xen-users
Re: [Xen-users] 64bit processors and TLS warning message
> > It's just not an issue like it is on 32-bit - the TLS implementation
> > doesn't conflict with the way Xen enforces protection.
>
> Uhm. Doh.
> Why doesn't the documentation mention this?
I guess nobody thought of it before: the documentation is i386 oriented
because that's what we've had for longest. The information in there is
common to x86_64, but doesn't go into the differences.
> I would've gone a very different route with a Xen system I've spent a
> lot of time on had I known this. *sigh*.
Oops. Sorry.
> Could you elaborate a bit on the above?
Xen protects itself using x86 segmentation. This is because the page-tables
alone only make a distinction between user / supervisor level, and we have
three privilege levels to maintain: user / supervisor / hypervisor. The
default TLS implementation in glibc does something *very strange* with
segments, that one wouldn't expect to be possible at all, as a performance
optimisation. (side note: I recently talked this over with people locally,
trying to get this straight once and for all - my mind boggled, it's such a
weird trick!!!)
Unfortunately, this performance optimisation cannot be allowed to be used
directly under Xen, since it would violate security properties of the system.
Xen *can* emulate the correct behaviour but this is pretty slow; hence the
suggestion that people disable the TLS library. Lots of distros are now
including a libc that is (one way or another) friendly towards Xen (by having
an option not to use the negative segment offset tricks on Xen, or just not
including them at all).
On x86_64 (and other architectures) it's not necessary to protect Xen using
segmentation, so we don't really need to care what the OS actually does with
segmentation - even if the OS does set up weird and wonderful segments, they
can't violate our security properties. Hence the segmentation tricks will
work fine on your 64-bit box, without the slowdown incurred by emulation.
> Is the situation the same for all 64bit CPUs?
I doubt anything but x86 abuses segments in such interesting / disturbing
ways ;-) So yes, they should be OK.
> Could you please update:
> http://wiki.xensource.com/xenwiki/XenSpecificGlibc
> to mention that this hack is not necessary if you're running
> this-and-that CPU (the page is protected)?
Do you have an account? The vast majority of pages are editable by all, but
they do require sign-up - anonymous editing easily results in an
unmanageable amount of spam, unless you're big enough (like Wikipedia) to
clean up quickly.
Cheers,
Mark
--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
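
Added example, not part of the original message and not Xen or glibc code: a simplified C model of the x86 segment limit check, showing why a negative offset from a TLS segment base only works with a full 4GB limit and faults once the limit is clamped to keep a reserved range out of reach. HYP_START, TP_BASE and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HYP_START 0xFC000000u  /* assumed start of the hypervisor's reserved range */
#define TP_BASE   0xB7F00000u  /* constructed thread-pointer address used as segment base */

/* Simplified expand-up data segment: offsets 0..limit are valid. */
struct segment { uint32_t base, limit; };

/* Model of the limit check: returns 1 and the linear address, or 0 where
 * real hardware would raise a general-protection fault. */
int seg_translate(const struct segment *s, uint32_t off, uint32_t size, uint32_t *linear)
{
    uint32_t last = off + size - 1;
    if (size == 0 || last < off || last > s->limit)
        return 0;
    *linear = s->base + off;  /* 32-bit wrap: a "negative" offset lands below base */
    return 1;
}

/* Shrink a limit so that base+limit stays below hyp_start (requires base < hyp_start). */
uint32_t clamp_limit(uint32_t base, uint32_t limit, uint32_t hyp_start)
{
    uint32_t max = hyp_start - 1 - base;
    return limit > max ? max : limit;
}

int main(void)
{
    struct segment flat = { TP_BASE, 0xFFFFFFFFu };
    struct segment safe = { TP_BASE, clamp_limit(TP_BASE, 0xFFFFFFFFu, HYP_START) };
    uint32_t neg8 = (uint32_t)-8, lin = 0;  /* TLS slot 8 bytes below the thread pointer */

    if (seg_translate(&flat, neg8, 4, &lin))
        printf("flat limit:    offset -8 -> 0x%08x\n", (unsigned)lin);
    if (!seg_translate(&safe, neg8, 4, &lin))
        printf("clamped limit: offset -8 faults (limit 0x%08x)\n", (unsigned)safe.limit);
    /* The same flat limit that makes -8 work also lets an offset reach the reserved range. */
    if (seg_translate(&flat, HYP_START - TP_BASE, 4, &lin))
        printf("flat limit:    offset 0x%08x -> 0x%08x (reserved)\n",
               (unsigned)(HYP_START - TP_BASE), (unsigned)lin);
    return 0;
}
```

In this model the faulting access under the clamped limit is the case that would have to be emulated, which is the slowdown described in the message; on x86_64 no such clamp is needed.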