From: Alison Schofield <alison.schofield@intel.com>
To: "Huang, Kai" <kai.huang@intel.com>
Cc: "dhowells@redhat.com" <dhowells@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
"Shutemov, Kirill" <kirill.shutemov@intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
"Sakkinen, Jarkko" <jarkko.sakkinen@intel.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys
Date: Mon, 10 Sep 2018 21:47:32 +0000 [thread overview]
Message-ID: <20180910214731.GA29337@alison-desk.jf.intel.com> (raw)
In-Reply-To: <105F7BF4D0229846AF094488D65A098935424C2D@PGSMSX112.gar.corp.intel.com>
On Sun, Sep 09, 2018 at 08:29:29PM -0700, Huang, Kai wrote:
> > -----Original Message-----
> > From: keyrings-owner@vger.kernel.org [mailto:keyrings-
> > owner@vger.kernel.org] On Behalf Of Alison Schofield
> > Sent: Saturday, September 8, 2018 10:39 AM
> > To: dhowells@redhat.com; tglx@linutronix.de
> > Cc: Huang, Kai <kai.huang@intel.com>; Nakajima, Jun
> > <jun.nakajima@intel.com>; Shutemov, Kirill <kirill.shutemov@intel.com>;
> > Hansen, Dave <dave.hansen@intel.com>; Sakkinen, Jarkko
> > <jarkko.sakkinen@intel.com>; jmorris@namei.org; keyrings@vger.kernel.org;
> > linux-security-module@vger.kernel.org; mingo@redhat.com; hpa@zytor.com;
> > x86@kernel.org; linux-mm@kvack.org
> > Subject: [RFC 11/12] keys/mktme: Add a new key service type for memory
> > encryption keys
> >
> > MKTME (Multi-Key Total Memory Encryption) is a technology that allows
> > transparent memory encryption in upcoming Intel platforms. MKTME will
> > support mulitple encryption domains, each having their own key. The main use
> > case for the feature is virtual machine isolation. The API needs the flexibility to
> > work for a wide range of uses.
> >
> > The MKTME key service type manages the addition and removal of the memory
> > encryption keys. It maps software keys to hardware keyids and programs the
> > hardware with the user requested encryption options.
> >
> > The only supported encryption algorithm is AES-XTS 128.
> >
> > The MKTME key service is half of the MKTME API level solution. It pairs with a
> > new memory encryption system call: encrypt_mprotect() that uses the keys to
> > encrypt memory.
> >
Kai -
Splitting out responses by subject...
> > +cpumask_var_t mktme_cpumask; /* one cpu per pkg to program
> > keys */
>
> Oh the 'mktme_cpumask' is here. Sorry I didn't notice when replying to your patch 10. :)
>
> But I think you can just move what you did in patch 10 here and leave intel_pconfig.h unchanged. It's much clearer.
I'll try that out and see how it works.
> > +
> > + for_each_online_cpu(online_cpu) {
> > + online_pkgid = topology_physical_package_id(online_cpu);
> > +
> > + for_each_cpu(mktme_cpu, mktme_cpumask) {
> > + mktme_pkgid > > topology_physical_package_id(mktme_cpu);
> > + if (mktme_pkgid = online_pkgid)
> > + break;
> > + }
> > + if (mktme_pkgid != online_pkgid)
> > + cpumask_set_cpu(online_cpu, mktme_cpumask);
> > + }
>
> Could we use 'for_each_online_node', 'cpumask_first/next', etc to simplify the logic?
Sure - I'll look at those.
Thanks!
Alison
WARNING: multiple messages have this Message-ID (diff)
From: alison.schofield@intel.com (Alison Schofield)
To: linux-security-module@vger.kernel.org
Subject: [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys
Date: Mon, 10 Sep 2018 14:47:32 -0700 [thread overview]
Message-ID: <20180910214731.GA29337@alison-desk.jf.intel.com> (raw)
In-Reply-To: <105F7BF4D0229846AF094488D65A098935424C2D@PGSMSX112.gar.corp.intel.com>
On Sun, Sep 09, 2018 at 08:29:29PM -0700, Huang, Kai wrote:
> > -----Original Message-----
> > From: keyrings-owner at vger.kernel.org [mailto:keyrings-
> > owner at vger.kernel.org] On Behalf Of Alison Schofield
> > Sent: Saturday, September 8, 2018 10:39 AM
> > To: dhowells at redhat.com; tglx at linutronix.de
> > Cc: Huang, Kai <kai.huang@intel.com>; Nakajima, Jun
> > <jun.nakajima@intel.com>; Shutemov, Kirill <kirill.shutemov@intel.com>;
> > Hansen, Dave <dave.hansen@intel.com>; Sakkinen, Jarkko
> > <jarkko.sakkinen@intel.com>; jmorris at namei.org; keyrings at vger.kernel.org;
> > linux-security-module at vger.kernel.org; mingo at redhat.com; hpa at zytor.com;
> > x86 at kernel.org; linux-mm at kvack.org
> > Subject: [RFC 11/12] keys/mktme: Add a new key service type for memory
> > encryption keys
> >
> > MKTME (Multi-Key Total Memory Encryption) is a technology that allows
> > transparent memory encryption in upcoming Intel platforms. MKTME will
> > support mulitple encryption domains, each having their own key. The main use
> > case for the feature is virtual machine isolation. The API needs the flexibility to
> > work for a wide range of uses.
> >
> > The MKTME key service type manages the addition and removal of the memory
> > encryption keys. It maps software keys to hardware keyids and programs the
> > hardware with the user requested encryption options.
> >
> > The only supported encryption algorithm is AES-XTS 128.
> >
> > The MKTME key service is half of the MKTME API level solution. It pairs with a
> > new memory encryption system call: encrypt_mprotect() that uses the keys to
> > encrypt memory.
> >
Kai -
Splitting out responses by subject...
> > +cpumask_var_t mktme_cpumask; /* one cpu per pkg to program
> > keys */
>
> Oh the 'mktme_cpumask' is here. Sorry I didn't notice when replying to your patch 10. :)
>
> But I think you can just move what you did in patch 10 here and leave intel_pconfig.h unchanged. It's much clearer.
I'll try that out and see how it works.
> > +
> > + for_each_online_cpu(online_cpu) {
> > + online_pkgid = topology_physical_package_id(online_cpu);
> > +
> > + for_each_cpu(mktme_cpu, mktme_cpumask) {
> > + mktme_pkgid =
> > topology_physical_package_id(mktme_cpu);
> > + if (mktme_pkgid == online_pkgid)
> > + break;
> > + }
> > + if (mktme_pkgid != online_pkgid)
> > + cpumask_set_cpu(online_cpu, mktme_cpumask);
> > + }
>
> Could we use 'for_each_online_node', 'cpumask_first/next', etc to simplify the logic?
Sure - I'll look at those.
Thanks!
Alison
WARNING: multiple messages have this Message-ID (diff)
From: Alison Schofield <alison.schofield@intel.com>
To: "Huang, Kai" <kai.huang@intel.com>
Cc: "dhowells@redhat.com" <dhowells@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
"Shutemov, Kirill" <kirill.shutemov@intel.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
"Sakkinen, Jarkko" <jarkko.sakkinen@intel.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys
Date: Mon, 10 Sep 2018 14:47:32 -0700 [thread overview]
Message-ID: <20180910214731.GA29337@alison-desk.jf.intel.com> (raw)
In-Reply-To: <105F7BF4D0229846AF094488D65A098935424C2D@PGSMSX112.gar.corp.intel.com>
On Sun, Sep 09, 2018 at 08:29:29PM -0700, Huang, Kai wrote:
> > -----Original Message-----
> > From: keyrings-owner@vger.kernel.org [mailto:keyrings-
> > owner@vger.kernel.org] On Behalf Of Alison Schofield
> > Sent: Saturday, September 8, 2018 10:39 AM
> > To: dhowells@redhat.com; tglx@linutronix.de
> > Cc: Huang, Kai <kai.huang@intel.com>; Nakajima, Jun
> > <jun.nakajima@intel.com>; Shutemov, Kirill <kirill.shutemov@intel.com>;
> > Hansen, Dave <dave.hansen@intel.com>; Sakkinen, Jarkko
> > <jarkko.sakkinen@intel.com>; jmorris@namei.org; keyrings@vger.kernel.org;
> > linux-security-module@vger.kernel.org; mingo@redhat.com; hpa@zytor.com;
> > x86@kernel.org; linux-mm@kvack.org
> > Subject: [RFC 11/12] keys/mktme: Add a new key service type for memory
> > encryption keys
> >
> > MKTME (Multi-Key Total Memory Encryption) is a technology that allows
> > transparent memory encryption in upcoming Intel platforms. MKTME will
> > support mulitple encryption domains, each having their own key. The main use
> > case for the feature is virtual machine isolation. The API needs the flexibility to
> > work for a wide range of uses.
> >
> > The MKTME key service type manages the addition and removal of the memory
> > encryption keys. It maps software keys to hardware keyids and programs the
> > hardware with the user requested encryption options.
> >
> > The only supported encryption algorithm is AES-XTS 128.
> >
> > The MKTME key service is half of the MKTME API level solution. It pairs with a
> > new memory encryption system call: encrypt_mprotect() that uses the keys to
> > encrypt memory.
> >
Kai -
Splitting out responses by subject...
> > +cpumask_var_t mktme_cpumask; /* one cpu per pkg to program
> > keys */
>
> Oh the 'mktme_cpumask' is here. Sorry I didn't notice when replying to your patch 10. :)
>
> But I think you can just move what you did in patch 10 here and leave intel_pconfig.h unchanged. It's much clearer.
I'll try that out and see how it works.
> > +
> > + for_each_online_cpu(online_cpu) {
> > + online_pkgid = topology_physical_package_id(online_cpu);
> > +
> > + for_each_cpu(mktme_cpu, mktme_cpumask) {
> > + mktme_pkgid =
> > topology_physical_package_id(mktme_cpu);
> > + if (mktme_pkgid == online_pkgid)
> > + break;
> > + }
> > + if (mktme_pkgid != online_pkgid)
> > + cpumask_set_cpu(online_cpu, mktme_cpumask);
> > + }
>
> Could we use 'for_each_online_node', 'cpumask_first/next', etc to simplify the logic?
Sure - I'll look at those.
Thanks!
Alison
next prev parent reply other threads:[~2018-09-10 21:47 UTC|newest]
Thread overview: 159+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-07 22:23 [RFC 00/12] Multi-Key Total Memory Encryption API (MKTME) Alison Schofield
2018-09-07 22:23 ` Alison Schofield
2018-09-07 22:23 ` Alison Schofield
2018-09-07 22:34 ` [RFC 01/12] docs/x86: Document the Multi-Key Total Memory Encryption API Alison Schofield
2018-09-08 18:44 ` Randy Dunlap
2018-09-08 18:44 ` Randy Dunlap
2018-09-08 18:44 ` Randy Dunlap
2018-09-10 1:28 ` Huang, Kai
2018-09-10 1:28 ` Huang, Kai
2018-09-10 1:28 ` Huang, Kai
2018-09-11 0:13 ` Alison Schofield
2018-09-11 0:13 ` Alison Schofield
2018-09-11 0:13 ` Alison Schofield
2018-09-11 0:33 ` Huang, Kai
2018-09-11 0:33 ` Huang, Kai
2018-09-11 0:33 ` Huang, Kai
2018-09-11 0:45 ` Alison Schofield
2018-09-11 0:45 ` Alison Schofield
2018-09-11 0:45 ` Alison Schofield
2018-09-11 1:14 ` Huang, Kai
2018-09-11 1:14 ` Huang, Kai
2018-09-11 1:14 ` Huang, Kai
2018-09-11 0:14 ` Huang, Kai
2018-09-11 0:14 ` Huang, Kai
2018-09-11 0:14 ` Huang, Kai
2018-09-10 17:32 ` Sakkinen, Jarkko
2018-09-10 17:32 ` Sakkinen, Jarkko
2018-09-10 17:32 ` Sakkinen, Jarkko
2018-09-11 0:19 ` Alison Schofield
2018-09-11 0:19 ` Alison Schofield
2018-09-11 0:19 ` Alison Schofield
2018-09-07 22:34 ` [RFC 02/12] mm: Generalize the mprotect implementation to support extensions Alison Schofield
2018-09-07 22:34 ` Alison Schofield
2018-09-07 22:34 ` Alison Schofield
2018-09-10 10:12 ` Jarkko Sakkinen
2018-09-10 10:12 ` Jarkko Sakkinen
2018-09-10 10:12 ` Jarkko Sakkinen
2018-09-11 0:34 ` Alison Schofield
2018-09-11 0:34 ` Alison Schofield
2018-09-11 0:34 ` Alison Schofield
2018-09-07 22:34 ` [RFC 03/12] syscall/x86: Wire up a new system call for memory encryption keys Alison Schofield
2018-09-07 22:34 ` Alison Schofield
2018-09-07 22:34 ` Alison Schofield
2018-09-07 22:36 ` [RFC 04/12] x86/mm: Add helper functions to manage " Alison Schofield
2018-09-07 22:36 ` Alison Schofield
2018-09-07 22:36 ` Alison Schofield
2018-09-10 2:56 ` Huang, Kai
2018-09-10 2:56 ` Huang, Kai
2018-09-10 2:56 ` Huang, Kai
2018-09-10 23:37 ` Huang, Kai
2018-09-10 23:37 ` Huang, Kai
2018-09-10 23:37 ` Huang, Kai
2018-09-10 23:41 ` Alison Schofield
2018-09-10 23:41 ` Alison Schofield
2018-09-10 23:41 ` Alison Schofield
2018-09-10 17:37 ` Sakkinen, Jarkko
2018-09-07 22:36 ` [RFC 05/12] x86/mm: Add a helper function to set keyid bits in encrypted VMA's Alison Schofield
2018-09-07 22:36 ` Alison Schofield
2018-09-07 22:36 ` Alison Schofield
2018-09-10 17:57 ` Sakkinen, Jarkko
2018-09-10 17:57 ` Sakkinen, Jarkko
2018-09-10 17:57 ` Sakkinen, Jarkko
2018-09-07 22:36 ` [RFC 06/12] mm: Add the encrypt_mprotect() system call Alison Schofield
2018-09-10 18:02 ` Jarkko Sakkinen
2018-09-10 18:02 ` Jarkko Sakkinen
2018-09-10 18:02 ` Jarkko Sakkinen
2018-09-11 2:15 ` Alison Schofield
2018-09-11 2:15 ` Alison Schofield
2018-09-11 2:15 ` Alison Schofield
2018-09-07 22:37 ` [RFC 07/12] x86/mm: Add helper functions to track encrypted VMA's Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-10 3:17 ` Huang, Kai
2018-09-10 3:17 ` Huang, Kai
2018-09-07 22:37 ` [RFC 08/12] mm: Track VMA's in use for each memory encryption keyid Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-10 18:20 ` Jarkko Sakkinen
2018-09-10 18:20 ` Jarkko Sakkinen
2018-09-10 18:20 ` Jarkko Sakkinen
2018-09-11 2:39 ` Alison Schofield
2018-09-11 2:39 ` Alison Schofield
2018-09-11 2:39 ` Alison Schofield
2018-09-07 22:37 ` [RFC 09/12] mm: Restrict memory encryption to anonymous VMA's Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-07 22:37 ` Alison Schofield
2018-09-10 18:21 ` Sakkinen, Jarkko
2018-09-10 18:21 ` Sakkinen, Jarkko
2018-09-10 18:21 ` Sakkinen, Jarkko
2018-09-10 18:57 ` Dave Hansen
2018-09-10 18:57 ` Dave Hansen
2018-09-10 18:57 ` Dave Hansen
2018-09-10 21:07 ` Jarkko Sakkinen
2018-09-10 21:07 ` Jarkko Sakkinen
2018-09-10 21:07 ` Jarkko Sakkinen
2018-09-10 21:09 ` Dave Hansen
2018-09-10 21:09 ` Dave Hansen
2018-09-10 21:09 ` Dave Hansen
2018-09-07 22:38 ` [RFC 10/12] x86/pconfig: Program memory encryption keys on a system-wide basis Alison Schofield
2018-09-07 22:38 ` Alison Schofield
2018-09-07 22:38 ` Alison Schofield
2018-09-10 1:46 ` Huang, Kai
2018-09-10 1:46 ` Huang, Kai
2018-09-10 18:24 ` Sakkinen, Jarkko
2018-09-10 18:24 ` Sakkinen, Jarkko
2018-09-10 18:24 ` Sakkinen, Jarkko
2018-09-11 2:46 ` Alison Schofield
2018-09-11 2:46 ` Alison Schofield
2018-09-11 2:46 ` Alison Schofield
2018-09-11 14:31 ` Jarkko Sakkinen
2018-09-11 14:31 ` Jarkko Sakkinen
2018-09-11 14:31 ` Jarkko Sakkinen
2018-09-07 22:38 ` [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys Alison Schofield
2018-09-07 22:38 ` Alison Schofield
2018-09-07 22:38 ` Alison Schofield
2018-09-10 3:29 ` Huang, Kai
2018-09-10 3:29 ` Huang, Kai
2018-09-10 3:29 ` Huang, Kai
2018-09-10 21:47 ` Alison Schofield [this message]
2018-09-10 21:47 ` Alison Schofield
2018-09-10 21:47 ` Alison Schofield
2018-09-15 0:06 ` Alison Schofield
2018-09-15 0:06 ` Alison Schofield
2018-09-15 0:06 ` Alison Schofield
2018-09-17 10:48 ` Huang, Kai
2018-09-17 10:48 ` Huang, Kai
2018-09-17 10:48 ` Huang, Kai
2018-09-17 22:34 ` Huang, Kai
2018-09-17 22:34 ` Huang, Kai
2018-09-17 22:34 ` Huang, Kai
2018-09-07 22:39 ` [RFC 12/12] keys/mktme: Do not revoke in use " Alison Schofield
2018-09-07 22:39 ` Alison Schofield
2018-09-07 22:39 ` Alison Schofield
2018-09-10 1:10 ` [RFC 00/12] Multi-Key Total Memory Encryption API (MKTME) Huang, Kai
2018-09-10 1:10 ` Huang, Kai
2018-09-10 19:10 ` Alison Schofield
2018-09-10 19:10 ` Alison Schofield
2018-09-10 19:10 ` Alison Schofield
2018-09-11 3:15 ` Huang, Kai
2018-09-11 3:15 ` Huang, Kai
2018-09-11 3:15 ` Huang, Kai
2018-09-10 17:29 ` Sakkinen, Jarkko
2018-09-10 17:29 ` Sakkinen, Jarkko
2018-09-10 17:29 ` Sakkinen, Jarkko
2018-09-11 22:03 ` [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys David Howells
2018-09-11 22:03 ` David Howells
2018-09-11 22:03 ` David Howells
2018-09-11 22:39 ` Alison Schofield
2018-09-11 22:39 ` Alison Schofield
2018-09-11 22:39 ` Alison Schofield
2018-09-11 23:01 ` David Howells
2018-09-11 23:01 ` David Howells
2018-09-11 23:01 ` David Howells
2018-09-11 22:56 ` [RFC 04/12] x86/mm: Add helper functions to manage " David Howells
2018-09-11 22:56 ` David Howells
2018-09-11 22:56 ` David Howells
2018-09-12 11:12 ` [RFC 12/12] keys/mktme: Do not revoke in use " David Howells
2018-09-12 11:12 ` David Howells
2018-09-12 11:12 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180910214731.GA29337@alison-desk.jf.intel.com \
--to=alison.schofield@intel.com \
--cc=dave.hansen@intel.com \
--cc=dhowells@redhat.com \
--cc=hpa@zytor.com \
--cc=jarkko.sakkinen@intel.com \
--cc=jmorris@namei.org \
--cc=jun.nakajima@intel.com \
--cc=kai.huang@intel.com \
--cc=keyrings@vger.kernel.org \
--cc=kirill.shutemov@intel.com \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.