Xen Memory Management

• All low-level memory operations go through Xen.
• Guest OSes are responsible for allocating and initializing PTs for processes (restricted to read only access)
  • allocates and initialize a page and register it with Xen to serve as the new PT
• Direct page writes are intercepted, validated and applied by the Xen VMM
  • update can be batched into a single hypercall (reduce cost of entering/exiting Xen)
• page_info struct associated with each machine page frame
  • page type (none, l1, l2, l3, l4, LDT, GDT, RW)
  • reference count – number of references to the page
  • page frame can be reused only when unpinned and its reference count is zero
• Each domain has a maximum and current memory allocation
  • max allocation is set at domain creation time and cannot be modified
• PT updates
  • hypercall –> mmu_update()
  • writable page tables –> vm_assist()

• Xen exists in the top 64MB (0xFC000000 – 0xFFFFFFFF) section of every guest virtual address space (TLB flush avoided when entering/leaving the hypervisor)
  • not accessible or remappable by guest OSes.
• “fast handler” for system calls - direct access from app into guest OS, without going through Xen
  • muse execute outside Ring 0
• Each guest supports a “ballon” memory management driver - that is used by the VMM to dynamically adjust the guest’s memory usage
• Page fault handling
  • faulting address is written into an extended stack frame on the guest OS stack (normally the faulting address is read from a privileged processor register (CR2))
• In terms of page protection, Ring1/2 are considered to be part of ‘supervisor mode’. The WP bit in CR0 controls whether read-only restrictions are respected in supervisor mode – if the bit is clear then any mapped page is writable. Xen gets around this by always setting the WP bit and disallowing updates to it. xen/arch/x86/boot/x86_32.S#153
• Xen provides a domain with a list of machine frames during bootstrapping, and it is the domain’s responsibility to create the pseudo-physical address space from this

No guarantee that a domain will receive a contiguous stretch of physical memory. Most OSes do not have good support for operating in a fragmented physical address space.

• Machine memory
  • entire amount of memory installed in the machine (physical memory)
  • 4kB machine page frames numbered consecutively starting from 0.

• Pseudo-physical memory
  • per-domain abstraction.
  • allows a guest OS to consider its memory allocation to consist of a contiguous range of physical page frames starting at physical frame 0.

• machine-to-physical table
  • globally readable table maintained by Xen
  • records the mapping from machine addresses to pseudo-physical addresses
  • table size is proportional to the amount of RAM installed in the machine

• physical-to-machine table
  • per-domain table which performs the inverse (physical-to-machine) mapping.
  • table size is proportional to the memory allocation of the given domain.

---

(XEN) VIRTUAL MEMORY ARRANGEMENT (for DOM0)
(XEN) Loaded kernel: c0100000→c042e254
(XEN) Init. ramdisk: c042f000→c07fca00
(XEN) Phys-Mach map: c07fd000→c086e894 == 454 MB (as can be verified by: xm list)
(XEN) Start info: c086f000→c0870000
(XEN) Page tables: c0870000→c0874000 == 16 MB
(XEN) Boot stack: c0874000→c0875000
(XEN) TOTAL: c0000000→c0c00000 
(XEN) ENTRY ADDRESS: c0100000

---

x86-32 Xen supports only guests with 2-level page tables. PGD = l2, PTE =l1

---

How to intercept interrupts from guest domains
http://lists.xensource.com/archives/html/xen-devel/2006-09/msg00597.html
http://lists.xensource.com/archives/html/xen-devel/2006-09/msg00604.html

Page fault handling for Xen guests
http://lists.xensource.com/archives/html/xen-devel/2006-02/msg00263.html

show pagetable walk if guest cannot handle page
http://lists.xensource.com/archives/html/xen-devel/2006-09/msg00612.html

Memory management, mapping, paging questions...
http://lists.xensource.com/archives/html/xen-devel/2006-10/msg01151.html

Information related to shadowing
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00319.html
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00793.html
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00802.html

How to intercept memory operation in Xen
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00659.html
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00664.html
http://lists.xensource.com/archives/html/xen-devel/2006-11/msg00717.html

alert message from dom0 to domU
http://lists.xensource.com/archives/html/xen-devel/2006-12/msg00967.html

Share Memory Between DomainU and Domain0
http://lists.xensource.com/archives/html/xen-devel/2006-12/msg01008.html

Call hypercall straightly from user space
http://lists.xensource.com/archives/html/xen-devel/2006-12/msg01061.html

---

xen/arch/x86/traps.c#do_page_fault –> fixup_page_fault –> mm.c#ptwr_do_page_fault

---

xen-3.0.2-2/xen/arch/x86/setup.c#__start_xen()
                |                                 \
                v                                  \
xen-3.0.2-2/xen/common/domain.c#domain_create()     \
                |                                    \
                v                                     \
xen-3.0.2-2/xen/arch/x86/domain.c#arch_domain_create() \
                                                        \
                                                         v
                xen-3.0.2-2/xen/arch/x86/domain_build.c#construct_dom0()

Xen-ELF image vmlinux-syms-2.6.16-xen has a special'__xen_guest' section


Xen hypercall table:
/xen-3.0.2-2/xen/arch/x86/x86_32/entry.S


#I think this is called when DOM0 attempts to create a DOMU
xen-3.0.2-2/xen/common/dom0_ops.c#do_dom0_op()




trousers-0.2.7/src/tspi/spi_tpm.c#Tspi_TPM_Quote()
                |
                v
trousers-0.2.7/src/tcsd_api/calltcsapi.c#TCSP_Quote()
                |
                v
trousers-0.2.7/src/tcsd_api/tcstp.c#TCSP_Quote_TP()
                |
                v
trousers-0.2.7/src/tcsd_api/tcstp.c#sendTCSDPacket()

原文：https://wiki.cs.dartmouth.edu/nihal/doku.php/xen:memory

一.x86_64是怎么嵌入到Dom0的线性空间的
IA32是通过段保护机制做到的：高64M为Ring-0的Xen空间；
1G-64M为Kernel的Ring-1空间；
其他的3G给Application

x86_64没有段保护机制，必须用页保护机制：2^64-2^47 --> 2^64 == 内核空间
0 --> 2^47 == 用户空间
中间空的部分可以作为他用 == 被Xen用了

二.Xen采用直接模式 == Guest OS使用自己的页表直接访问HPA
方法: 页表里的内容为HPA；页表项Guest OS只可读；普通的页Guest OS可直接读写。
一旦更新引起Page异常。如果想要更新/操作页表，可以调用相应的Hypercall。
VMM也能保证Guest OS只能访问自己的内存。

Guest OS操作内存的流程：
1.Guest OS访问一个新内存地址(GVA)，PageFault ==> 更新Guest OS的页表
2.Guest OS先找到页表的GPA,VMM根据GPA找到该GPA对应的HPA(通过P2M)
==> 相当于页表更新，调用页表更新的Hypercall(GPA,HPA)
3.如果子页表不存在，需要挂接该子页
==> 相当于页表挂接操作，调用页表操作的Hypercall(线性地址，HPA)
4.访问该PT表，重复以上2-3步，最终得到一个GVA==>HPA的地址

三.可写页表
由于对页表的操作开销比较大(每次都要进行Hypercall调用)，在某些情况下可以改进它()。
方法是:先把页表(实际上只要把总表PD表)拿下来，不让别人访问，把它作为Guest OS的普通的可读写页
Guest OS随便更改，很多次更改完成后，最后提交给Hypercall，让VMM一次完全的完成更新操作。
前提：PAE模式。因为PDE只有一个PD页。

四.Balloon驱动（存在的Dom0和DomU中）
为Dom0和DomU申请/释放内存
可以查看自己和全Machine的内存状况
Balloon驱动根据设置在XenStore的中的目标值来自动调整它的内存的大小。

五.共享页是怎么实现的
Start Info Page(包括里面的内容)是VMM在Domain初始化时拼成的，它的内容包括了Shared Info Page和XenStore的连接，进入Domain的前几件事就是把本Doamin的Shared Info Page利用页表更新上真正VMM已经分配了的存在Start Info Page。
HVM的PV驱动(主要是)当然也要用Shared Info Page，它的Shared Info Page是自己拼成的。

4.就算是Dom0利用VT-x不也很好吗，用了吗？
没有用，半虚拟化不需要用VT-x技术，目的是为了提高系统的性能
5.PAE模式是什么，有什么影响
物理地址扩展 (PAE) 允许将最多64GB 的物理内存用作常规的4KB 页面，并扩展内核能使用的位数以将物理内存地址从32扩展到36。

Dom0只有在迁移的时候才用到影子页表，其他时候都用直接访问物理内存。

注释：
gpfn/gfn: guset page frame number 客户物理页面号(客户操作系统使用gpfn/gfn对客户物理地址空间寻址)
mfn: machine page frame number 机器页面号
smfn: machine page frame number for shadow pages shadow页面所在的机器页面号
l1e: level 1 page table entry 
gl1e: level 1 guest page table entry
sl1e: level 1 shadow page table entry 一级shadow页表项
PV: para-virtualization
HVM: Hardware assistant Virtual Machine