Received: by 10.223.185.116 with SMTP id b49csp6576749wrg; Wed, 28 Feb 2018 11:46:34 -0800 (PST) X-Google-Smtp-Source: AH8x2241A3tHPC8cTHKH5Cvw5eUmgA19DZlsD7YIcucFxTti9jS6F2vAr6tmDJNNUIECJWoOcJZl X-Received: by 10.99.127.29 with SMTP id a29mr14941274pgd.451.1519847193927; Wed, 28 Feb 2018 11:46:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519847193; cv=none; d=google.com; s=arc-20160816; b=ZjXOpjgyW2OyCoC8tk+huE0ougqGyjk+zfJ2bJxcd6TU5FTX7SedHQio53MLfL2lMN FpiFJwmJGUFXYvQ+RSxzXS35ibiR/zc8/Dwz4xuiD3OKklzWQXfPmf0SCz3D9Kq/LK9H bi7NAUhO8P7ay2v4IvS+3Orc7V1ikc/Gp0Tt6yOA9bvUnRG34fwrWDsMFd7qPQRPd2vC 5+PFaOVd1FNs9Wk0oV6ZZK+LCSXUtDHA8BcNxcTS2nPoNtlDJGeLYatpes2yYoCUtgbT h3cK0fk3s788HHqp4Mu6VMZF6sXhzUnJ/wWoqNAyndybQJ5BZ7Bl6TEovjjt+xLN1mNt kdRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:dkim-signature :arc-authentication-results; bh=gITCLduJ9yeTydRpY5EMGgxk/c+Udfzyoj7cdiSl6O0=; b=g8EmCWT+O4nm0F73klrmwAvDGzLIsTkSeRWLm9giKt3yVP6tp4cboMWQ1mVgkY1h+v 3VDG8VgrceGl+Nmp3SMT2fFgRrcaORLIMoKsuHtu4lUjV0h25bF0C2+wQTqmo57xLsP+ D9XgCJ2qW3c7fFHSFVZsItzfq5Eei22h1MWbaa8MLnbhRcTNVLFeFjqjBtstiCS4Olyr npM/0pYOwynZPHd2/W1aHXu+6yRfkRRk0b9uof7wn8iBetI6zGAj9X9dFgClrC+Tb1AW Jhu9nHLcEaMo/fZIhNFtv+IQhAUHJ0CSpE4KeDSKj79xmTFYBQGhke6jg8Vtd+LDVhWm Ii8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=eZ9CWXOQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n8-v6si1786716pll.695.2018.02.28.11.46.19; Wed, 28 Feb 2018 11:46:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=eZ9CWXOQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934052AbeB1TpO (ORCPT + 99 others); Wed, 28 Feb 2018 14:45:14 -0500 Received: from userp2120.oracle.com ([156.151.31.85]:38920 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932351AbeB1TpM (ORCPT ); Wed, 28 Feb 2018 14:45:12 -0500 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w1SJgFce138383; Wed, 28 Feb 2018 19:45:00 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2017-10-26; bh=gITCLduJ9yeTydRpY5EMGgxk/c+Udfzyoj7cdiSl6O0=; b=eZ9CWXOQSi+elrCAZfVcYTXjZlFsFICC0VSIleBfNZzGwLLxYIbR//7Ud2AT75xaEOlg KregZUsnv+t7WaD4SiQZ82NmU3dqcCxCSJCb7xfL6xUnfh+8cCvf3EKzQKLiJIkqPzjY ilg1NDLRpk+bRmY4E3QF98mntnP/9beXLkuSikAPkqubBXnclNk86fZy5Rpz5e1hx0R8 PauC3hDWZUoItWzMx+NYY4scy7elmnchZrnfbBz8H3uNm3P1a0vcblRAW2bMmY04ZJLT nvsRKjfhIKxgyPgxcgsXuvfCxTGFHoQnJEBVhhrGcurhCvzjAGRDQ3E/RPfCvWMvwMQ6 jA== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2ge1w4gbd4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Feb 2018 19:45:00 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w1SJiwAZ032552 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 28 Feb 2018 19:44:59 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w1SJiwNF012519; Wed, 28 Feb 2018 19:44:58 GMT Received: from dhcp-burlington7-2nd-B-east-10-152-55-162.usdhcp.oraclecorp.com (/10.152.32.65) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Feb 2018 11:44:58 -0800 Subject: Re: [PATCH 8/9] drm/xen-front: Implement GEM operations To: Oleksandr Andrushchenko , Oleksandr Andrushchenko , xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org, gustavo@padovan.org, jgross@suse.com, konrad.wilk@oracle.com References: <1519200222-20623-1-git-send-email-andr2000@gmail.com> <1519200222-20623-9-git-send-email-andr2000@gmail.com> <2f2c6fea-c0cb-e244-41f3-269db07986fc@oracle.com> <56c4a78b-356a-fb35-a97e-187581ae45ad@epam.com> <71ab9d03-dc07-f7f2-c9f8-463cc926e573@oracle.com> From: Boris Ostrovsky Message-ID: <81d77b4c-db75-8830-06c9-6774c15a4c25@oracle.com> Date: Wed, 28 Feb 2018 14:46:22 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8818 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802280240 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/27/2018 01:52 AM, Oleksandr Andrushchenko wrote: > On 02/27/2018 01:47 AM, Boris Ostrovsky wrote: >> On 02/23/2018 10:35 AM, Oleksandr Andrushchenko wrote: >>> On 02/23/2018 05:26 PM, Boris Ostrovsky wrote: >>>> On 02/21/2018 03:03 AM, Oleksandr Andrushchenko wrote: >> >>>>> +        ret = gem_alloc_pages_array(xen_obj, size); >>>>> +        if (ret < 0) { >>>>> +            gem_free_pages_array(xen_obj); >>>>> +            goto fail; >>>>> +        } >>>>> + >>>>> +        ret = alloc_xenballooned_pages(xen_obj->num_pages, >>>>> +                xen_obj->pages); >>>> Why are you allocating balloon pages? >>> in this use-case we map pages provided by the backend >>> (yes, I know this can be a problem from both security >>> POV and that DomU can die holding pages of Dom0 forever: >>> but still it is a configuration option, so user decides >>> if her use-case needs this and takes responsibility for >>> such a decision). >> >> Perhaps I am missing something here but when you say "I know this can be >> a problem from both security POV ..." then there is something wrong with >> your solution. > well, in this scenario there are actually 2 concerns: > 1. If DomU dies the pages/grants from Dom0/DomD cannot be > reclaimed back > 2. Misbehaving guest may send too many requests to the > backend exhausting grant references and memory of Dom0/DomD > (this is the only concern from security POV). Please see [1] > > But, we are focusing on embedded use-cases, > so those systems we use are not that "dynamic" with respect to 2). > Namely: we have fixed number of domains and their functionality > is well known, so we can do rather precise assumption on resource > usage. This is why I try to warn on such a use-case and rely on > the end user who understands the caveats How will dom0/backend know whether or not to trust the front end (and thus whether or not to provide provide pages to it)? Will there be something in xenstore, for example, to indicate such trusted frontends? -boris > > I'll probably add more precise description of this use-case > clarifying what is that security POV, so there is no confusion > > Hope this explanation answers your questions >> -boris >> >>> Please see description of the buffering modes in xen_drm_front.h >>> specifically for backend allocated buffers: >>>   >>> ******************************************************************************* >>> >>>   * 2. Buffers allocated by the backend >>>   >>> ******************************************************************************* >>> >>>   * >>>   * This mode of operation is run-time configured via guest domain >>> configuration >>>   * through XenStore entries. >>>   * >>>   * For systems which do not provide IOMMU support, but having specific >>>   * requirements for display buffers it is possible to allocate such >>> buffers >>>   * at backend side and share those with the frontend. >>>   * For example, if host domain is 1:1 mapped and has DRM/GPU hardware >>> expecting >>>   * physically contiguous memory, this allows implementing zero-copying >>>   * use-cases. >>> >>>> -boris >>>> >>>>> +        if (ret < 0) { >>>>> +            DRM_ERROR("Cannot allocate %zu ballooned pages: %d\n", >>>>> +                    xen_obj->num_pages, ret); >>>>> +            goto fail; >>>>> +        } >>>>> + >>>>> +        return xen_obj; >>>>> +    } >>>>> +    /* >>>>> +     * need to allocate backing pages now, so we can share those >>>>> +     * with the backend >>>>> +     */ >>>>> +    xen_obj->num_pages = DIV_ROUND_UP(size, PAGE_SIZE); >>>>> +    xen_obj->pages = drm_gem_get_pages(&xen_obj->base); >>>>> +    if (IS_ERR_OR_NULL(xen_obj->pages)) { >>>>> +        ret = PTR_ERR(xen_obj->pages); >>>>> +        xen_obj->pages = NULL; >>>>> +        goto fail; >>>>> +    } >>>>> + >>>>> +    return xen_obj; >>>>> + >>>>> +fail: >>>>> +    DRM_ERROR("Failed to allocate buffer with size %zu\n", size); >>>>> +    return ERR_PTR(ret); >>>>> +} >>>>> + >>>>> > Thank you, > Oleksandr > > [1] > https://lists.xenproject.org/archives/html/xen-devel/2017-07/msg03100.html >