Reworked the internals and declaration, applying (un)boxing
where needed. Converted calls to map_domain_page() to
provide mfn_t types, boxing where needed.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
---
xen/arch/arm/domain_build.c | 2 +-
xen/arch/arm/kernel.c
From: Andrew Cooper andrew.coop...@citrix.com
Signed-off-by: Andrew Cooper andrew.coop...@citrix.com
[Convert grant_table.c to pass mfn_t types and fix ARM compiling]
Signed-off-by: Ben Catterall ben.catter...@citrix.com
---
xen/arch/x86/mm.c | 7 ---
xen/common/grant_table.c
From: Andrew Cooper andrew.coop...@citrix.com
The sh_map/unmap wrappers can be dropped, and take the opportunity to turn
some #define's into static inlines, for added type saftey.
As part of adding the type safety, GCC highlights an problematic include cycle
with arm/mm.h including domain_page.h
Converting map_domain_page() to use the mfn_t type and (un)boxing
where needed. This follows on from Andrew Cooper's similar work on
copy/clear_domain_page().
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
From: Andrew Cooper andrew.coop...@citrix.com
The sh_map/unmap wrappers can be dropped, and take the opportunity to turn
some #define's into static inlines, for added type saftey.
As part of adding the type safety, GCC highlights an problematic include cycle
with arm/mm.h including domain_page.h
Removed as they were wrappers around map_domain_page() to
make it appear to take an mfn_t type.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
---
xen/arch/x86/mm/hap/hap.c| 4 +-
xen/arch/x86/mm/shadow/common.c | 22 +++---
xen/arch/x86/mm/shadow/multi.c | 152
Reworked the internals and declaration, applying (un)boxing
where needed. Converted calls to map_domain_page() to
provide mfn_t types, boxing where needed.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
Reviewed-by: Andrew Cooper andrew.coop...@citrix.com
---
Changed since v1
On 18/08/15 11:25, Ben Catterall wrote:
On 17/08/15 16:17, Jan Beulich wrote:
On 17.08.15 at 17:07, t...@xen.org wrote:
At 14:53 +0100 on 17 Aug (1439823232), Ben Catterall wrote:
So, have we arrived at a decision for this? Thanks!
Seems to have stalled a bit. OK, I propose
On 17/08/15 16:17, Jan Beulich wrote:
On 17.08.15 at 17:07, t...@xen.org wrote:
At 14:53 +0100 on 17 Aug (1439823232), Ben Catterall wrote:
So, have we arrived at a decision for this? Thanks!
Seems to have stalled a bit. OK, I propose that:
- we use TR/IST to make Xen take interrupts
On 12/08/15 14:33, Andrew Cooper wrote:
On 12/08/15 14:29, Andrew Cooper wrote:
On 11/08/15 19:29, Boris Ostrovsky wrote:
On 08/11/2015 01:19 PM, Andrew Cooper wrote:
On 11/08/15 18:05, Tim Deegan wrote:
* Under this model, PV exception handlers should copy themselves
onto
the privileged
On 11/08/15 11:33, Ben Catterall wrote:
On 10/08/15 11:07, Tim Deegan wrote:
Hi,
@@ -685,8 +685,17 @@ static int hap_page_fault(struct vcpu *v,
unsigned long va,
{
struct domain *d = v-domain;
+/* If we get a page fault whilst in HVM security user mode */
+if( v-user_mode
Hi all,
I've hit a blocker on getting this working for AMD's SVM and would
appreciate any thoughts. Hopefully I've missed a much simpler way of
doing this or I've missed something!
So, AMD and Intel differ in how they handle the TR on a VMEXIT and
VMRUM. On a VMEXIT, Intel Save the guest's
On 19/08/15 16:43, Tim Deegan wrote:
At 16:04 +0100 on 19 Aug (144260), Ben Catterall wrote:
I've hit a blocker on getting this working for AMD's SVM and would
appreciate any thoughts. Hopefully I've missed a much simpler way of
doing this or I've missed something!
So, AMD and Intel
On 18/08/15 17:55, Andrew Cooper wrote:
On 17/08/15 08:07, Tim Deegan wrote:
At 14:53 +0100 on 17 Aug (1439823232), Ben Catterall wrote:
On 12/08/15 14:33, Andrew Cooper wrote:
On 12/08/15 14:29, Andrew Cooper wrote:
On 11/08/15 19:29, Boris Ostrovsky wrote:
Would switching TR only when
On 20/08/15 10:34, Tim Deegan wrote:
At 17:36 +0100 on 19 Aug (1440005801), Ben Catterall wrote:
On 19/08/15 16:43, Tim Deegan wrote:
At 16:04 +0100 on 19 Aug (144260), Ben Catterall wrote:
I've hit a blocker on getting this working for AMD's SVM and would
appreciate any thoughts
On 10/08/15 11:14, Andrew Cooper wrote:
On 10/08/15 10:49, Tim Deegan wrote:
Hi,
At 17:45 +0100 on 06 Aug (1438883118), Ben Catterall wrote:
The process to switch into and out of deprivileged mode can be likened to
setjmp/longjmp.
To enter deprivileged mode, we take a copy of the stack
On 06/08/15 20:52, Andrew Cooper wrote:
On 06/08/15 17:45, Ben Catterall wrote:
The paging structure mappings for the deprivileged mode are added
to the monitor page table for HVM guests. The entries are generated by
walking the page tables and mapping in new pages. If a higher-level page
On 07/08/15 14:19, Andrew Cooper wrote:
On 07/08/15 13:32, Ben Catterall wrote:
On 06/08/15 22:24, Andrew Cooper wrote:
On 06/08/2015 17:45, Ben Catterall wrote:
Added trap handlers to catch exceptions such as a page fault, general
protection fault, etc. These handlers will crash
On 10/08/15 11:07, Tim Deegan wrote:
Hi,
@@ -685,8 +685,17 @@ static int hap_page_fault(struct vcpu *v, unsigned long va,
{
struct domain *d = v-domain;
+/* If we get a page fault whilst in HVM security user mode */
+if( v-user_mode == 1 )
+{
+printk(HVM: #PF
On 10/08/15 10:49, Tim Deegan wrote:
Hi,
At 17:45 +0100 on 06 Aug (1438883118), Ben Catterall wrote:
The process to switch into and out of deprivileged mode can be likened to
setjmp/longjmp.
To enter deprivileged mode, we take a copy of the stack from the guest's
registers up to the current
On 04/08/15 14:46, George Dunlap wrote:
On Mon, Aug 3, 2015 at 3:34 PM, Ian Campbell ian.campb...@citrix.com wrote:
On Mon, 2015-08-03 at 14:54 +0100, Andrew Cooper wrote:
On 03/08/15 14:35, Ben Catterall wrote:
Hi all,
I am working on an x86 proof-of-concept to evaluate if it is feasible
On 11/08/15 10:55, Tim Deegan wrote:
At 11:14 +0100 on 10 Aug (1439205273), Andrew Cooper wrote:
On 10/08/15 10:49, Tim Deegan wrote:
Hi,
At 17:45 +0100 on 06 Aug (1438883118), Ben Catterall wrote:
The process to switch into and out of deprivileged mode can be likened to
setjmp/longjmp
On 06/08/15 20:22, Andrew Cooper wrote:
On 06/08/15 17:45, Ben Catterall wrote:
This allocation function is used by the deprivileged mode initialisation code
to allocate pages for the new page table mappings and page frames on the HAP
page heap.
Signed-off-by: Ben Catterall ben.catter
could count
the number of quanta which have passed since we failed to migrate, then
migrate when it becomes too high.
- Add support for SVM and test on AMD processors.
- We need to get the host MSRs for AMD SVM mode.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
on the syscall handler in entry.S has also been added which handles
returning from user mode and will support deprivileged mode system calls when
these are needed.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
---
xen/arch/x86/domain.c | 12 +++
xen/arch/x86/hvm/Makefile
accessible, with NX bits set for the data and stack regions and the
code region is set to be executable and read-only.
The needed pages are allocated on the HAP page heap and are deallocated when
those heap pages are deallocated (on domain destruction).
Signed-off-by: Ben Catterall ben.catter
This allocation function is used by the deprivileged mode initialisation code
to allocate pages for the new page table mappings and page frames on the HAP
page heap.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
---
xen/arch/x86/mm/hap/hap.c| 23 +++
xen/include
Added trap handlers to catch exceptions such as a page fault, general
protection fault, etc. These handlers will crash the domain as such exceptions
would indicate that either there is a bug in deprivileged mode or it has been
compromised by an attacker.
Signed-off-by: Ben Catterall ben.catter
On 06/08/15 22:24, Andrew Cooper wrote:
On 06/08/2015 17:45, Ben Catterall wrote:
Added trap handlers to catch exceptions such as a page fault, general
protection fault, etc. These handlers will crash the domain as such exceptions
would indicate that either there is a bug in deprivileged mode
On 06/08/15 21:55, Andrew Cooper wrote:
On 06/08/15 17:45, Ben Catterall wrote:
The process to switch into and out of deprivileged mode can be likened to
setjmp/longjmp.
To enter deprivileged mode, we take a copy of the stack from the guest's
registers up to the current stack pointer
On 12/08/15 10:50, Jan Beulich wrote:
On 06.08.15 at 18:45, ben.catter...@citrix.com wrote:
Performance testing
---
Performance testing indicates that the overhead for this deprivileged mode is
approximately 25%. This overhead is the cost of moving into deprivileged mode
and
On 11/08/15 18:05, Tim Deegan wrote:
Hi,
At 17:51 +0100 on 11 Aug (1439315508), Ben Catterall wrote:
On 11/08/15 10:55, Tim Deegan wrote:
At 11:14 +0100 on 10 Aug (1439205273), Andrew Cooper wrote:
On 10/08/15 10:49, Tim Deegan wrote:
Hi,
At 17:45 +0100 on 06 Aug (1438883118), Ben
On 17/07/15 15:20, Jan Beulich wrote:
On 17.07.15 at 12:09, ben.catter...@citrix.com wrote:
Moving between privilege levels
The general process is to determine if we need to run a device model (or
similar) and then, if so, switch into deprivileged mode. The
Hi all,
I'm working on an x86 proof-of-concept series to evaluate if it is
feasible to move device models currently running in the hypervisor and
x86 emulation code for HVM guests into a deprivileged context.
I've put together the following document as I have been considering
several
On 20/07/15 14:58, Jan Beulich wrote:
On 20.07.15 at 15:43, andrew.coop...@citrix.com wrote:
On 17/07/15 16:38, Jan Beulich wrote:
On 17.07.15 at 17:19, ben.catter...@citrix.com wrote:
On 17/07/15 15:20, Jan Beulich wrote:
If not, then method 2 would seem quite a bit less troublesome than
Reworked the internals and declaration, applying (un)boxing
where needed. Converted calls to map_domain_page() to
provide mfn_t types, boxing where needed.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
Reviewed-by: Andrew Cooper andrew.coop...@citrix.com
---
Changed since v1
From: Andrew Cooper andrew.coop...@citrix.com
The sh_map/unmap wrappers can be dropped, and take the opportunity to turn
some #define's into static inlines, for added type saftey.
As part of adding the type safety, GCC highlights an problematic include cycle
with arm/mm.h including domain_page.h
Removed as they were wrappers around map_domain_page() to
make it appear to take an mfn_t type.
Signed-off-by: Ben Catterall ben.catter...@citrix.com
Reviewed-by: Andrew Cooper andrew.coop...@citrix.com
Reviewed-by: Tim Deegan t...@xen.org
---
xen/arch/x86/mm/hap/hap.c| 4 +-
xen/arch
From: Andrew Cooper andrew.coop...@citrix.com
Signed-off-by: Andrew Cooper andrew.coop...@citrix.com
[Convert grant_table.c to pass mfn_t types and fix ARM compiling]
Signed-off-by: Ben Catterall ben.catter...@citrix.com
Reviewed-by: Andrew Cooper andrew.coop...@citrix.com
Acked-by: Jan Beulich
On 07/07/15 11:10, Jan Beulich wrote:
On 02.07.15 at 14:04, ben.catter...@citrix.com wrote:
Reworked the internals and declaration, applying (un)boxing
where needed. Converted calls to map_domain_page() to
provide mfn_t types, boxing where needed.
Signed-off-by: Ben Catterall ben.catter
in future.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
---
xen/arch/x86/hvm/deprivileged.c| 17 +
xen/arch/x86/nmi.c | 17 +
xen/include/xen/hvm/deprivileged.h | 1 +
3 files changed, 31 insertions(+), 4 deletions(-)
diff --git
are mapped in as user mode accessible, with NX bits set
for the data and stack regions and the code region is set to be executable and
read-only.
The needed pages are allocated on the paging heap and are deallocated when
those heap pages are deallocated (on domain destruction).
Signed-off-by: Ben
will be
transparent to callers. This should allow the feature to be more easily
deployed to different parts of Xen.
The switch to and from deprivileged mode is performed using sysret and syscall
respectively.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
Changed since v1
*
deprvileged mode.
So approximately 178% overhead.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
in deprivileged mode, we need to restore
the host's context so that we do not have guest-defined registers and values
in use after this point due to lazy loading of these values in the SVM and VMX
implementations.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
Changed si
On 03/09/15 17:15, David Vrabel wrote:
On 03/09/15 17:01, Ben Catterall wrote:
Intel Intel 2.2GHz Xeon E5-2407 0 processor:
1.55e-06 seconds was the average time for performing the write without the
deprivileged code running.
5.75e-06
-by: Ben Catterall <ben.catter...@citrix.com>
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.o
in deprivileged mode, we need to restore
the host's context so that we do not have guest-defined registers and values
in use after this point due to lazy loading of these values in the SVM and VMX
implementations.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
Changed si
in future.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
Changed since v2:
* Coding style: Added space after if
---
xen/arch/x86/hvm/deprivileged.c | 4
xen/arch/x86/nmi.c | 17 +
2 files changed, 21 insertions(+)
diff --git a/xen/arch/x
table to do this, so that, when
aliasing, we just need to switch the mfn on the L1 page table, rather than
allocating and mapping in a whole new paging hierarchy. Then, we only
need to invalidate those L1 page table TLB entries when we exit the mode.
Signed-off-by: Ben Catterall <ben.cat
are mapped in as user mode accessible, with NX bits set
for the data and stack regions and the code region is set to be executable and
read-only.
The needed pages are allocated on the paging heap and are deallocated when
those heap pages are deallocated (on domain destruction).
Signed-off-by: Ben
will be
transparent to callers. This should allow the feature to be more easily
deployed to different parts of Xen.
The switch to and from deprivileged mode is performed using sysret and syscall
respectively.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
Changed since v1
*
when it is mapped in.
Signed-off-by: Ben Catterall <ben.catter...@citrix.com>
---
xen/arch/x86/hvm/deprivileged.c | 49 +++
xen/arch/x86/hvm/deprivileged_syscall.c | 4 +-
xen/arch/x86/hvm/vpic.c | 151
xen/arch/x
Hi all,
I have now finished my internship at Citrix and am posting this final version of
my RFC series. I would like to express my thanks to all of those who have taken
the time to review, comment and discuss this series, as well as to my colleagues
who have provided excellent guidance and help.
Hi all,
Here are two Python scripts which I have used to collect performance
benchmarks for this series. I am putting them here in case they are useful.
Ben
On 11/09/15 17:08, Ben Catterall wrote:
Hi all,
I have now finished my internship at Citrix and am posting this final version of
my
55 matches
Mail list logo
