the resulting attributes
will always be Device-nGnRnE however stage-1 has been configured.
In the case of p2m_mmio_direct_c (similar to p2m_ram_rw), the guest will
be free to choose pretty much any attributes (even Device-nGnRnE).
You might wonder why we didn't give more freedom to the guest from the
start. One of the reasons is that it is quite unclear what the consequences
are if you give that freedom to the guest, and whether there might be issues
with the device when the attributes are not correct.
Furthermore, there is more handling required in the hypervisor as, if
the memory can be cached, you will need to clear the cache in order to
prevent leakage to another domain if the mappings get reassigned.
For completeness, I should mention the feature S2FWB present in ARMv8.4
and onwards. From my understanding, this could be used to force the
resulting memory type. I am not suggesting to implement it now, but we
should keep it in mind while writing the interface exposed in libxl.
To summarize, if we go ahead, we should try to make the documentation
clearer on what each policy means and the implications on the
guest. I think we should also mark this as not security supported because
of the unknown interactions with devices.
Cheers,
--
Julien Grall
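
Added example, not part of the message above and not Xen code: a simplified C model of the "strongest of stage-1 and stage-2 wins" rule the message describes, listing which resulting memory types a guest can reach under a given stage-2 policy. Assumptions: S2FWB is not in use, Normal memory is modelled with a single cacheability value rather than separate inner/outer attributes, and p2m_mmio_direct_c is taken to map to Normal Write-Back at stage-2.

```c
#include <stdio.h>

/* Memory types ordered weakest -> strongest (simplified model). */
enum mem_type {
    NORMAL_WB, NORMAL_WT, NORMAL_NC,
    DEVICE_GRE, DEVICE_nGRE, DEVICE_nGnRE, DEVICE_nGnRnE,
    MEM_TYPE_COUNT
};

static const char *const mem_type_name[MEM_TYPE_COUNT] = {
    "Normal-WB", "Normal-WT", "Normal-NC",
    "Device-GRE", "Device-nGRE", "Device-nGnRE", "Device-nGnRnE"
};

/* Without S2FWB, the result is the stronger of the two stages. */
enum mem_type combine(enum mem_type s1, enum mem_type s2)
{
    return s1 > s2 ? s1 : s2;
}

/* Bitmask of resulting types the guest can reach by varying stage-1. */
unsigned int guest_reachable(enum mem_type s2)
{
    unsigned int mask = 0;
    for (int s1 = 0; s1 < MEM_TYPE_COUNT; s1++)
        mask |= 1u << combine((enum mem_type)s1, s2);
    return mask;
}

static void report(const char *policy, enum mem_type s2)
{
    unsigned int mask = guest_reachable(s2);
    printf("%-20s stage-2 %-14s ->", policy, mem_type_name[s2]);
    for (int t = 0; t < MEM_TYPE_COUNT; t++)
        if (mask & (1u << t))
            printf(" %s", mem_type_name[t]);
    printf("\n");
}

int main(void)
{
    report("p2m_mmio_direct_dev", DEVICE_nGnRnE);
    report("p2m_mmio_direct_c", NORMAL_WB);   /* assumed stage-2 type */
    return 0;
}
```

The wider the reachable set for a policy, the more the hypervisor depends on the guest choosing attributes the device tolerates, and any cacheable entry in the set implies cache cleaning before the pages are reassigned.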