From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Steve Rutherford <srutherford@google.com>,
Ashish Kalra <Ashish.Kalra@amd.com>
Cc: thomas.lendacky@amd.com, brijesh.singh@amd.com,
ehabkost@redhat.com, kvm@vger.kernel.org, mst@redhat.com,
tobin@ibm.com, jejb@linux.ibm.com, richard.henderson@linaro.org,
qemu-devel@nongnu.org, dgilbert@redhat.com, frankeh@us.ibm.com,
dovmurik@linux.vnet.ibm.com
Subject: Re: [RFC PATCH 00/13] Add support for Mirror VM.
Date: Tue, 17 Aug 2021 16:50:53 -0400 [thread overview]
Message-ID: <37796fd1-bbc2-f22c-b786-eb44f4d473b9@linux.ibm.com> (raw)
In-Reply-To: <0fcfafde-a690-f53a-01fc-542054948bb2@redhat.com>
On 8/17/21 12:32 PM, Paolo Bonzini wrote:
> On 17/08/21 01:53, Steve Rutherford wrote:
>> Separately, I'm a little weary of leaving the migration helper mapped
>> into the shared address space as writable.
>
> A related question here is what the API should be for how the
> migration helper sees the memory in both physical and virtual address.
>
> First of all, I would like the addresses passed to and from the
> migration helper to *not* be guest physical addresses (this is what I
> referred to as QEMU's ram_addr_t in other messages). The reason is
> that some unmapped memory regions, such as virtio-mem hotplugged
> memory, would still have to be transferred and could be encrypted.
> While the guest->host hypercall interface uses guest physical
> addresses to communicate which pages are encrypted, the host can do
> the GPA->ram_addr_t conversion and remember the encryption status of
> currently-unmapped regions.
>
> This poses a problem, in that the guest needs to prepare the page
> tables for the migration helper and those need to use the migration
> helper's physical address space.
>
> There's three possibilities for this:
>
> 1) the easy one: the bottom 4G of guest memory are mapped in the
> mirror VM 1:1. The ram_addr_t-based addresses are shifted by either
> 4G or a huge value such as 2^42 (MAXPHYADDR - physical address
> reduction - 1). This even lets the migration helper reuse the OVMF
> runtime services memory map (but be careful about thread safety...).
This is essentially what we do in our prototype, although we have an
even simpler approach. We have a 1:1 mapping that maps an address to
itself with the cbit set. During Migration QEMU asks the migration
handler to import/export encrypted pages and provides the GPA for said
page. Since the migration handler only exports/imports encrypted pages,
we can have the cbit set for every page in our mapping. We can still use
OVMF functions with these mappings because they are on encrypted pages.
The MH does need to use a few shared pages (to communicate with QEMU,
for instance), so we have another mapping without the cbit that is at a
large offset.
I think this is basically equivalent to what you suggest. As you point
out above, this approach does require that any page that will be
exported/imported by the MH is mapped in the guest. Is this a bad
assumption? The VMSA for SEV-ES is one example of a region that is
encrypted but not mapped in the guest (the PSP handles it directly). We
have been planning to map the VMSA into the guest to support migration
with SEV-ES (along with other changes).
> 2) the more future-proof one. Here, the migration helper tells QEMU
> which area to copy from the guest to the mirror VM, as a (main GPA,
> length, mirror GPA) tuple. This could happen for example the first
> time the guest writes 1 to MSR_KVM_MIGRATION_CONTROL. When migration
> starts, QEMU uses this information to issue KVM_SET_USER_MEMORY_REGION
> accordingly. The page tables are built for this (usually very high)
> mirror GPA and the migration helper operates in a completely separate
> address space. However, the backing memory would still be shared
> between the main and mirror VMs. I am saying this is more future
> proof because we have more flexibility in setting up the physical
> address space of the mirror VM.
The Migration Handler in OVMF is not a contiguous region of memory. The
MH uses OVMF helper functions that are allocated in various regions of
runtime memory. I guess I can see how separating the memory of the MH
and the guest OS could be positive. On the other hand, since the MH is
in OVMF, it is fundamentally designed to coexist with the guest OS.
What do you envision in terms of future changes to the mirror address space?
> 3) the paranoid one, which I think is what you hint at above: this is
> an extension of (2), where userspace invokes the PSP send/receive API
> to copy the small requested area of the main VM into the mirror VM.
> The mirror VM code and data are completely separate from the main VM.
> All that the mirror VM shares is the ram_addr_t data. Though I am not
> even sure it is possible to use the send/receive API this way...
Yeah not sure if you could use the PSP for this.
-Tobin
>
> What do you think?
>
> Paolo
>
>
next prev parent reply other threads:[~2021-08-17 20:51 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-16 13:25 [RFC PATCH 00/13] Add support for Mirror VM Ashish Kalra
2021-08-16 13:26 ` [RFC PATCH 01/13] machine: Add mirrorvcpus=N suboption to -smp Ashish Kalra
2021-08-16 21:23 ` Eric Blake
2021-08-16 13:27 ` [RFC PATCH 02/13] hw/boards: Add mirror_vcpu flag to CPUArchId Ashish Kalra
2021-08-16 13:27 ` [RFC PATCH 03/13] hw/i386: Mark mirror vcpus in possible_cpus Ashish Kalra
2021-08-16 13:27 ` [RFC PATCH 04/13] hw/acpi: Don't include mirror vcpus in ACPI tables Ashish Kalra
2021-08-16 13:28 ` [RFC PATCH 05/13] cpu: Add boolean mirror_vcpu field to CPUState Ashish Kalra
2021-08-16 13:28 ` [RFC PATCH 06/13] hw/i386: Set CPUState.mirror_vcpu=true for mirror vcpus Ashish Kalra
2021-08-16 13:29 ` [RFC PATCH 07/13] kvm: Add Mirror VM ioctl and enable cap interfaces Ashish Kalra
2021-08-16 13:29 ` [RFC PATCH 08/13] kvm: Add Mirror VM support Ashish Kalra
2021-08-16 13:29 ` [RFC PATCH 09/13] kvm: create Mirror VM and share primary VM's encryption context Ashish Kalra
2021-08-16 13:30 ` [RFC PATCH 10/13] softmmu/cpu: Skip mirror vcpu's for pause, resume and synchronization Ashish Kalra
2021-08-16 13:30 ` [RFC PATCH 11/13] kvm/apic: Disable in-kernel APIC support for mirror vcpu's Ashish Kalra
2021-08-16 13:31 ` [RFC PATCH 12/13] hw/acpi: disable modern CPU hotplug interface " Ashish Kalra
2021-08-16 13:31 ` [RFC PATCH 13/13] hw/i386/pc: reduce fw_cfg boot cpu count taking into account " Ashish Kalra
2021-08-16 14:01 ` [RFC PATCH 00/13] Add support for Mirror VM Claudio Fontana
2021-08-16 14:15 ` Paolo Bonzini
2021-08-16 14:23 ` Daniel P. Berrangé
2021-08-16 15:00 ` Paolo Bonzini
2021-08-16 15:16 ` Daniel P. Berrangé
2021-08-16 15:35 ` Paolo Bonzini
2021-08-16 14:44 ` Ashish Kalra
2021-08-16 14:58 ` Paolo Bonzini
2021-08-16 15:13 ` Ashish Kalra
2021-08-16 15:38 ` Paolo Bonzini
2021-08-16 15:48 ` Dr. David Alan Gilbert
2021-08-18 10:31 ` Ashish Kalra
2021-08-18 11:25 ` James Bottomley
2021-08-18 15:31 ` Dr. David Alan Gilbert
2021-08-18 15:35 ` James Bottomley
2021-08-18 15:43 ` Dr. David Alan Gilbert
2021-08-18 16:28 ` James Bottomley
2021-08-18 17:30 ` Dr. David Alan Gilbert
2021-08-18 18:51 ` James Bottomley
2021-08-16 17:23 ` Dr. David Alan Gilbert
2021-08-16 23:53 ` Steve Rutherford
2021-08-17 7:05 ` Michael S. Tsirkin
2021-08-17 8:38 ` Dr. David Alan Gilbert
2021-08-17 14:08 ` Ashish Kalra
2021-08-17 16:32 ` Paolo Bonzini
2021-08-17 20:50 ` Tobin Feldman-Fitzthum [this message]
2021-08-17 22:04 ` Steve Rutherford
2021-08-18 15:32 ` Tobin Feldman-Fitzthum
2021-08-18 19:04 ` Dr. David Alan Gilbert
2021-08-18 21:42 ` Tobin Feldman-Fitzthum
2021-08-19 8:22 ` Dr. David Alan Gilbert
2021-08-19 14:06 ` James Bottomley
2021-08-19 14:28 ` Dr. David Alan Gilbert
2021-08-19 22:10 ` James Bottomley
2021-08-23 12:26 ` Dr. David Alan Gilbert
2021-08-23 16:28 ` Tobin Feldman-Fitzthum
2021-08-19 14:07 ` Tobin Feldman-Fitzthum
2021-08-17 23:20 ` Paolo Bonzini
2021-08-17 21:54 ` Steve Rutherford
2021-08-17 22:37 ` Paolo Bonzini
2021-08-17 22:57 ` James Bottomley
2021-08-17 23:10 ` Steve Rutherford
2021-08-18 2:49 ` James Bottomley
2021-08-18 14:06 ` Ashish Kalra
2021-08-18 17:07 ` Ashish Kalra
2021-08-16 15:07 Tobin Feldman-Fitzthum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=37796fd1-bbc2-f22c-b786-eb44f4d473b9@linux.ibm.com \
--to=tobin@linux.ibm.com \
--cc=Ashish.Kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=dgilbert@redhat.com \
--cc=dovmurik@linux.vnet.ibm.com \
--cc=ehabkost@redhat.com \
--cc=frankeh@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=srutherford@google.com \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).