From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F108C433E9 for ; Fri, 5 Mar 2021 19:04:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 453AE6509A for ; Fri, 5 Mar 2021 19:04:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229794AbhCETEP (ORCPT ); Fri, 5 Mar 2021 14:04:15 -0500 Received: from mail.kernel.org ([198.145.29.99]:33040 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229682AbhCETD6 (ORCPT ); Fri, 5 Mar 2021 14:03:58 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id F289965066; Fri, 5 Mar 2021 19:03:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1614971037; bh=hGG9zCwfl02S8an8gLZvtH9jqKn5RF6pFf/w3LZ+zwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bsWVFctl/HJV38I1lSfmtObYYDL6uszH3DnCnGmRGlWrPywDO6QV6B/Yg3HuApQTv L2szzwqFNsR+oFtzK5CQLNFIvGgMG1rvTwYW4tTPLr98pZFhUW/g+/DdElcQVubiwZ eFjeytiJC23BmyggvwyN6Avj02uDeeXRrjeWeJQa1qNHDKG+FICkL3KXPHolkbzhcw Bzk+9PmYMmwtTLSQRMQkcuiotpy8zOo/ZnJn+PGTLDSURox6Hm8PM6vBRGCQmRoyxC x+f+W9zphaUBYGla5Rg/NvWZ7yfduelYHxb37hh7vpkctMCgHPacbXzf9cd+N63emZ Ux6MiGhZavjBA== Date: Fri, 5 Mar 2021 19:03:51 +0000 From: Will Deacon To: Quentin Perret Cc: catalin.marinas@arm.com, maz@kernel.org, james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, android-kvm@google.com, linux-kernel@vger.kernel.org, kernel-team@android.com, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, tabba@google.com, mark.rutland@arm.com, dbrazdil@google.com, mate.toth-pal@arm.com, seanjc@google.com, robh+dt@kernel.org Subject: Re: [PATCH v3 26/32] KVM: arm64: Introduce PROT_NONE mappings for stage 2 Message-ID: <20210305190350.GB23633@willie-the-truck> References: <20210302150002.3685113-1-qperret@google.com> <20210302150002.3685113-27-qperret@google.com> <20210304200044.GF21950@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 05, 2021 at 09:52:12AM +0000, Quentin Perret wrote: > On Thursday 04 Mar 2021 at 20:00:45 (+0000), Will Deacon wrote: > > On Tue, Mar 02, 2021 at 02:59:56PM +0000, Quentin Perret wrote: > > > Once we start unmapping portions of memory from the host stage 2 (such > > > as e.g. the hypervisor memory sections, or pages that belong to > > > protected guests), we will need a way to track page ownership. And > > > given that all mappings in the host stage 2 will be identity-mapped, we > > > can use the host stage 2 page-table itself as a simplistic rmap. > > > > > > As a first step towards this, introduce a new protection attribute > > > in the stage 2 page table code, called KVM_PGTABLE_PROT_NONE, which > > > allows to annotate portions of the IPA space as inaccessible. For > > > simplicity, PROT_NONE mappings are created as invalid mappings with a > > > software bit set. > > > > Just as an observation, but given that they're invalid we can use any bit > > from [63:2] to indicate that it's a PROT_NONE mapping, and that way we > > can keep the real "software bits" for live mappings. > > > > But we can of course change that later when we need the bit for something > > else. > > Right, so I used this approach for consistency with the kernel's > PROT_NONE mappings: > > #define PTE_PROT_NONE (_AT(pteval_t, 1) << 58) /* only when !PTE_VALID */ > > And in fact now that I think about it, it might be worth re-using the > same bit in stage 2. > > But yes it would be pretty neat to use the other bits of invalid > mappings to add metadata about the pages. I could even drop the > PROT_NONE stuff straight away in favor of a more extensive mechanism for > tracking page ownership... > > Thinking about it, it should be relatively straightforward to construct > the host stage 2 with the following invariants: > > 1. everything is identity-mapped in the host stage 2; > > 2. all valid mappings imply the underlying PA range belongs to the > host; > > 3. bits [63:32] (say) of all invalid mappings are used to store a > unique identifier for the owner of the underlying PA range; > > 4. the host identifier is 0, such that it owns all of memory by > default at boot as its pgd is zeroed; > > And then I could replace my PROT_NONE permission stuff by an ownership > change. E.g. the hypervisor would have its own identifier, and I could > use it to mark the .hyp memory sections as owned by the hyp (which > implies inaccessible by the host). And that should scale quite easily > when we start running protected guests as we'll assign them their own > identifiers. Sharing pages between guests (or even worse, between host > and guests) is a bit trickier, but maybe that is for later. > > Thoughts? I think this sounds like a worthwhile generalisation to me, although virtio brings an immediate need for shared pages and so we'll still need a software bit for those so that we e.g. prevent the host from donating such a shared page to the hypervisor. Will From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1D46C433E0 for ; Fri, 5 Mar 2021 19:04:03 +0000 (UTC) Received: from mm01.cs.columbia.edu (mm01.cs.columbia.edu [128.59.11.253]) by mail.kernel.org (Postfix) with ESMTP id 1C67465073 for ; Fri, 5 Mar 2021 19:04:03 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1C67465073 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvmarm-bounces@lists.cs.columbia.edu Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id A7A984B6AF; Fri, 5 Mar 2021 14:04:02 -0500 (EST) X-Virus-Scanned: at lists.cs.columbia.edu Authentication-Results: mm01.cs.columbia.edu (amavisd-new); dkim=softfail (fail, message has been altered) header.i=@kernel.org Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 179CafFtnBX0; Fri, 5 Mar 2021 14:04:01 -0500 (EST) Received: from mm01.cs.columbia.edu (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 9666C4B3F2; Fri, 5 Mar 2021 14:04:01 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by mm01.cs.columbia.edu (Postfix) with ESMTP id 35A7F4B3F2 for ; Fri, 5 Mar 2021 14:04:00 -0500 (EST) X-Virus-Scanned: at lists.cs.columbia.edu Received: from mm01.cs.columbia.edu ([127.0.0.1]) by localhost (mm01.cs.columbia.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2XLNXDEZAYN3 for ; Fri, 5 Mar 2021 14:03:59 -0500 (EST) Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mm01.cs.columbia.edu (Postfix) with ESMTPS id 085CD4B2AA for ; Fri, 5 Mar 2021 14:03:59 -0500 (EST) Received: by mail.kernel.org (Postfix) with ESMTPSA id F289965066; Fri, 5 Mar 2021 19:03:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1614971037; bh=hGG9zCwfl02S8an8gLZvtH9jqKn5RF6pFf/w3LZ+zwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bsWVFctl/HJV38I1lSfmtObYYDL6uszH3DnCnGmRGlWrPywDO6QV6B/Yg3HuApQTv L2szzwqFNsR+oFtzK5CQLNFIvGgMG1rvTwYW4tTPLr98pZFhUW/g+/DdElcQVubiwZ eFjeytiJC23BmyggvwyN6Avj02uDeeXRrjeWeJQa1qNHDKG+FICkL3KXPHolkbzhcw Bzk+9PmYMmwtTLSQRMQkcuiotpy8zOo/ZnJn+PGTLDSURox6Hm8PM6vBRGCQmRoyxC x+f+W9zphaUBYGla5Rg/NvWZ7yfduelYHxb37hh7vpkctMCgHPacbXzf9cd+N63emZ Ux6MiGhZavjBA== Date: Fri, 5 Mar 2021 19:03:51 +0000 From: Will Deacon To: Quentin Perret Subject: Re: [PATCH v3 26/32] KVM: arm64: Introduce PROT_NONE mappings for stage 2 Message-ID: <20210305190350.GB23633@willie-the-truck> References: <20210302150002.3685113-1-qperret@google.com> <20210302150002.3685113-27-qperret@google.com> <20210304200044.GF21950@willie-the-truck> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Cc: android-kvm@google.com, catalin.marinas@arm.com, mate.toth-pal@arm.com, seanjc@google.com, tabba@google.com, linux-kernel@vger.kernel.org, robh+dt@kernel.org, linux-arm-kernel@lists.infradead.org, maz@kernel.org, kernel-team@android.com, kvmarm@lists.cs.columbia.edu X-BeenThere: kvmarm@lists.cs.columbia.edu X-Mailman-Version: 2.1.14 Precedence: list List-Id: Where KVM/ARM decisions are made List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: kvmarm-bounces@lists.cs.columbia.edu Sender: kvmarm-bounces@lists.cs.columbia.edu On Fri, Mar 05, 2021 at 09:52:12AM +0000, Quentin Perret wrote: > On Thursday 04 Mar 2021 at 20:00:45 (+0000), Will Deacon wrote: > > On Tue, Mar 02, 2021 at 02:59:56PM +0000, Quentin Perret wrote: > > > Once we start unmapping portions of memory from the host stage 2 (such > > > as e.g. the hypervisor memory sections, or pages that belong to > > > protected guests), we will need a way to track page ownership. And > > > given that all mappings in the host stage 2 will be identity-mapped, we > > > can use the host stage 2 page-table itself as a simplistic rmap. > > > > > > As a first step towards this, introduce a new protection attribute > > > in the stage 2 page table code, called KVM_PGTABLE_PROT_NONE, which > > > allows to annotate portions of the IPA space as inaccessible. For > > > simplicity, PROT_NONE mappings are created as invalid mappings with a > > > software bit set. > > > > Just as an observation, but given that they're invalid we can use any bit > > from [63:2] to indicate that it's a PROT_NONE mapping, and that way we > > can keep the real "software bits" for live mappings. > > > > But we can of course change that later when we need the bit for something > > else. > > Right, so I used this approach for consistency with the kernel's > PROT_NONE mappings: > > #define PTE_PROT_NONE (_AT(pteval_t, 1) << 58) /* only when !PTE_VALID */ > > And in fact now that I think about it, it might be worth re-using the > same bit in stage 2. > > But yes it would be pretty neat to use the other bits of invalid > mappings to add metadata about the pages. I could even drop the > PROT_NONE stuff straight away in favor of a more extensive mechanism for > tracking page ownership... > > Thinking about it, it should be relatively straightforward to construct > the host stage 2 with the following invariants: > > 1. everything is identity-mapped in the host stage 2; > > 2. all valid mappings imply the underlying PA range belongs to the > host; > > 3. bits [63:32] (say) of all invalid mappings are used to store a > unique identifier for the owner of the underlying PA range; > > 4. the host identifier is 0, such that it owns all of memory by > default at boot as its pgd is zeroed; > > And then I could replace my PROT_NONE permission stuff by an ownership > change. E.g. the hypervisor would have its own identifier, and I could > use it to mark the .hyp memory sections as owned by the hyp (which > implies inaccessible by the host). And that should scale quite easily > when we start running protected guests as we'll assign them their own > identifiers. Sharing pages between guests (or even worse, between host > and guests) is a bit trickier, but maybe that is for later. > > Thoughts? I think this sounds like a worthwhile generalisation to me, although virtio brings an immediate need for shared pages and so we'll still need a software bit for those so that we e.g. prevent the host from donating such a shared page to the hypervisor. Will _______________________________________________ kvmarm mailing list kvmarm@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/kvmarm From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E544DC433E0 for ; Fri, 5 Mar 2021 19:05:36 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5E91E6509A for ; Fri, 5 Mar 2021 19:05:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5E91E6509A Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=IwogMz/tmy1WzOgA93rDiXPIT6UdrdKzOtc7+dLDm+U=; b=Z+olXAigLSiTwWYu0WFSq3Dgx Yu9dnb8BV1h2ynHwdGFd757QkUOev9s4qECufo77hP4V+6cBwcJLBQel6J3qLsptj4MTrZ3IzBJM5 TvzMttJteNc6F6VBtEv/5QnuCO3alH6YqdR8q69gQvEdv+mDhnLCMds16bNOL1NeuiwF9miGP3a07 bz9o2dmNDs+6/2Jdm/cYDJQQYg0FhL3ridIngaOooe2qZ42NxJJfzz8Jvhtbw+3M5r+269ixkWZKN WKZW62lpK3MMVVC1d0gClZZ0ZOKlSluuyTmW5iT/pUD3bT3U9EXtz0T3hzil4ZFwMW1SswijO3120 2bnm6GGpA==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lIFk7-00G6Ip-Ht; Fri, 05 Mar 2021 19:04:07 +0000 Received: from mail.kernel.org ([198.145.29.99]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lIFjz-00G6GJ-BS for linux-arm-kernel@lists.infradead.org; Fri, 05 Mar 2021 19:04:01 +0000 Received: by mail.kernel.org (Postfix) with ESMTPSA id F289965066; Fri, 5 Mar 2021 19:03:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1614971037; bh=hGG9zCwfl02S8an8gLZvtH9jqKn5RF6pFf/w3LZ+zwM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bsWVFctl/HJV38I1lSfmtObYYDL6uszH3DnCnGmRGlWrPywDO6QV6B/Yg3HuApQTv L2szzwqFNsR+oFtzK5CQLNFIvGgMG1rvTwYW4tTPLr98pZFhUW/g+/DdElcQVubiwZ eFjeytiJC23BmyggvwyN6Avj02uDeeXRrjeWeJQa1qNHDKG+FICkL3KXPHolkbzhcw Bzk+9PmYMmwtTLSQRMQkcuiotpy8zOo/ZnJn+PGTLDSURox6Hm8PM6vBRGCQmRoyxC x+f+W9zphaUBYGla5Rg/NvWZ7yfduelYHxb37hh7vpkctMCgHPacbXzf9cd+N63emZ Ux6MiGhZavjBA== Date: Fri, 5 Mar 2021 19:03:51 +0000 From: Will Deacon To: Quentin Perret Cc: catalin.marinas@arm.com, maz@kernel.org, james.morse@arm.com, julien.thierry.kdev@gmail.com, suzuki.poulose@arm.com, android-kvm@google.com, linux-kernel@vger.kernel.org, kernel-team@android.com, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, tabba@google.com, mark.rutland@arm.com, dbrazdil@google.com, mate.toth-pal@arm.com, seanjc@google.com, robh+dt@kernel.org Subject: Re: [PATCH v3 26/32] KVM: arm64: Introduce PROT_NONE mappings for stage 2 Message-ID: <20210305190350.GB23633@willie-the-truck> References: <20210302150002.3685113-1-qperret@google.com> <20210302150002.3685113-27-qperret@google.com> <20210304200044.GF21950@willie-the-truck> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210305_190359_876114_795D7210 X-CRM114-Status: GOOD ( 32.61 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Mar 05, 2021 at 09:52:12AM +0000, Quentin Perret wrote: > On Thursday 04 Mar 2021 at 20:00:45 (+0000), Will Deacon wrote: > > On Tue, Mar 02, 2021 at 02:59:56PM +0000, Quentin Perret wrote: > > > Once we start unmapping portions of memory from the host stage 2 (such > > > as e.g. the hypervisor memory sections, or pages that belong to > > > protected guests), we will need a way to track page ownership. And > > > given that all mappings in the host stage 2 will be identity-mapped, we > > > can use the host stage 2 page-table itself as a simplistic rmap. > > > > > > As a first step towards this, introduce a new protection attribute > > > in the stage 2 page table code, called KVM_PGTABLE_PROT_NONE, which > > > allows to annotate portions of the IPA space as inaccessible. For > > > simplicity, PROT_NONE mappings are created as invalid mappings with a > > > software bit set. > > > > Just as an observation, but given that they're invalid we can use any bit > > from [63:2] to indicate that it's a PROT_NONE mapping, and that way we > > can keep the real "software bits" for live mappings. > > > > But we can of course change that later when we need the bit for something > > else. > > Right, so I used this approach for consistency with the kernel's > PROT_NONE mappings: > > #define PTE_PROT_NONE (_AT(pteval_t, 1) << 58) /* only when !PTE_VALID */ > > And in fact now that I think about it, it might be worth re-using the > same bit in stage 2. > > But yes it would be pretty neat to use the other bits of invalid > mappings to add metadata about the pages. I could even drop the > PROT_NONE stuff straight away in favor of a more extensive mechanism for > tracking page ownership... > > Thinking about it, it should be relatively straightforward to construct > the host stage 2 with the following invariants: > > 1. everything is identity-mapped in the host stage 2; > > 2. all valid mappings imply the underlying PA range belongs to the > host; > > 3. bits [63:32] (say) of all invalid mappings are used to store a > unique identifier for the owner of the underlying PA range; > > 4. the host identifier is 0, such that it owns all of memory by > default at boot as its pgd is zeroed; > > And then I could replace my PROT_NONE permission stuff by an ownership > change. E.g. the hypervisor would have its own identifier, and I could > use it to mark the .hyp memory sections as owned by the hyp (which > implies inaccessible by the host). And that should scale quite easily > when we start running protected guests as we'll assign them their own > identifiers. Sharing pages between guests (or even worse, between host > and guests) is a bit trickier, but maybe that is for later. > > Thoughts? I think this sounds like a worthwhile generalisation to me, although virtio brings an immediate need for shared pages and so we'll still need a software bit for those so that we e.g. prevent the host from donating such a shared page to the hypervisor. Will _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel