On Fri, Sep 16, 2016 at 06:15:10AM -0600, Jan Beulich wrote:
> >>> On 14.09.16 at 10:23, <daniel.ki...@oracle.com> wrote:
> > Starting from the beginning it looks that there are "soft" limits enforced
> > in BIOS early boot code looking for usable low memory region. Hight limit
> > is set at 640 KiB and low at 256 KiB. This means that if a value from a
> > given
> > source which describes low memory region (i.e. EBDA base segment, base
> > memory
> > size, multiboot protocol) is out of bounds then we try to get new value from
> > next one (I mean source). However, at the end there are no checks that
> > assure
> > us that we got what we expected. So, I think that at first we should add
> > "hard"
> > checks here. This means that if we get value out of earlier mentioned bounds
> > then we should print relevant message on serial console and halt the system.
> I disagree. I think that the best effort approach (what you name "soft"
> checks) are quite okay in the legacy BIOS case: Even if the BIOS has
> screwed things up, we can still _try_ to come up nevertheless.
> This is quite different for (imo) much more sophisticated EFI
> environments: We know they are screwed too, but we can't as
> easily ignore them using certain pieces of memory.
> > Additionally, my investigation has shown that there are no bound checks in
> > low memory allocation machinery for trampoline (by the way, in BIOS path we
> > allocate 64 KiB for trampoline but in EFI code we properly calculate its
> > size;
> > so, I think we should do the same calculation in BIOS path), stack and boot
> > data
> > taken from multiboot protocol. Hence, relevant fixes should be added here
> > too.
> Would be nice, yes, but we need to weigh the need to presumably do
> at least some of this in assembly code (for now at least) against the
> potential gain.
> > Moreover I think that at least allocation machinery with additional checks
> > described in last paragraph can be used on EFI platforms when Xen is booted
> > via multiboot2 protocol. However, then high limit should be defined as 1
> > MiB.
> > Though I think that low limit, 256 KiB, should stay as is.
> Why 1Mb? The 640k limit derives from hardware aspects, but doesn't
> depend on the software environment.
I do not expect that anything which is not memory will reside between 640 KiB
and 1 MiB on EFI platforms. So, if firmware says that it is usable why we cannot
use it? And I have a feeling that this idea lead to currently existing checks
around trampoline allocation code for EFI. Though, as I saw EFI platforms
usually does not expose region 640 KiB and 1 MiB as usable. However, this
does not mean that they cannot in the future.
> > So, I think that we should prepare following patches:
> > - allocate properly calculated amount of memory for trampoline,
> > - define high/low limit as a constants and use them,
> > - add bounds checks for chosen low memory region, and bounds
> > checks in allocation machinery for trampoline and stack,
> > - add bounds checks to allocator in reloc.c.
> > I have a feeling that this fixes are not very critical, however, nice to
> > have.
> Indeed. I'd just like to avoid that new code (read: your mb2 series)
> gets introduced with similar issues. Just like the original EFI code at
> least tries to properly allocate the trampoline space.
OK, I have a feeling that you wish to postpone most of proposed changes for
I can understand that. However, if we wish check that there is sufficient amount
of memory available for trampoline we should decide which value to use. Should
we use 64 KiB from BIOS Xen assembly code or trampoline real size like in Xen
EFI code? Trampoline real size is much more sensible for me but this requires
some changes in assembly code allocating trampoline. We can allocate trampoline
real size on both EFI and BIOS platforms. Or leave BIOS case as is and use
trampoline real size just only on EFI platforms.
Xen-devel mailing list