From: Peter Maydell <peter.maydell@linaro.org>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Steven Price <steven.price@arm.com>,
David Gibson <dgibson@redhat.com>, Haibo Xu <haibo.xu@linaro.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
Juan Quintela <quintela@redhat.com>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 17:10:06 +0000 [thread overview]
Message-ID: <CAFEAcA9mq0xh1CNvw9UZoNwcOBuoVnCNcBkRDSUv7UK27qdESg@mail.gmail.com> (raw)
In-Reply-To: <20201207164428.GD3135@work-vm>
On Mon, 7 Dec 2020 at 16:44, Dr. David Alan Gilbert <dgilbert@redhat.com> wrote:
> * Steven Price (steven.price@arm.com) wrote:
> > Sorry, I know I simplified it rather by saying it's similar to protected VM.
> > Basically as I see it there are three types of memory access:
> >
> > 1) Debug case - has to go via a special case for decryption or ignoring the
> > MTE tag value. Hopefully this can be abstracted in the same way.
> >
> > 2) Migration - for a protected VM there's likely to be a special method to
> > allow the VMM access to the encrypted memory (AFAIK memory is usually kept
> > inaccessible to the VMM). For MTE this again has to be special cased as we
> > actually want both the data and the tag values.
> >
> > 3) Device DMA - for a protected VM it's usual to unencrypt a small area of
> > memory (with the permission of the guest) and use that as a bounce buffer.
> > This is possible with MTE: have an area the VMM purposefully maps with
> > PROT_MTE. The issue is that this has a performance overhead and we can do
> > better with MTE because it's trivial for the VMM to disable the protection
> > for any memory.
>
> Those all sound very similar to the AMD SEV world; there's the special
> case for Debug that Peter mentioned; migration is ...complicated and
> needs special case that's still being figured out, and as I understand
> Device DMA also uses a bounce buffer (and swiotlb in the guest to make
> that happen).
Mmm, but for encrypted VMs the VM has to jump through all these
hoops because "don't let the VM directly access arbitrary guest RAM"
is the whole point of the feature. For MTE, we don't want in general
to be doing tag-checked accesses to guest RAM and there is nothing
in the feature "allow guests to use MTE" that requires that the VMM's
guest RAM accesses must do tag-checking. So we should avoid having
a design that require us to jump through all the hoops. Even if
it happens that handling encrypted VMs means that QEMU has to grow
some infrastructure for carefully positioning hoops in appropriate
places, we shouldn't use it unnecessarily... All we actually need is
a mechanism for migrating the tags: I don't think there's ever a
situation where you want tag-checking enabled for the VMM's accesses
to the guest RAM.
thanks
-- PMM
WARNING: multiple messages have this Message-ID (diff)
From: Peter Maydell <peter.maydell@linaro.org>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Juan Quintela <quintela@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
Steven Price <steven.price@arm.com>,
Haibo Xu <haibo.xu@linaro.org>,
Catalin Marinas <catalin.marinas@arm.com>,
David Gibson <dgibson@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 17:10:06 +0000 [thread overview]
Message-ID: <CAFEAcA9mq0xh1CNvw9UZoNwcOBuoVnCNcBkRDSUv7UK27qdESg@mail.gmail.com> (raw)
In-Reply-To: <20201207164428.GD3135@work-vm>
On Mon, 7 Dec 2020 at 16:44, Dr. David Alan Gilbert <dgilbert@redhat.com> wrote:
> * Steven Price (steven.price@arm.com) wrote:
> > Sorry, I know I simplified it rather by saying it's similar to protected VM.
> > Basically as I see it there are three types of memory access:
> >
> > 1) Debug case - has to go via a special case for decryption or ignoring the
> > MTE tag value. Hopefully this can be abstracted in the same way.
> >
> > 2) Migration - for a protected VM there's likely to be a special method to
> > allow the VMM access to the encrypted memory (AFAIK memory is usually kept
> > inaccessible to the VMM). For MTE this again has to be special cased as we
> > actually want both the data and the tag values.
> >
> > 3) Device DMA - for a protected VM it's usual to unencrypt a small area of
> > memory (with the permission of the guest) and use that as a bounce buffer.
> > This is possible with MTE: have an area the VMM purposefully maps with
> > PROT_MTE. The issue is that this has a performance overhead and we can do
> > better with MTE because it's trivial for the VMM to disable the protection
> > for any memory.
>
> Those all sound very similar to the AMD SEV world; there's the special
> case for Debug that Peter mentioned; migration is ...complicated and
> needs special case that's still being figured out, and as I understand
> Device DMA also uses a bounce buffer (and swiotlb in the guest to make
> that happen).
Mmm, but for encrypted VMs the VM has to jump through all these
hoops because "don't let the VM directly access arbitrary guest RAM"
is the whole point of the feature. For MTE, we don't want in general
to be doing tag-checked accesses to guest RAM and there is nothing
in the feature "allow guests to use MTE" that requires that the VMM's
guest RAM accesses must do tag-checking. So we should avoid having
a design that require us to jump through all the hoops. Even if
it happens that handling encrypted VMs means that QEMU has to grow
some infrastructure for carefully positioning hoops in appropriate
places, we shouldn't use it unnecessarily... All we actually need is
a mechanism for migrating the tags: I don't think there's ever a
situation where you want tag-checking enabled for the VMM's accesses
to the guest RAM.
thanks
-- PMM
WARNING: multiple messages have this Message-ID (diff)
From: Peter Maydell <peter.maydell@linaro.org>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Juan Quintela <quintela@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
Steven Price <steven.price@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
David Gibson <dgibson@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 17:10:06 +0000 [thread overview]
Message-ID: <CAFEAcA9mq0xh1CNvw9UZoNwcOBuoVnCNcBkRDSUv7UK27qdESg@mail.gmail.com> (raw)
In-Reply-To: <20201207164428.GD3135@work-vm>
On Mon, 7 Dec 2020 at 16:44, Dr. David Alan Gilbert <dgilbert@redhat.com> wrote:
> * Steven Price (steven.price@arm.com) wrote:
> > Sorry, I know I simplified it rather by saying it's similar to protected VM.
> > Basically as I see it there are three types of memory access:
> >
> > 1) Debug case - has to go via a special case for decryption or ignoring the
> > MTE tag value. Hopefully this can be abstracted in the same way.
> >
> > 2) Migration - for a protected VM there's likely to be a special method to
> > allow the VMM access to the encrypted memory (AFAIK memory is usually kept
> > inaccessible to the VMM). For MTE this again has to be special cased as we
> > actually want both the data and the tag values.
> >
> > 3) Device DMA - for a protected VM it's usual to unencrypt a small area of
> > memory (with the permission of the guest) and use that as a bounce buffer.
> > This is possible with MTE: have an area the VMM purposefully maps with
> > PROT_MTE. The issue is that this has a performance overhead and we can do
> > better with MTE because it's trivial for the VMM to disable the protection
> > for any memory.
>
> Those all sound very similar to the AMD SEV world; there's the special
> case for Debug that Peter mentioned; migration is ...complicated and
> needs special case that's still being figured out, and as I understand
> Device DMA also uses a bounce buffer (and swiotlb in the guest to make
> that happen).
Mmm, but for encrypted VMs the VM has to jump through all these
hoops because "don't let the VM directly access arbitrary guest RAM"
is the whole point of the feature. For MTE, we don't want in general
to be doing tag-checked accesses to guest RAM and there is nothing
in the feature "allow guests to use MTE" that requires that the VMM's
guest RAM accesses must do tag-checking. So we should avoid having
a design that require us to jump through all the hoops. Even if
it happens that handling encrypted VMs means that QEMU has to grow
some infrastructure for carefully positioning hoops in appropriate
places, we shouldn't use it unnecessarily... All we actually need is
a mechanism for migrating the tags: I don't think there's ever a
situation where you want tag-checking enabled for the VMM's accesses
to the guest RAM.
thanks
-- PMM
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Peter Maydell <peter.maydell@linaro.org>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Juan Quintela <quintela@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
Steven Price <steven.price@arm.com>,
Haibo Xu <haibo.xu@linaro.org>,
Catalin Marinas <catalin.marinas@arm.com>,
David Gibson <dgibson@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 17:10:06 +0000 [thread overview]
Message-ID: <CAFEAcA9mq0xh1CNvw9UZoNwcOBuoVnCNcBkRDSUv7UK27qdESg@mail.gmail.com> (raw)
In-Reply-To: <20201207164428.GD3135@work-vm>
On Mon, 7 Dec 2020 at 16:44, Dr. David Alan Gilbert <dgilbert@redhat.com> wrote:
> * Steven Price (steven.price@arm.com) wrote:
> > Sorry, I know I simplified it rather by saying it's similar to protected VM.
> > Basically as I see it there are three types of memory access:
> >
> > 1) Debug case - has to go via a special case for decryption or ignoring the
> > MTE tag value. Hopefully this can be abstracted in the same way.
> >
> > 2) Migration - for a protected VM there's likely to be a special method to
> > allow the VMM access to the encrypted memory (AFAIK memory is usually kept
> > inaccessible to the VMM). For MTE this again has to be special cased as we
> > actually want both the data and the tag values.
> >
> > 3) Device DMA - for a protected VM it's usual to unencrypt a small area of
> > memory (with the permission of the guest) and use that as a bounce buffer.
> > This is possible with MTE: have an area the VMM purposefully maps with
> > PROT_MTE. The issue is that this has a performance overhead and we can do
> > better with MTE because it's trivial for the VMM to disable the protection
> > for any memory.
>
> Those all sound very similar to the AMD SEV world; there's the special
> case for Debug that Peter mentioned; migration is ...complicated and
> needs special case that's still being figured out, and as I understand
> Device DMA also uses a bounce buffer (and swiotlb in the guest to make
> that happen).
Mmm, but for encrypted VMs the VM has to jump through all these
hoops because "don't let the VM directly access arbitrary guest RAM"
is the whole point of the feature. For MTE, we don't want in general
to be doing tag-checked accesses to guest RAM and there is nothing
in the feature "allow guests to use MTE" that requires that the VMM's
guest RAM accesses must do tag-checking. So we should avoid having
a design that require us to jump through all the hoops. Even if
it happens that handling encrypted VMs means that QEMU has to grow
some infrastructure for carefully positioning hoops in appropriate
places, we shouldn't use it unnecessarily... All we actually need is
a mechanism for migrating the tags: I don't think there's ever a
situation where you want tag-checking enabled for the VMM's accesses
to the guest RAM.
thanks
-- PMM
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-12-07 17:11 UTC|newest]
Thread overview: 152+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 15:38 [PATCH v5 0/2] MTE support for KVM guest Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:39 ` [PATCH v5 1/2] arm64: kvm: Save/restore MTE registers Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` [PATCH v5 2/2] arm64: kvm: Introduce MTE VCPU feature Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:45 ` [PATCH v5 0/2] MTE support for KVM guest Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:45 ` Steven Price
2020-12-07 15:45 ` Steven Price
2020-12-07 15:45 ` Steven Price
2020-12-07 15:45 ` Steven Price
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 17:10 ` Peter Maydell [this message]
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFEAcA9mq0xh1CNvw9UZoNwcOBuoVnCNcBkRDSUv7UK27qdESg@mail.gmail.com \
--to=peter.maydell@linaro.org \
--cc=Dave.Martin@arm.com \
--cc=catalin.marinas@arm.com \
--cc=dgibson@redhat.com \
--cc=dgilbert@redhat.com \
--cc=haibo.xu@linaro.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=richard.henderson@linaro.org \
--cc=steven.price@arm.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.