From: David Hildenbrand <david@redhat.com> To: David Gibson <david@gibson.dropbear.id.au>, Cornelia Huck <cohuck@redhat.com> Cc: qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com, pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson <rth@twiddle.net>, pasic@linux.ibm.com, Eduardo Habkost <ehabkost@redhat.com>, qemu-s390x@nongnu.org Subject: Re: [PATCH v3 0/9] Generalize memory encryption models Date: Thu, 25 Jun 2020 09:06:05 +0200 [thread overview] Message-ID: <025fb54b-60b7-a58b-e3d7-1bbaad152c5c@redhat.com> (raw) In-Reply-To: <20200625052518.GD172395@umbus.fritz.box> >> Still unsure how to bring this new machine property and the cpu feature >> together. Would be great to have the same interface everywhere, but >> having two distinct command line objects depend on each other sucks. > > Kinda, but the reality is that hardware - virtual and otherwise - > frequently doesn't have entirely orthogonal configuration for each of > its components. This is by no means new in that regard. > >> Automatically setting the feature bit if pv is supported complicates >> things further. > > AIUI, on s390 the "unpack" feature is available by default on recent > models. In that case you could do this: > > * Don't modify either cpu or HTL options based on each other > * Bail out if the user specifies a non "unpack" secure CPU along with > the HTL option > > Cases of note: > - User specifies an old CPU model + htl > or explicitly sets unpack=off + htl > => fails with an error, correctly > - User specifies modern/default cpu + htl, with secure aware guest > => works as a secure guest > - User specifies modern/default cpu + htl, with non secure aware guest > => works, though not secure (and maybe slower than neccessary) > - User specifies modern/default cpu, no htl, with non-secure guest > => works, "unpack" feature is present but unused > - User specifies modern/default cpu, no htl, secure guest > => this is the worst one. It kind of works by accident if > you've also manually specified whatever virtio (and > anything else) options are necessary. Ugly, but no > different from the situation right now, IIUC > >> (Is there any requirement that the machine object has been already set >> up before the cpu features are processed? Or the other way around?) > > CPUs are usually created by the machine, so I believe we can count on > the machine object being there first. CPU model initialization is one of the first things machine initialization code does on s390x. static void ccw_init(MachineState *machine) { [... memory init ...] s390_sclp_init(); s390_memory_init(machine->ram); /* init CPUs (incl. CPU model) early so s390_has_feature() works */ s390_init_cpus(machine); [...] } > >> Does this have any implications when probing with the 'none' machine? > > I'm not sure. In your case, I guess the cpu bit would still show up > as before, so it would tell you base feature availability, but not > whether you can use the new configuration option. > > Since the HTL option is generic, you could still set it on the "none" > machine, though it wouldn't really have any effect. That is, if you > could create a suitable object to point it at, which would depend on > ... details. > The important point is that we never want the (expanded) host cpu model look different when either specifying or not specifying the HTL property. We don't want to run into issues where libvirt probes and gets host model X, but when using that probed model (automatically) for a guest domain, we suddenly cannot run X anymore. -- Thanks, David / dhildenb
WARNING: multiple messages have this Message-ID (diff)
From: David Hildenbrand <david@redhat.com> To: David Gibson <david@gibson.dropbear.id.au>, Cornelia Huck <cohuck@redhat.com> Cc: pair@us.ibm.com, brijesh.singh@amd.com, frankja@linux.ibm.com, kvm@vger.kernel.org, mst@redhat.com, qemu-devel@nongnu.org, Eduardo Habkost <ehabkost@redhat.com>, dgilbert@redhat.com, pasic@linux.ibm.com, qemu-s390x@nongnu.org, qemu-ppc@nongnu.org, pbonzini@redhat.com, mdroth@linux.vnet.ibm.com, Richard Henderson <rth@twiddle.net> Subject: Re: [PATCH v3 0/9] Generalize memory encryption models Date: Thu, 25 Jun 2020 09:06:05 +0200 [thread overview] Message-ID: <025fb54b-60b7-a58b-e3d7-1bbaad152c5c@redhat.com> (raw) In-Reply-To: <20200625052518.GD172395@umbus.fritz.box> >> Still unsure how to bring this new machine property and the cpu feature >> together. Would be great to have the same interface everywhere, but >> having two distinct command line objects depend on each other sucks. > > Kinda, but the reality is that hardware - virtual and otherwise - > frequently doesn't have entirely orthogonal configuration for each of > its components. This is by no means new in that regard. > >> Automatically setting the feature bit if pv is supported complicates >> things further. > > AIUI, on s390 the "unpack" feature is available by default on recent > models. In that case you could do this: > > * Don't modify either cpu or HTL options based on each other > * Bail out if the user specifies a non "unpack" secure CPU along with > the HTL option > > Cases of note: > - User specifies an old CPU model + htl > or explicitly sets unpack=off + htl > => fails with an error, correctly > - User specifies modern/default cpu + htl, with secure aware guest > => works as a secure guest > - User specifies modern/default cpu + htl, with non secure aware guest > => works, though not secure (and maybe slower than neccessary) > - User specifies modern/default cpu, no htl, with non-secure guest > => works, "unpack" feature is present but unused > - User specifies modern/default cpu, no htl, secure guest > => this is the worst one. It kind of works by accident if > you've also manually specified whatever virtio (and > anything else) options are necessary. Ugly, but no > different from the situation right now, IIUC > >> (Is there any requirement that the machine object has been already set >> up before the cpu features are processed? Or the other way around?) > > CPUs are usually created by the machine, so I believe we can count on > the machine object being there first. CPU model initialization is one of the first things machine initialization code does on s390x. static void ccw_init(MachineState *machine) { [... memory init ...] s390_sclp_init(); s390_memory_init(machine->ram); /* init CPUs (incl. CPU model) early so s390_has_feature() works */ s390_init_cpus(machine); [...] } > >> Does this have any implications when probing with the 'none' machine? > > I'm not sure. In your case, I guess the cpu bit would still show up > as before, so it would tell you base feature availability, but not > whether you can use the new configuration option. > > Since the HTL option is generic, you could still set it on the "none" > machine, though it wouldn't really have any effect. That is, if you > could create a suitable object to point it at, which would depend on > ... details. > The important point is that we never want the (expanded) host cpu model look different when either specifying or not specifying the HTL property. We don't want to run into issues where libvirt probes and gets host model X, but when using that probed model (automatically) for a guest domain, we suddenly cannot run X anymore. -- Thanks, David / dhildenb
next prev parent reply other threads:[~2020-06-25 7:06 UTC|newest] Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-06-19 2:05 [PATCH v3 0/9] Generalize memory encryption models David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-19 2:05 ` [PATCH v3 1/9] host trust limitation: Introduce new host trust limitation interface David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-26 11:01 ` Dr. David Alan Gilbert 2020-06-26 11:01 ` Dr. David Alan Gilbert 2020-07-14 19:26 ` Richard Henderson 2020-07-14 19:26 ` Richard Henderson 2020-06-19 2:05 ` [PATCH v3 2/9] host trust limitation: Handle memory encryption via interface David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-19 2:05 ` [PATCH v3 3/9] host trust limitation: Move side effect out of machine_set_memory_encryption() David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-19 2:05 ` [PATCH v3 4/9] host trust limitation: Rework the "memory-encryption" property David Gibson 2020-06-19 2:05 ` David Gibson 2020-07-14 19:36 ` Richard Henderson 2020-07-14 19:36 ` Richard Henderson 2020-06-19 2:05 ` [PATCH v3 5/9] host trust limitation: Decouple kvm_memcrypt_*() helpers from KVM David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-19 2:05 ` [PATCH v3 6/9] host trust limitation: Add Error ** to HostTrustLimitation::kvm_init David Gibson 2020-06-19 2:05 ` David Gibson 2020-06-19 2:06 ` [PATCH v3 7/9] spapr: Add PEF based host trust limitation David Gibson 2020-06-19 2:06 ` David Gibson 2020-06-19 2:06 ` [PATCH v3 8/9] spapr: PEF: block migration David Gibson 2020-06-19 2:06 ` David Gibson 2020-06-26 10:33 ` Dr. David Alan Gilbert 2020-06-26 10:33 ` Dr. David Alan Gilbert 2020-07-05 7:38 ` David Gibson 2020-07-05 7:38 ` David Gibson 2020-06-19 2:06 ` [PATCH v3 9/9] host trust limitation: Alter virtio default properties for protected guests David Gibson 2020-06-19 2:06 ` David Gibson 2020-06-19 10:12 ` Daniel P. Berrangé 2020-06-19 10:12 ` Daniel P. Berrangé 2020-06-19 11:46 ` Michael S. Tsirkin 2020-06-19 11:46 ` Michael S. Tsirkin 2020-06-19 11:47 ` Michael S. Tsirkin 2020-06-19 11:47 ` Michael S. Tsirkin 2020-06-19 12:16 ` Daniel P. Berrangé 2020-06-19 12:16 ` Daniel P. Berrangé 2020-06-19 20:04 ` Halil Pasic 2020-06-19 20:04 ` Halil Pasic 2020-06-24 7:55 ` Michael S. Tsirkin 2020-06-24 7:55 ` Michael S. Tsirkin 2020-06-25 4:57 ` David Gibson 2020-06-25 4:57 ` David Gibson 2020-06-25 5:02 ` David Gibson 2020-06-25 5:02 ` David Gibson 2020-06-19 14:45 ` David Gibson 2020-06-19 14:45 ` David Gibson 2020-06-19 15:05 ` Daniel P. Berrangé 2020-06-19 15:05 ` Daniel P. Berrangé 2020-06-20 8:24 ` David Gibson 2020-06-20 8:24 ` David Gibson 2020-06-22 9:09 ` Daniel P. Berrangé 2020-06-22 9:09 ` Daniel P. Berrangé 2020-06-25 5:06 ` David Gibson 2020-06-25 5:06 ` David Gibson 2020-06-19 2:42 ` [PATCH v3 0/9] Generalize memory encryption models no-reply 2020-06-19 2:42 ` no-reply 2020-06-19 8:28 ` David Hildenbrand 2020-06-19 8:28 ` David Hildenbrand 2020-06-19 9:45 ` Cornelia Huck 2020-06-19 9:45 ` Cornelia Huck 2020-06-19 9:56 ` David Hildenbrand 2020-06-19 9:56 ` David Hildenbrand 2020-06-19 10:05 ` Cornelia Huck 2020-06-19 10:05 ` Cornelia Huck 2020-06-19 10:10 ` David Hildenbrand 2020-06-19 10:10 ` David Hildenbrand 2020-06-22 12:02 ` Cornelia Huck 2020-06-22 12:02 ` Cornelia Huck 2020-06-25 5:25 ` David Gibson 2020-06-25 5:25 ` David Gibson 2020-06-25 7:06 ` David Hildenbrand [this message] 2020-06-25 7:06 ` David Hildenbrand 2020-06-26 4:42 ` David Gibson 2020-06-26 4:42 ` David Gibson 2020-06-26 6:53 ` David Hildenbrand 2020-06-26 6:53 ` David Hildenbrand 2020-06-26 9:01 ` Janosch Frank 2020-06-26 9:01 ` Janosch Frank 2020-06-26 9:32 ` Daniel P. Berrangé 2020-06-26 9:32 ` Daniel P. Berrangé 2020-06-26 9:49 ` Janosch Frank 2020-06-26 9:49 ` Janosch Frank 2020-06-26 10:29 ` Dr. David Alan Gilbert 2020-06-26 10:29 ` Dr. David Alan Gilbert 2020-06-26 10:58 ` Daniel P. Berrangé 2020-06-26 10:58 ` Daniel P. Berrangé 2020-06-26 12:49 ` Janosch Frank 2020-06-26 12:49 ` Janosch Frank 2020-07-01 11:59 ` Halil Pasic 2020-07-01 11:59 ` Halil Pasic 2020-06-19 9:48 ` David Gibson 2020-06-19 9:48 ` David Gibson 2020-06-19 10:04 ` David Hildenbrand 2020-06-19 10:04 ` David Hildenbrand 2020-06-25 5:42 ` David Gibson 2020-06-25 5:42 ` David Gibson 2020-06-25 6:59 ` David Hildenbrand 2020-06-25 6:59 ` David Hildenbrand 2020-06-25 9:49 ` Cornelia Huck 2020-06-25 9:49 ` Cornelia Huck 2020-06-22 14:27 ` Christian Borntraeger 2020-06-22 14:27 ` Christian Borntraeger 2020-06-24 7:06 ` Cornelia Huck 2020-06-24 7:06 ` Cornelia Huck 2020-06-25 5:47 ` David Gibson 2020-06-25 5:47 ` David Gibson 2020-06-25 5:48 ` David Gibson 2020-06-25 5:48 ` David Gibson 2020-06-25 5:44 ` David Gibson 2020-06-25 5:44 ` David Gibson
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=025fb54b-60b7-a58b-e3d7-1bbaad152c5c@redhat.com \ --to=david@redhat.com \ --cc=brijesh.singh@amd.com \ --cc=cohuck@redhat.com \ --cc=david@gibson.dropbear.id.au \ --cc=dgilbert@redhat.com \ --cc=ehabkost@redhat.com \ --cc=frankja@linux.ibm.com \ --cc=kvm@vger.kernel.org \ --cc=marcel.apfelbaum@gmail.com \ --cc=mdroth@linux.vnet.ibm.com \ --cc=mst@redhat.com \ --cc=pair@us.ibm.com \ --cc=pasic@linux.ibm.com \ --cc=pbonzini@redhat.com \ --cc=qemu-devel@nongnu.org \ --cc=qemu-ppc@nongnu.org \ --cc=qemu-s390x@nongnu.org \ --cc=rth@twiddle.net \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.