diff mbox series

xen/include/public: add macro for invalid grant reference

Message ID 20220221124221.10245-1-jgross@suse.com (mailing list archive)
State New, archived
Headers show
Series xen/include/public: add macro for invalid grant reference | expand

Commit Message

Jürgen Groß Feb. 21, 2022, 12:42 p.m. UTC
Providing a macro for an invalid grant reference would be beneficial
for users, especially as some are using the wrong value "0" for that
purpose.

Signed-off-by: Juergen Gross <jgross@suse.com>
---
 xen/include/public/grant_table.h | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jan Beulich Feb. 21, 2022, 2:18 p.m. UTC | #1
On 21.02.2022 13:42, Juergen Gross wrote:
> Providing a macro for an invalid grant reference would be beneficial
> for users, especially as some are using the wrong value "0" for that
> purpose.
> 
> Signed-off-by: Juergen Gross <jgross@suse.com>

Over the years I've been considering to add such to the public
interface, perhaps even more than once. But I'm afraid it's not that
easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
be a valid ref. It is really internal agreement by users of the
interface to set for themselves that they're not ever going to make
a valid grant behind that reference.

Jan
Jürgen Groß Feb. 21, 2022, 2:27 p.m. UTC | #2
On 21.02.22 15:18, Jan Beulich wrote:
> On 21.02.2022 13:42, Juergen Gross wrote:
>> Providing a macro for an invalid grant reference would be beneficial
>> for users, especially as some are using the wrong value "0" for that
>> purpose.
>>
>> Signed-off-by: Juergen Gross <jgross@suse.com>
> 
> Over the years I've been considering to add such to the public
> interface, perhaps even more than once. But I'm afraid it's not that
> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could

I can change that to use 0xffffffff explicitly.

> be a valid ref. It is really internal agreement by users of the
> interface to set for themselves that they're not ever going to make
> a valid grant behind that reference.

As the grant reference is an index into the grant table this would
limit the size of the grant table to "only" UINT_MAX - 1. I don't
think this will be ever a concern (other than an academical one).


Juergen
Jan Beulich Feb. 21, 2022, 2:31 p.m. UTC | #3
On 21.02.2022 15:27, Juergen Gross wrote:
> On 21.02.22 15:18, Jan Beulich wrote:
>> On 21.02.2022 13:42, Juergen Gross wrote:
>>> Providing a macro for an invalid grant reference would be beneficial
>>> for users, especially as some are using the wrong value "0" for that
>>> purpose.
>>>
>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>
>> Over the years I've been considering to add such to the public
>> interface, perhaps even more than once. But I'm afraid it's not that
>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
> 
> I can change that to use 0xffffffff explicitly.
> 
>> be a valid ref. It is really internal agreement by users of the
>> interface to set for themselves that they're not ever going to make
>> a valid grant behind that reference.
> 
> As the grant reference is an index into the grant table this would
> limit the size of the grant table to "only" UINT_MAX - 1. I don't
> think this will be ever a concern (other than an academical one).

That wasn't my point. Limiting the table to one less entry is not a
big deal indeed. But we have no reason to mandate which gref(s) to
consider invalid. A guest could consider gref 0 the invalid one.
The hypervisor doesn't care. Imo this simply is an aspect which is
not in need of pinning down in the ABI. Yet if it was pinned down
like you do, then the hypervisor would need to make sure it refuses
to act on this mandated invalid gref.

Jan
Jürgen Groß Feb. 21, 2022, 3:05 p.m. UTC | #4
On 21.02.22 15:31, Jan Beulich wrote:
> On 21.02.2022 15:27, Juergen Gross wrote:
>> On 21.02.22 15:18, Jan Beulich wrote:
>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>> Providing a macro for an invalid grant reference would be beneficial
>>>> for users, especially as some are using the wrong value "0" for that
>>>> purpose.
>>>>
>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>
>>> Over the years I've been considering to add such to the public
>>> interface, perhaps even more than once. But I'm afraid it's not that
>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>
>> I can change that to use 0xffffffff explicitly.
>>
>>> be a valid ref. It is really internal agreement by users of the
>>> interface to set for themselves that they're not ever going to make
>>> a valid grant behind that reference.
>>
>> As the grant reference is an index into the grant table this would
>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>> think this will be ever a concern (other than an academical one).
> 
> That wasn't my point. Limiting the table to one less entry is not a
> big deal indeed. But we have no reason to mandate which gref(s) to
> consider invalid. A guest could consider gref 0 the invalid one.

With the gref being an index starting with 0 (gref 0 is valid, as it is
used for the console ring page), the natural choice for an invalid
value is the highest one being representable. A gref is of type uint32_t
resulting in this value being 0xffffffff.

While in theory a grant table could be that large, in practice this
will never happen.

> The hypervisor doesn't care. Imo this simply is an aspect which is

This isn't true. The hypervisor needs to allocate resources for being
able to handle the highest possible gref value for a guest. For a v1
grant table this would mean 32GB of grant table size. Are you really
concerned we will ever hit this limit? This isn't at the guest's
choice, after all, as the max grant table size is limited by Xen.

> not in need of pinning down in the ABI. Yet if it was pinned down
> like you do, then the hypervisor would need to make sure it refuses
> to act on this mandated invalid gref.

This is an easy one. We could just refuse to have a grant table of
that size. I can add this to the patch if you really think it is
necessary.

TBH, I think such completely theoretical concerns should not stand
in the way of additions to the ABI making life easier for consumers.


Juergen
Jan Beulich Feb. 21, 2022, 3:31 p.m. UTC | #5
On 21.02.2022 16:05, Juergen Gross wrote:
> On 21.02.22 15:31, Jan Beulich wrote:
>> On 21.02.2022 15:27, Juergen Gross wrote:
>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>> for users, especially as some are using the wrong value "0" for that
>>>>> purpose.
>>>>>
>>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>>
>>>> Over the years I've been considering to add such to the public
>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>
>>> I can change that to use 0xffffffff explicitly.
>>>
>>>> be a valid ref. It is really internal agreement by users of the
>>>> interface to set for themselves that they're not ever going to make
>>>> a valid grant behind that reference.
>>>
>>> As the grant reference is an index into the grant table this would
>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>> think this will be ever a concern (other than an academical one).
>>
>> That wasn't my point. Limiting the table to one less entry is not a
>> big deal indeed. But we have no reason to mandate which gref(s) to
>> consider invalid. A guest could consider gref 0 the invalid one.
> 
> With the gref being an index starting with 0 (gref 0 is valid, as it is
> used for the console ring page), the natural choice for an invalid
> value is the highest one being representable. A gref is of type uint32_t
> resulting in this value being 0xffffffff.
> 
> While in theory a grant table could be that large, in practice this
> will never happen.
> 
>> The hypervisor doesn't care. Imo this simply is an aspect which is
> 
> This isn't true. The hypervisor needs to allocate resources for being
> able to handle the highest possible gref value for a guest. For a v1
> grant table this would mean 32GB of grant table size. Are you really
> concerned we will ever hit this limit? This isn't at the guest's
> choice, after all, as the max grant table size is limited by Xen.

If we're not going to hit that limit, what's wrong with declaring the
entire upper half of uint32_t space "invalid" for use a gref? If we
won't ever go up to 32Gb, we quite certainly also won't ever reach
16Gb. Yes, you probably already guessed it, we can then repeat this
process iteratively until we reach 4kb.

>> not in need of pinning down in the ABI. Yet if it was pinned down
>> like you do, then the hypervisor would need to make sure it refuses
>> to act on this mandated invalid gref.
> 
> This is an easy one. We could just refuse to have a grant table of
> that size. I can add this to the patch if you really think it is
> necessary.

Since grant table size is measured in pages, you'd then have to
refuse use of more than just that single gref. This would still not
be an immediate problem, but demonstrates again that it's unclear
where to draw such a boundary, if one is to be artificially drawn.

> TBH, I think such completely theoretical concerns should not stand
> in the way of additions to the ABI making life easier for consumers.

In case it wasn't clear - my concern isn't that sacrificing this one
entry may cause a problem, or that we'd ever see grant tables grow
this big (albeit for the latter: you never really know). Instead my
concern is that it is conceptually wrong for us to (now) introduce
such a value.

Jan
Jürgen Groß Feb. 21, 2022, 3:57 p.m. UTC | #6
On 21.02.22 16:31, Jan Beulich wrote:
> On 21.02.2022 16:05, Juergen Gross wrote:
>> On 21.02.22 15:31, Jan Beulich wrote:
>>> On 21.02.2022 15:27, Juergen Gross wrote:
>>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>>> for users, especially as some are using the wrong value "0" for that
>>>>>> purpose.
>>>>>>
>>>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>>>
>>>>> Over the years I've been considering to add such to the public
>>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>>
>>>> I can change that to use 0xffffffff explicitly.
>>>>
>>>>> be a valid ref. It is really internal agreement by users of the
>>>>> interface to set for themselves that they're not ever going to make
>>>>> a valid grant behind that reference.
>>>>
>>>> As the grant reference is an index into the grant table this would
>>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>>> think this will be ever a concern (other than an academical one).
>>>
>>> That wasn't my point. Limiting the table to one less entry is not a
>>> big deal indeed. But we have no reason to mandate which gref(s) to
>>> consider invalid. A guest could consider gref 0 the invalid one.
>>
>> With the gref being an index starting with 0 (gref 0 is valid, as it is
>> used for the console ring page), the natural choice for an invalid
>> value is the highest one being representable. A gref is of type uint32_t
>> resulting in this value being 0xffffffff.
>>
>> While in theory a grant table could be that large, in practice this
>> will never happen.
>>
>>> The hypervisor doesn't care. Imo this simply is an aspect which is
>>
>> This isn't true. The hypervisor needs to allocate resources for being
>> able to handle the highest possible gref value for a guest. For a v1
>> grant table this would mean 32GB of grant table size. Are you really
>> concerned we will ever hit this limit? This isn't at the guest's
>> choice, after all, as the max grant table size is limited by Xen.
> 
> If we're not going to hit that limit, what's wrong with declaring the
> entire upper half of uint32_t space "invalid" for use a gref? If we
> won't ever go up to 32Gb, we quite certainly also won't ever reach
> 16Gb. Yes, you probably already guessed it, we can then repeat this
> process iteratively until we reach 4kb.

This reasoning is nonsense, and you know it.

>>> not in need of pinning down in the ABI. Yet if it was pinned down
>>> like you do, then the hypervisor would need to make sure it refuses
>>> to act on this mandated invalid gref.
>>
>> This is an easy one. We could just refuse to have a grant table of
>> that size. I can add this to the patch if you really think it is
>> necessary.
> 
> Since grant table size is measured in pages, you'd then have to
> refuse use of more than just that single gref. This would still not
> be an immediate problem, but demonstrates again that it's unclear
> where to draw such a boundary, if one is to be artificially drawn.

It should be as high as possible. I wouldn't mind just refusing the
last possible gref, but I don't think this is necessary.

>> TBH, I think such completely theoretical concerns should not stand
>> in the way of additions to the ABI making life easier for consumers.
> 
> In case it wasn't clear - my concern isn't that sacrificing this one
> entry may cause a problem, or that we'd ever see grant tables grow
> this big (albeit for the latter: you never really know). Instead my
> concern is that it is conceptually wrong for us to (now) introduce
> such a value.

I have understood that this is your concern.

I continue to think that this concern is of purely academical nature.


Juergen
Jan Beulich Feb. 22, 2022, 8:55 a.m. UTC | #7
On 21.02.2022 16:57, Juergen Gross wrote:
> On 21.02.22 16:31, Jan Beulich wrote:
>> On 21.02.2022 16:05, Juergen Gross wrote:
>>> On 21.02.22 15:31, Jan Beulich wrote:
>>>> On 21.02.2022 15:27, Juergen Gross wrote:
>>>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>>>> for users, especially as some are using the wrong value "0" for that
>>>>>>> purpose.
>>>>>>>
>>>>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>>>>
>>>>>> Over the years I've been considering to add such to the public
>>>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>>>
>>>>> I can change that to use 0xffffffff explicitly.
>>>>>
>>>>>> be a valid ref. It is really internal agreement by users of the
>>>>>> interface to set for themselves that they're not ever going to make
>>>>>> a valid grant behind that reference.
>>>>>
>>>>> As the grant reference is an index into the grant table this would
>>>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>>>> think this will be ever a concern (other than an academical one).
>>>>
>>>> That wasn't my point. Limiting the table to one less entry is not a
>>>> big deal indeed. But we have no reason to mandate which gref(s) to
>>>> consider invalid. A guest could consider gref 0 the invalid one.
>>>
>>> With the gref being an index starting with 0 (gref 0 is valid, as it is
>>> used for the console ring page), the natural choice for an invalid
>>> value is the highest one being representable. A gref is of type uint32_t
>>> resulting in this value being 0xffffffff.
>>>
>>> While in theory a grant table could be that large, in practice this
>>> will never happen.
>>>
>>>> The hypervisor doesn't care. Imo this simply is an aspect which is
>>>
>>> This isn't true. The hypervisor needs to allocate resources for being
>>> able to handle the highest possible gref value for a guest. For a v1
>>> grant table this would mean 32GB of grant table size. Are you really
>>> concerned we will ever hit this limit? This isn't at the guest's
>>> choice, after all, as the max grant table size is limited by Xen.
>>
>> If we're not going to hit that limit, what's wrong with declaring the
>> entire upper half of uint32_t space "invalid" for use a gref? If we
>> won't ever go up to 32Gb, we quite certainly also won't ever reach
>> 16Gb. Yes, you probably already guessed it, we can then repeat this
>> process iteratively until we reach 4kb.
> 
> This reasoning is nonsense, and you know it.

Interesting. The underlying "where to draw a boundary" is far from
nonsense, I think. The only way to escape this question is to avoid
introduction of artificial boundaries. While it was me to submit
"SUPPORT.md: limit security support for hosts with very much memory",
I didn't do so because I thought it was a good thing to establish
such a boundary. Nor was I convinced in any way of the precise
value chosen. I merely took on carrying out what was discussed
with the security team in the context of XSA-385, when even that
discussion left it very much to me to pick an arbitrary value.

>>>> not in need of pinning down in the ABI. Yet if it was pinned down
>>>> like you do, then the hypervisor would need to make sure it refuses
>>>> to act on this mandated invalid gref.
>>>
>>> This is an easy one. We could just refuse to have a grant table of
>>> that size. I can add this to the patch if you really think it is
>>> necessary.
>>
>> Since grant table size is measured in pages, you'd then have to
>> refuse use of more than just that single gref. This would still not
>> be an immediate problem, but demonstrates again that it's unclear
>> where to draw such a boundary, if one is to be artificially drawn.
> 
> It should be as high as possible. I wouldn't mind just refusing the
> last possible gref, but I don't think this is necessary.
> 
>>> TBH, I think such completely theoretical concerns should not stand
>>> in the way of additions to the ABI making life easier for consumers.
>>
>> In case it wasn't clear - my concern isn't that sacrificing this one
>> entry may cause a problem, or that we'd ever see grant tables grow
>> this big (albeit for the latter: you never really know). Instead my
>> concern is that it is conceptually wrong for us to (now) introduce
>> such a value.
> 
> I have understood that this is your concern.
> 
> I continue to think that this concern is of purely academical nature.

Well, I'm not going to NAK the change if others agree with your view.
But I'm not going to put my name under it in any form. Academical or
not, it sets a(nother) wrong precedent.

Jan
Jürgen Groß Feb. 22, 2022, 9:32 a.m. UTC | #8
On 22.02.22 09:55, Jan Beulich wrote:
> On 21.02.2022 16:57, Juergen Gross wrote:
>> On 21.02.22 16:31, Jan Beulich wrote:
>>> On 21.02.2022 16:05, Juergen Gross wrote:
>>>> On 21.02.22 15:31, Jan Beulich wrote:
>>>>> On 21.02.2022 15:27, Juergen Gross wrote:
>>>>>> On 21.02.22 15:18, Jan Beulich wrote:
>>>>>>> On 21.02.2022 13:42, Juergen Gross wrote:
>>>>>>>> Providing a macro for an invalid grant reference would be beneficial
>>>>>>>> for users, especially as some are using the wrong value "0" for that
>>>>>>>> purpose.
>>>>>>>>
>>>>>>>> Signed-off-by: Juergen Gross <jgross@suse.com>
>>>>>>>
>>>>>>> Over the years I've been considering to add such to the public
>>>>>>> interface, perhaps even more than once. But I'm afraid it's not that
>>>>>>> easy. In principle 0xffffffff (which btw isn't necessarily ~0u) could
>>>>>>
>>>>>> I can change that to use 0xffffffff explicitly.
>>>>>>
>>>>>>> be a valid ref. It is really internal agreement by users of the
>>>>>>> interface to set for themselves that they're not ever going to make
>>>>>>> a valid grant behind that reference.
>>>>>>
>>>>>> As the grant reference is an index into the grant table this would
>>>>>> limit the size of the grant table to "only" UINT_MAX - 1. I don't
>>>>>> think this will be ever a concern (other than an academical one).
>>>>>
>>>>> That wasn't my point. Limiting the table to one less entry is not a
>>>>> big deal indeed. But we have no reason to mandate which gref(s) to
>>>>> consider invalid. A guest could consider gref 0 the invalid one.
>>>>
>>>> With the gref being an index starting with 0 (gref 0 is valid, as it is
>>>> used for the console ring page), the natural choice for an invalid
>>>> value is the highest one being representable. A gref is of type uint32_t
>>>> resulting in this value being 0xffffffff.
>>>>
>>>> While in theory a grant table could be that large, in practice this
>>>> will never happen.
>>>>
>>>>> The hypervisor doesn't care. Imo this simply is an aspect which is
>>>>
>>>> This isn't true. The hypervisor needs to allocate resources for being
>>>> able to handle the highest possible gref value for a guest. For a v1
>>>> grant table this would mean 32GB of grant table size. Are you really
>>>> concerned we will ever hit this limit? This isn't at the guest's
>>>> choice, after all, as the max grant table size is limited by Xen.
>>>
>>> If we're not going to hit that limit, what's wrong with declaring the
>>> entire upper half of uint32_t space "invalid" for use a gref? If we
>>> won't ever go up to 32Gb, we quite certainly also won't ever reach
>>> 16Gb. Yes, you probably already guessed it, we can then repeat this
>>> process iteratively until we reach 4kb.
>>
>> This reasoning is nonsense, and you know it.
> 
> Interesting. The underlying "where to draw a boundary" is far from
> nonsense, I think. The only way to escape this question is to avoid
> introduction of artificial boundaries. While it was me to submit

Your reasoning that taking away the upper 0.000000025% of grant ref
space is similar to take away 50% or even 99.9999% is nonsense.

Taking away the last entry of more than 4 billion ones, while today
no usage exceeding 1 million is known (the highest value I know of
is allowing 256 grant frames for a guest, resulting in 65536 grant
refs), is hardly a relevant limitation. This is especially true, as
the grant ref space can't be extended to higher values without a
new interface.

> "SUPPORT.md: limit security support for hosts with very much memory",
> I didn't do so because I thought it was a good thing to establish
> such a boundary. Nor was I convinced in any way of the precise
> value chosen. I merely took on carrying out what was discussed
> with the security team in the context of XSA-385, when even that
> discussion left it very much to me to pick an arbitrary value.
> 
>>>>> not in need of pinning down in the ABI. Yet if it was pinned down
>>>>> like you do, then the hypervisor would need to make sure it refuses
>>>>> to act on this mandated invalid gref.
>>>>
>>>> This is an easy one. We could just refuse to have a grant table of
>>>> that size. I can add this to the patch if you really think it is
>>>> necessary.
>>>
>>> Since grant table size is measured in pages, you'd then have to
>>> refuse use of more than just that single gref. This would still not
>>> be an immediate problem, but demonstrates again that it's unclear
>>> where to draw such a boundary, if one is to be artificially drawn.
>>
>> It should be as high as possible. I wouldn't mind just refusing the
>> last possible gref, but I don't think this is necessary.
>>
>>>> TBH, I think such completely theoretical concerns should not stand
>>>> in the way of additions to the ABI making life easier for consumers.
>>>
>>> In case it wasn't clear - my concern isn't that sacrificing this one
>>> entry may cause a problem, or that we'd ever see grant tables grow
>>> this big (albeit for the latter: you never really know). Instead my
>>> concern is that it is conceptually wrong for us to (now) introduce
>>> such a value.
>>
>> I have understood that this is your concern.
>>
>> I continue to think that this concern is of purely academical nature.
> 
> Well, I'm not going to NAK the change if others agree with your view.
> But I'm not going to put my name under it in any form. Academical or
> not, it sets a(nother) wrong precedent.

Fair enough.


Juergen
diff mbox series

Patch

diff --git a/xen/include/public/grant_table.h b/xen/include/public/grant_table.h
index 7fbd1c6d10..af00aacfd3 100644
--- a/xen/include/public/grant_table.h
+++ b/xen/include/public/grant_table.h
@@ -113,6 +113,8 @@ 
  */
 typedef uint32_t grant_ref_t;
 
+#define XEN_GRANT_REF_INVALID  ~0U
+
 /*
  * A grant table comprises a packed array of grant entries in one or more
  * page frames shared between Xen and a guest.