qubes-linux-kernel/patches.xen/xen-balloon-add-runtime-control-for-scrubbing-balloo.patch

From 59e44d8c45afe91204e90229bef64a6d2c5ac103 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Thu, 6 Sep 2018 15:09:44 +0200
Subject: [PATCH] xen/balloon: add runtime control for scrubbing ballooned out
 pages

Scrubbing pages on initial balloon down can take some time, especially
in nested virtualization case (nested EPT is slow). When HVM/PVH guest is
started with memory= significantly lower than maxmem=, all the extra
pages will be scrubbed before returning to Xen. But since most of them
weren't used at all at that point, Xen needs to populate them first
(from populate-on-demand pool). In nested virt case (Xen inside KVM)
this slows down the guest boot by 15-30s with just 1.5GB needed to be
returned to Xen.

Add runtime parameter to enable/disable it, to allow initially disabling
scrubbing, then enable it back during boot (for example in initramfs).
Such usage relies on assumption that a) most pages ballooned out during
initial boot weren't used at all, and b) even if they were, very few
secrets are in the guest at that time (before any serious userspace
kicks in).
Convert CONFIG_XEN_SCRUB_PAGES to CONFIG_XEN_SCRUB_PAGES_DEFAULT (also
enabled by default), controlling default value for the new runtime
switch.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

---
 .../ABI/stable/sysfs-devices-system-xen_memory         |  9 +++++++++
 Documentation/admin-guide/kernel-parameters.txt        |  6 ++++++
 drivers/xen/Kconfig                                    | 10 +++++++---
 drivers/xen/balloon.c                                  |  9 ++++++---
 drivers/xen/xen-balloon.c                              |  2 ++
 include/xen/balloon.h                                  |  1 +
 6 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/Documentation/ABI/stable/sysfs-devices-system-xen_memory b/Documentation/ABI/stable/sysfs-devices-system-xen_memory
index caa311d59ac1..6d83f95a8a8e 100644
--- a/Documentation/ABI/stable/sysfs-devices-system-xen_memory
+++ b/Documentation/ABI/stable/sysfs-devices-system-xen_memory
@@ -75,3 +75,12 @@ Contact:	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
 Description:
 		Amount (in KiB) of low (or normal) memory in the
 		balloon.
+
+What:		/sys/devices/system/xen_memory/xen_memory0/scrub_pages
+Date:		September 2018
+KernelVersion:	4.20
+Contact:	xen-devel@lists.xenproject.org
+Description:
+		Control scrubbing pages before returning them to Xen for others domains
+		use. Can be set with xen_scrub_pages cmdline
+		parameter. Default value controlled with CONFIG_XEN_SCRUB_PAGES_DEFAULT.
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 1370b424a453..c62691ddd476 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4921,6 +4921,12 @@
 			Disables the PV optimizations forcing the HVM guest to
 			run as generic HVM guest with no PV drivers.
 
+	xen_scrub_pages=	[XEN]
+			Boolean option to control scrubbing pages before giving them back
+			to Xen, for use by other domains. Can be also changed at runtime
+			with /sys/devices/system/xen_memory/xen_memory0/scrub_pages.
+			Default value controlled with CONFIG_XEN_SCRUB_PAGES_DEFAULT.
+
 	xirc2ps_cs=	[NET,PCMCIA]
 			Format:
 			<irq>,<irq_mask>,<io>,<full_duplex>,<do_sound>,<lockup_hack>[,<irq2>[,<irq3>[,<irq4>]]]
diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
index e5d0c28372ea..2f0353290ce5 100644
--- a/drivers/xen/Kconfig
+++ b/drivers/xen/Kconfig
@@ -79,15 +79,19 @@ config XEN_BALLOON_MEMORY_HOTPLUG_LIMIT
 	  This value is used to allocate enough space in internal
 	  tables needed for physical memory administration.
 
-config XEN_SCRUB_PAGES
-	bool "Scrub pages before returning them to system"
+config XEN_SCRUB_PAGES_DEFAULT
+	bool "Scrub pages before returning them to system by default"
 	depends on XEN_BALLOON
 	default y
 	help
 	  Scrub pages before returning them to the system for reuse by
 	  other domains.  This makes sure that any confidential data
 	  is not accidentally visible to other domains.  Is it more
-	  secure, but slightly less efficient.
+	  secure, but slightly less efficient. This can be controlled with
+	  xen_scrub_pages=0 parameter and
+	  /sys/devices/system/xen_memory/xen_memory0/scrub_pages.
+	  This option only sets the default value.
+
 	  If in doubt, say yes.
 
 config XEN_DEV_EVTCHN
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 065f0b607373..a3e5dfa71796 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -56,6 +56,7 @@
 #include <linux/percpu-defs.h>
 #include <linux/slab.h>
 #include <linux/sysctl.h>
+#include <linux/moduleparam.h>
 
 #include <asm/page.h>
 #include <asm/pgalloc.h>
@@ -74,6 +75,9 @@
 
 static int xen_hotplug_unpopulated;
 
+bool __read_mostly xen_scrub_pages = IS_ENABLED(CONFIG_XEN_SCRUB_PAGES_DEFAULT);
+core_param(xen_scrub_pages, xen_scrub_pages, bool, 0);
+
 #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
 
 static int zero;
@@ -159,9 +163,8 @@ static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
 
 static void scrub_page(struct page *page)
 {
-#ifdef CONFIG_XEN_SCRUB_PAGES
-	clear_highpage(page);
-#endif
+	if (xen_scrub_pages)
+		clear_highpage(page);
 }
 
 /* balloon_append: add the given page to the balloon. */
diff --git a/drivers/xen/xen-balloon.c b/drivers/xen/xen-balloon.c
index b437fccd4e62..a3dd7c6ec371 100644
--- a/drivers/xen/xen-balloon.c
+++ b/drivers/xen/xen-balloon.c
@@ -137,6 +137,7 @@ static DEVICE_ULONG_ATTR(schedule_delay, 0444, balloon_stats.schedule_delay);
 static DEVICE_ULONG_ATTR(max_schedule_delay, 0644, balloon_stats.max_schedule_delay);
 static DEVICE_ULONG_ATTR(retry_count, 0444, balloon_stats.retry_count);
 static DEVICE_ULONG_ATTR(max_retry_count, 0644, balloon_stats.max_retry_count);
+static DEVICE_BOOL_ATTR(scrub_pages, 0644, xen_scrub_pages);
 
 static ssize_t show_target_kb(struct device *dev, struct device_attribute *attr,
 			      char *buf)
@@ -203,6 +204,7 @@ static struct attribute *balloon_attrs[] = {
 	&dev_attr_max_schedule_delay.attr.attr,
 	&dev_attr_retry_count.attr.attr,
 	&dev_attr_max_retry_count.attr.attr,
+	&dev_attr_scrub_pages.attr.attr,
 	NULL
 };
 
diff --git a/include/xen/balloon.h b/include/xen/balloon.h
index 61f410fd74e4..0ec832b9ff55 100644
--- a/include/xen/balloon.h
+++ b/include/xen/balloon.h
@@ -21,6 +21,7 @@ struct balloon_stats {
 };
 
 extern struct balloon_stats balloon_stats;
+extern bool xen_scrub_pages;
 
 void balloon_set_new_target(unsigned long target);
 
-- 
2.17.1
Add xen_scrub_pages runtime control Fix performance issue in nested virtualization (used for system tests). See patch description for details. Similar patch is already accepted for Linux 4.19. 2018-09-12 00:51:28 +00:00			`From 59e44d8c45afe91204e90229bef64a6d2c5ac103 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=`
			`<marmarek@invisiblethingslab.com>`
			`Date: Thu, 6 Sep 2018 15:09:44 +0200`
			`Subject: [PATCH] xen/balloon: add runtime control for scrubbing ballooned out`
			`pages`

			`Scrubbing pages on initial balloon down can take some time, especially`
			`in nested virtualization case (nested EPT is slow). When HVM/PVH guest is`
			`started with memory= significantly lower than maxmem=, all the extra`
			`pages will be scrubbed before returning to Xen. But since most of them`
			`weren't used at all at that point, Xen needs to populate them first`
			`(from populate-on-demand pool). In nested virt case (Xen inside KVM)`
			`this slows down the guest boot by 15-30s with just 1.5GB needed to be`
			`returned to Xen.`

			`Add runtime parameter to enable/disable it, to allow initially disabling`
			`scrubbing, then enable it back during boot (for example in initramfs).`
			`Such usage relies on assumption that a) most pages ballooned out during`
			`initial boot weren't used at all, and b) even if they were, very few`
			`secrets are in the guest at that time (before any serious userspace`
			`kicks in).`
			`Convert CONFIG_XEN_SCRUB_PAGES to CONFIG_XEN_SCRUB_PAGES_DEFAULT (also`
			`enabled by default), controlling default value for the new runtime`
			`switch.`

			`Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>`

			`---`
			`.../ABI/stable/sysfs-devices-system-xen_memory \| 9 +++++++++`
			`Documentation/admin-guide/kernel-parameters.txt \| 6 ++++++`
			`drivers/xen/Kconfig \| 10 +++++++---`
			`drivers/xen/balloon.c \| 9 ++++++---`
			`drivers/xen/xen-balloon.c \| 2 ++`
			`include/xen/balloon.h \| 1 +`
			`6 files changed, 31 insertions(+), 6 deletions(-)`

			`diff --git a/Documentation/ABI/stable/sysfs-devices-system-xen_memory b/Documentation/ABI/stable/sysfs-devices-system-xen_memory`
			`index caa311d59ac1..6d83f95a8a8e 100644`
			`--- a/Documentation/ABI/stable/sysfs-devices-system-xen_memory`
			`+++ b/Documentation/ABI/stable/sysfs-devices-system-xen_memory`
			`@@ -75,3 +75,12 @@ Contact: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>`
			`Description:`
			`Amount (in KiB) of low (or normal) memory in the`
			`balloon.`
			`+`
			`+What: /sys/devices/system/xen_memory/xen_memory0/scrub_pages`
			`+Date: September 2018`
			`+KernelVersion: 4.20`
			`+Contact: xen-devel@lists.xenproject.org`
			`+Description:`
			`+ Control scrubbing pages before returning them to Xen for others domains`
			`+ use. Can be set with xen_scrub_pages cmdline`
			`+ parameter. Default value controlled with CONFIG_XEN_SCRUB_PAGES_DEFAULT.`
			`diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt`
			`index 1370b424a453..c62691ddd476 100644`
			`--- a/Documentation/admin-guide/kernel-parameters.txt`
			`+++ b/Documentation/admin-guide/kernel-parameters.txt`
			`@@ -4921,6 +4921,12 @@`
			`Disables the PV optimizations forcing the HVM guest to`
			`run as generic HVM guest with no PV drivers.`

			`+ xen_scrub_pages= [XEN]`
			`+ Boolean option to control scrubbing pages before giving them back`
			`+ to Xen, for use by other domains. Can be also changed at runtime`
			`+ with /sys/devices/system/xen_memory/xen_memory0/scrub_pages.`
			`+ Default value controlled with CONFIG_XEN_SCRUB_PAGES_DEFAULT.`
			`+`
			`xirc2ps_cs= [NET,PCMCIA]`
			`Format:`
			`<irq>,<irq_mask>,<io>,<full_duplex>,<do_sound>,<lockup_hack>[,<irq2>[,<irq3>[,<irq4>]]]`
			`diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig`
			`index e5d0c28372ea..2f0353290ce5 100644`
			`--- a/drivers/xen/Kconfig`
			`+++ b/drivers/xen/Kconfig`
			`@@ -79,15 +79,19 @@ config XEN_BALLOON_MEMORY_HOTPLUG_LIMIT`
			`This value is used to allocate enough space in internal`
			`tables needed for physical memory administration.`

			`-config XEN_SCRUB_PAGES`
			`- bool "Scrub pages before returning them to system"`
			`+config XEN_SCRUB_PAGES_DEFAULT`
			`+ bool "Scrub pages before returning them to system by default"`
			`depends on XEN_BALLOON`
			`default y`
			`help`
			`Scrub pages before returning them to the system for reuse by`
			`other domains. This makes sure that any confidential data`
			`is not accidentally visible to other domains. Is it more`
			`- secure, but slightly less efficient.`
			`+ secure, but slightly less efficient. This can be controlled with`
			`+ xen_scrub_pages=0 parameter and`
			`+ /sys/devices/system/xen_memory/xen_memory0/scrub_pages.`
			`+ This option only sets the default value.`
			`+`
			`If in doubt, say yes.`

			`config XEN_DEV_EVTCHN`
			`diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c`
			`index 065f0b607373..a3e5dfa71796 100644`
			`--- a/drivers/xen/balloon.c`
			`+++ b/drivers/xen/balloon.c`
			`@@ -56,6 +56,7 @@`
			`#include <linux/percpu-defs.h>`
			`#include <linux/slab.h>`
			`#include <linux/sysctl.h>`
			`+#include <linux/moduleparam.h>`

			`#include <asm/page.h>`
			`#include <asm/pgalloc.h>`
			`@@ -74,6 +75,9 @@`

			`static int xen_hotplug_unpopulated;`

			`+bool __read_mostly xen_scrub_pages = IS_ENABLED(CONFIG_XEN_SCRUB_PAGES_DEFAULT);`
			`+core_param(xen_scrub_pages, xen_scrub_pages, bool, 0);`
			`+`
			`#ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG`

			`static int zero;`
			`@@ -159,9 +163,8 @@ static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);`

			`static void scrub_page(struct page *page)`
			`{`
			`-#ifdef CONFIG_XEN_SCRUB_PAGES`
			`- clear_highpage(page);`
			`-#endif`
			`+ if (xen_scrub_pages)`
			`+ clear_highpage(page);`
			`}`

			`/* balloon_append: add the given page to the balloon. */`
			`diff --git a/drivers/xen/xen-balloon.c b/drivers/xen/xen-balloon.c`
			`index b437fccd4e62..a3dd7c6ec371 100644`
			`--- a/drivers/xen/xen-balloon.c`
			`+++ b/drivers/xen/xen-balloon.c`
			`@@ -137,6 +137,7 @@ static DEVICE_ULONG_ATTR(schedule_delay, 0444, balloon_stats.schedule_delay);`
			`static DEVICE_ULONG_ATTR(max_schedule_delay, 0644, balloon_stats.max_schedule_delay);`
			`static DEVICE_ULONG_ATTR(retry_count, 0444, balloon_stats.retry_count);`
			`static DEVICE_ULONG_ATTR(max_retry_count, 0644, balloon_stats.max_retry_count);`
			`+static DEVICE_BOOL_ATTR(scrub_pages, 0644, xen_scrub_pages);`

			`static ssize_t show_target_kb(struct device dev, struct device_attribute attr,`
			`char *buf)`
			`@@ -203,6 +204,7 @@ static struct attribute *balloon_attrs[] = {`
			`&dev_attr_max_schedule_delay.attr.attr,`
			`&dev_attr_retry_count.attr.attr,`
			`&dev_attr_max_retry_count.attr.attr,`
			`+ &dev_attr_scrub_pages.attr.attr,`
			`NULL`
			`};`

			`diff --git a/include/xen/balloon.h b/include/xen/balloon.h`
			`index 61f410fd74e4..0ec832b9ff55 100644`
			`--- a/include/xen/balloon.h`
			`+++ b/include/xen/balloon.h`
			`@@ -21,6 +21,7 @@ struct balloon_stats {`
			`};`

			`extern struct balloon_stats balloon_stats;`
			`+extern bool xen_scrub_pages;`

			`void balloon_set_new_target(unsigned long target);`

			`--`
			`2.17.1`