Received: by 10.223.185.116 with SMTP id b49csp6583945wrg; Wed, 28 Feb 2018 11:53:57 -0800 (PST) X-Google-Smtp-Source: AH8x227rP3vyBKo7phfyguZTFSz+uy58VoTYWhHYWIYKwa4ypXR9m8IiIbI0jK8crSQ7PBodS0fM X-Received: by 10.99.54.196 with SMTP id d187mr15222299pga.154.1519847637441; Wed, 28 Feb 2018 11:53:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519847637; cv=none; d=google.com; s=arc-20160816; b=QvZQTCGX4ukzKtfGz2rs6P0rnWA61Z86EWxrQRkuBYpylzCS1M6ccKyyjrhw9DLLed +S4rt9cKuFTgKQehn9G2E2rM1pUIipkzTKD3B48FAXCLjy5mW9VCQbjNz6UfmKr6a0Lc vZbSE+1QwRn895lQ2Y6zmOB30NBjV30RUCsRgzdAep1kUNGyWg7+IKdK1uJmMEPwIhfS BQlb48UjVQWiQ++oBKVaqp6pbR889BaVcyLV7z0l08b8+SJXycmCPz6CHYqXa8rn8vBf qWh4mBcQKlTQ2pjpLaSPzR2++avHQy6BkRsyiHW9AttYwc0m0Ix55XOGNMXoUo01kkWw GlBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:to:subject:dkim-signature :arc-authentication-results; bh=na+KBM5hDZ6/jSnUaQlgE72snpa4muOXVgTi3Js2t8c=; b=ZOGcSBOSbEzTYctIup0FVu9k7h4sf6p3VirSCmp4aGd1qAXnDYwhIBrHg9gmo2+NaT zkCGvUeycTcDZIAEujWuLXiJ4RCx3XbMql+gUy3gk1ByHYy7jHS/gIsBpniCnI1dRxfw mG/CVVd2nX7Gm8shgAtdciiKZlllxco/GkIZGWBUp5JiMocL5ET5jfSSYV1GxwFlLJZT kfnzlgrMdZlBBumqqnuLCVMeDmUMSz5J+MJ7RbSy2xEh9ExuCMaZ1vw69xtv3Ju3WinC Xlc6HSmAYyKDWKeuG1s3w7jI/pWsg6Wzldahrf6LHm/Y6E/sjOTnBOML7bnJqOigbzRQ Y0Pg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=T4M++V1J; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j84si1696585pfj.177.2018.02.28.11.53.41; Wed, 28 Feb 2018 11:53:57 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=T4M++V1J; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933938AbeB1TxC (ORCPT + 99 others); Wed, 28 Feb 2018 14:53:02 -0500 Received: from mail-lf0-f47.google.com ([209.85.215.47]:45320 "EHLO mail-lf0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933687AbeB1TxA (ORCPT ); Wed, 28 Feb 2018 14:53:00 -0500 Received: by mail-lf0-f47.google.com with SMTP id h127so4271785lfg.12 for ; Wed, 28 Feb 2018 11:52:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=na+KBM5hDZ6/jSnUaQlgE72snpa4muOXVgTi3Js2t8c=; b=T4M++V1J4R3EASuG8YeWvjL27LLBIURaZByq0KnSZY9xlkvvTPmRs15+X2Cb2GLYzW fJ/rPJ4DZKlJUP7ixxjLaHLqiv0n2sYCrWT++H/kABCIhaUKr+OApBJzR/DSAV+mZlbZ QSWDfX/iw1OvsUIqbnvdAUBjcHYXnpNwLFZo8sNew2qIT4UbCPWGag3WJtsj0mbsXnZP vYqYOKrjC09IPg15QV6rcn2zRHh6Ncwc2tWbRYuhlJYolNh6Uia4RabdsU1eMgZU4IR+ 8eZ/ddgBcmMlUIuvuC+5ypqBTevV9IQb+t6LoF/+PlmlStKVYiDZGK/Eaupv7o2akHMI CL/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=na+KBM5hDZ6/jSnUaQlgE72snpa4muOXVgTi3Js2t8c=; b=EsVsAl4Nul9O22V4k5AMokgti4bop+IWDkLSXRGpwwVe/ONx82yrGABR984egXdKbC 0B+RcwonjkPnZiyAqslPIQSfJNOYTpdw6I7i5d4AICVRrF+uBxubkyV2N3PF8xmf1HqK DJEiNc55jQnoiK4MwPGRUIrttulvSFbeEF6kTmKVVEQuFAHKV+OdJQpM+EIhuFxXAT1J EzLbGswv/DQAhh8lTILkKX4szB3+2oNbnujYEbzsPpTuux9MkiZZmMKT2HBU2oD+KGYp GftQSdjlfVBqOUUy3ERddPGKU7NH6p5UWotqQWZVMZBx+hT499i07ufIBwjxxd30dFD8 X4Lw== X-Gm-Message-State: APf1xPDr4x5ohrrcLFEQ6PGWL9jQf3fEOtUQWQSy5sAKy+tADdeHSeS7 NWjOkgj8sM8Q2FlirfQloJk= X-Received: by 10.46.116.4 with SMTP id p4mr14025759ljc.101.1519847578800; Wed, 28 Feb 2018 11:52:58 -0800 (PST) Received: from [192.168.0.20] (231-39-94-178.pool.ukrtel.net. [178.94.39.231]) by smtp.googlemail.com with ESMTPSA id n11sm525741lje.15.2018.02.28.11.52.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Feb 2018 11:52:57 -0800 (PST) Subject: Re: [PATCH 8/9] drm/xen-front: Implement GEM operations To: Boris Ostrovsky , Oleksandr Andrushchenko , xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, airlied@linux.ie, daniel.vetter@intel.com, seanpaul@chromium.org, gustavo@padovan.org, jgross@suse.com, konrad.wilk@oracle.com References: <1519200222-20623-1-git-send-email-andr2000@gmail.com> <1519200222-20623-9-git-send-email-andr2000@gmail.com> <2f2c6fea-c0cb-e244-41f3-269db07986fc@oracle.com> <56c4a78b-356a-fb35-a97e-187581ae45ad@epam.com> <71ab9d03-dc07-f7f2-c9f8-463cc926e573@oracle.com> <81d77b4c-db75-8830-06c9-6774c15a4c25@oracle.com> From: Oleksandr Andrushchenko Message-ID: Date: Wed, 28 Feb 2018 21:52:56 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <81d77b4c-db75-8830-06c9-6774c15a4c25@oracle.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/28/2018 09:46 PM, Boris Ostrovsky wrote: > On 02/27/2018 01:52 AM, Oleksandr Andrushchenko wrote: >> On 02/27/2018 01:47 AM, Boris Ostrovsky wrote: >>> On 02/23/2018 10:35 AM, Oleksandr Andrushchenko wrote: >>>> On 02/23/2018 05:26 PM, Boris Ostrovsky wrote: >>>>> On 02/21/2018 03:03 AM, Oleksandr Andrushchenko wrote: >>>>>> +        ret = gem_alloc_pages_array(xen_obj, size); >>>>>> +        if (ret < 0) { >>>>>> +            gem_free_pages_array(xen_obj); >>>>>> +            goto fail; >>>>>> +        } >>>>>> + >>>>>> +        ret = alloc_xenballooned_pages(xen_obj->num_pages, >>>>>> +                xen_obj->pages); >>>>> Why are you allocating balloon pages? >>>> in this use-case we map pages provided by the backend >>>> (yes, I know this can be a problem from both security >>>> POV and that DomU can die holding pages of Dom0 forever: >>>> but still it is a configuration option, so user decides >>>> if her use-case needs this and takes responsibility for >>>> such a decision). >>> Perhaps I am missing something here but when you say "I know this can be >>> a problem from both security POV ..." then there is something wrong with >>> your solution. >> well, in this scenario there are actually 2 concerns: >> 1. If DomU dies the pages/grants from Dom0/DomD cannot be >> reclaimed back >> 2. Misbehaving guest may send too many requests to the >> backend exhausting grant references and memory of Dom0/DomD >> (this is the only concern from security POV). Please see [1] >> >> But, we are focusing on embedded use-cases, >> so those systems we use are not that "dynamic" with respect to 2). >> Namely: we have fixed number of domains and their functionality >> is well known, so we can do rather precise assumption on resource >> usage. This is why I try to warn on such a use-case and rely on >> the end user who understands the caveats > > How will dom0/backend know whether or not to trust the front end (and > thus whether or not to provide provide pages to it)? Will there be > something in xenstore, for example, to indicate such trusted frontends? Exactly, there is a dedicated xl configuration option available [1] for vdispl: "be-alloc=BOOLEAN Indicates if backend can be a buffer provider/allocator for this domain. See display protocol for details." Thus, one can configure this per domain for trusted ones in corresponding xl configuration files > -boris > > >> I'll probably add more precise description of this use-case >> clarifying what is that security POV, so there is no confusion >> >> Hope this explanation answers your questions >>> -boris >>> >>>> Please see description of the buffering modes in xen_drm_front.h >>>> specifically for backend allocated buffers: >>>> >>>> ******************************************************************************* >>>> >>>>   * 2. Buffers allocated by the backend >>>> >>>> ******************************************************************************* >>>> >>>>   * >>>>   * This mode of operation is run-time configured via guest domain >>>> configuration >>>>   * through XenStore entries. >>>>   * >>>>   * For systems which do not provide IOMMU support, but having specific >>>>   * requirements for display buffers it is possible to allocate such >>>> buffers >>>>   * at backend side and share those with the frontend. >>>>   * For example, if host domain is 1:1 mapped and has DRM/GPU hardware >>>> expecting >>>>   * physically contiguous memory, this allows implementing zero-copying >>>>   * use-cases. >>>> >>>>> -boris >>>>> >>>>>> +        if (ret < 0) { >>>>>> +            DRM_ERROR("Cannot allocate %zu ballooned pages: %d\n", >>>>>> +                    xen_obj->num_pages, ret); >>>>>> +            goto fail; >>>>>> +        } >>>>>> + >>>>>> +        return xen_obj; >>>>>> +    } >>>>>> +    /* >>>>>> +     * need to allocate backing pages now, so we can share those >>>>>> +     * with the backend >>>>>> +     */ >>>>>> +    xen_obj->num_pages = DIV_ROUND_UP(size, PAGE_SIZE); >>>>>> +    xen_obj->pages = drm_gem_get_pages(&xen_obj->base); >>>>>> +    if (IS_ERR_OR_NULL(xen_obj->pages)) { >>>>>> +        ret = PTR_ERR(xen_obj->pages); >>>>>> +        xen_obj->pages = NULL; >>>>>> +        goto fail; >>>>>> +    } >>>>>> + >>>>>> +    return xen_obj; >>>>>> + >>>>>> +fail: >>>>>> +    DRM_ERROR("Failed to allocate buffer with size %zu\n", size); >>>>>> +    return ERR_PTR(ret); >>>>>> +} >>>>>> + >>>>>> >> Thank you, >> Oleksandr >> >> [1] >> https://lists.xenproject.org/archives/html/xen-devel/2017-07/msg03100.html >> [1] https://xenbits.xen.org/docs/4.10-testing/man/xl.cfg.5.html Indicates if backend can be a buffer provider/allocator for this domain. See display protocol for details.