* [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions
@ 2024-02-22 19:06 Sean Christopherson
2024-02-22 19:06 ` [PATCH 1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY Sean Christopherson
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
A few minor-ish fixes related to GUEST_MEMFD that I am hoping to squeeze
into 6.8 as the they affect KVM's ABI (especially patch 1).
Sean Christopherson (5):
KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a
WIP
KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU
KVM: selftests: Create GUEST_MEMFD for relevant invalid flags
testcases
KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are
exclusive
Documentation/virt/kvm/api.rst | 5 +++++
arch/x86/kvm/Kconfig | 7 ++++---
arch/x86/kvm/x86.c | 2 +-
tools/testing/selftests/kvm/set_memory_region_test.c | 12 +++++++++++-
virt/kvm/kvm_main.c | 8 +++++++-
5 files changed, 28 insertions(+), 6 deletions(-)
base-commit: 21dbc438dde69ff630b3264c54b94923ee9fcdcf
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
@ 2024-02-22 19:06 ` Sean Christopherson
2024-02-22 19:06 ` [PATCH 2/5] KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP Sean Christopherson
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
Disallow creating read-only memslots that support GUEST_MEMFD, as
GUEST_MEMFD is fundamentally incompatible with KVM's semantics for
read-only memslots. Read-only memslots allow the userspace VMM to emulate
option ROMs by filling the backing memory with readable, executable code
and data, while triggering emulated MMIO on writes. GUEST_MEMFD doesn't
currently support writes from userspace and KVM doesn't support emulated
MMIO on private accesses, i.e. the guest can only ever read zeros, and
writes will always be treated as errors.
Cc: Fuad Tabba <tabba@google.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Isaku Yamahata <isaku.yamahata@gmail.com>
Cc: Yu Zhang <yu.c.zhang@linux.intel.com>
Cc: Chao Peng <chao.p.peng@linux.intel.com>
Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
virt/kvm/kvm_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index eb0dfcd157f4..0f9f78f4f7cf 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1617,7 +1617,13 @@ static int check_memory_region_flags(struct kvm *kvm,
valid_flags &= ~KVM_MEM_LOG_DIRTY_PAGES;
#ifdef CONFIG_HAVE_KVM_READONLY_MEM
- valid_flags |= KVM_MEM_READONLY;
+ /*
+ * GUEST_MEMFD is incompatible with read-only memslots, as writes to
+ * read-only memslots have emulated MMIO, not page fault, semantics,
+ * and KVM doesn't allow emulated MMIO for private memory.
+ */
+ if (!(mem->flags & KVM_MEM_GUEST_MEMFD))
+ valid_flags |= KVM_MEM_READONLY;
#endif
if (mem->flags & ~valid_flags)
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/5] KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
2024-02-22 19:06 ` [PATCH 1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY Sean Christopherson
@ 2024-02-22 19:06 ` Sean Christopherson
2024-02-22 19:06 ` [PATCH 3/5] KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU Sean Christopherson
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
Rewrite the help message for KVM_SW_PROTECTED_VM to make it clear that
software-protected VMs are a development and testing vehicle for
guest_memfd(), and that attempting to use KVM_SW_PROTECTED_VM for anything
remotely resembling a "real" VM will fail. E.g. any memory accesses from
KVM will incorrectly access shared memory, nested TDP is wildly broken,
and so on and so forth.
Update KVM's API documentation with similar warnings to discourage anyone
from attempting to run anything but selftests with KVM_X86_SW_PROTECTED_VM.
Fixes: 89ea60c2c7b5 ("KVM: x86: Add support for "protected VMs" that can utilize private memory")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
Documentation/virt/kvm/api.rst | 5 +++++
arch/x86/kvm/Kconfig | 7 ++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.rst
index bd93cafd3e4e..0b5a33ee71ee 100644
--- a/Documentation/virt/kvm/api.rst
+++ b/Documentation/virt/kvm/api.rst
@@ -8820,6 +8820,11 @@ means the VM type with value @n is supported. Possible values of @n are::
#define KVM_X86_DEFAULT_VM 0
#define KVM_X86_SW_PROTECTED_VM 1
+Note, KVM_X86_SW_PROTECTED_VM is currently only for development and testing.
+Do not use KVM_X86_SW_PROTECTED_VM for "real" VMs, and especially not in
+production. The behavior and effective ABI for software-protected VMs is
+unstable.
+
9. Known KVM API problems
=========================
diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
index 5895aee5dfef..4336b3fff0cf 100644
--- a/arch/x86/kvm/Kconfig
+++ b/arch/x86/kvm/Kconfig
@@ -81,9 +81,10 @@ config KVM_SW_PROTECTED_VM
depends on KVM && X86_64
select KVM_GENERIC_PRIVATE_MEM
help
- Enable support for KVM software-protected VMs. Currently "protected"
- means the VM can be backed with memory provided by
- KVM_CREATE_GUEST_MEMFD.
+ Enable support for KVM software-protected VMs. Currently, software-
+ protected VMs are purely a development and testing vehicle for
+ KVM_CREATE_GUEST_MEMFD. Attempting to run a "real" VM workload as a
+ software-protected VM will fail miserably.
If unsure, say "N".
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 3/5] KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
2024-02-22 19:06 ` [PATCH 1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY Sean Christopherson
2024-02-22 19:06 ` [PATCH 2/5] KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP Sean Christopherson
@ 2024-02-22 19:06 ` Sean Christopherson
2024-02-22 19:06 ` [PATCH 4/5] KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases Sean Christopherson
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
Advertise and support software-protected VMs if and only if the TDP MMU is
enabled, i.e. disallow KVM_SW_PROTECTED_VM if TDP is enabled for KVM's
legacy/shadow MMU. TDP support for the shadow MMU is maintenance-only,
e.g. support for TDX and SNP will also be restricted to the TDP MMU.
Fixes: 89ea60c2c7b5 ("KVM: x86: Add support for "protected VMs" that can utilize private memory")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
arch/x86/kvm/x86.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 86d88bc7a6d0..1e0cc1906232 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4580,7 +4580,7 @@ static bool kvm_is_vm_type_supported(unsigned long type)
{
return type == KVM_X86_DEFAULT_VM ||
(type == KVM_X86_SW_PROTECTED_VM &&
- IS_ENABLED(CONFIG_KVM_SW_PROTECTED_VM) && tdp_enabled);
+ IS_ENABLED(CONFIG_KVM_SW_PROTECTED_VM) && tdp_mmu_enabled);
}
int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 4/5] KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
` (2 preceding siblings ...)
2024-02-22 19:06 ` [PATCH 3/5] KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU Sean Christopherson
@ 2024-02-22 19:06 ` Sean Christopherson
2024-02-22 19:06 ` [PATCH 5/5] KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive Sean Christopherson
2024-02-23 1:35 ` [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
Actually create a GUEST_MEMFD instance and pass it to KVM when doing
negative tests for KVM_SET_USER_MEMORY_REGION2 + KVM_MEM_GUEST_MEMFD.
Without a valid GUEST_MEMFD file descriptor, KVM_SET_USER_MEMORY_REGION2
will always fail with -EINVAL, resulting in false passes for any and all
tests of illegal combinations of KVM_MEM_GUEST_MEMFD and other flags.
Fixes: 5d74316466f4 ("KVM: selftests: Add a memory region subtest to validate invalid flags")
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
tools/testing/selftests/kvm/set_memory_region_test.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/kvm/set_memory_region_test.c b/tools/testing/selftests/kvm/set_memory_region_test.c
index 40337f566eeb..9df4b61116bc 100644
--- a/tools/testing/selftests/kvm/set_memory_region_test.c
+++ b/tools/testing/selftests/kvm/set_memory_region_test.c
@@ -367,11 +367,15 @@ static void test_invalid_memory_region_flags(void)
}
if (supported_flags & KVM_MEM_GUEST_MEMFD) {
+ int guest_memfd = vm_create_guest_memfd(vm, MEM_REGION_SIZE, 0);
+
r = __vm_set_user_memory_region2(vm, 0,
KVM_MEM_LOG_DIRTY_PAGES | KVM_MEM_GUEST_MEMFD,
- 0, MEM_REGION_SIZE, NULL, 0, 0);
+ 0, MEM_REGION_SIZE, NULL, guest_memfd, 0);
TEST_ASSERT(r && errno == EINVAL,
"KVM_SET_USER_MEMORY_REGION2 should have failed, dirty logging private memory is unsupported");
+
+ close(guest_memfd);
}
}
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 5/5] KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
` (3 preceding siblings ...)
2024-02-22 19:06 ` [PATCH 4/5] KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases Sean Christopherson
@ 2024-02-22 19:06 ` Sean Christopherson
2024-02-23 1:35 ` [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-22 19:06 UTC (permalink / raw)
To: Paolo Bonzini, Sean Christopherson
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
Extend set_memory_region_test's invalid flags subtest to verify that
GUEST_MEMFD is incompatible with READONLY. GUEST_MEMFD doesn't currently
support writes from userspace and KVM doesn't support emulated MMIO on
private accesses, and so KVM is supposed to reject the GUEST_MEMFD+READONLY
in order to avoid configuration that KVM can't support.
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
tools/testing/selftests/kvm/set_memory_region_test.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/kvm/set_memory_region_test.c b/tools/testing/selftests/kvm/set_memory_region_test.c
index 9df4b61116bc..06b43ed23580 100644
--- a/tools/testing/selftests/kvm/set_memory_region_test.c
+++ b/tools/testing/selftests/kvm/set_memory_region_test.c
@@ -375,6 +375,12 @@ static void test_invalid_memory_region_flags(void)
TEST_ASSERT(r && errno == EINVAL,
"KVM_SET_USER_MEMORY_REGION2 should have failed, dirty logging private memory is unsupported");
+ r = __vm_set_user_memory_region2(vm, 0,
+ KVM_MEM_READONLY | KVM_MEM_GUEST_MEMFD,
+ 0, MEM_REGION_SIZE, NULL, guest_memfd, 0);
+ TEST_ASSERT(r && errno == EINVAL,
+ "KVM_SET_USER_MEMORY_REGION2 should have failed, read-only GUEST_MEMFD memslots are unsupported");
+
close(guest_memfd);
}
}
--
2.44.0.rc0.258.g7320e95886-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
` (4 preceding siblings ...)
2024-02-22 19:06 ` [PATCH 5/5] KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive Sean Christopherson
@ 2024-02-23 1:35 ` Sean Christopherson
5 siblings, 0 replies; 7+ messages in thread
From: Sean Christopherson @ 2024-02-23 1:35 UTC (permalink / raw)
To: Sean Christopherson, Paolo Bonzini
Cc: kvm, linux-kernel, Fuad Tabba, Michael Roth, Isaku Yamahata,
Yu Zhang, Chao Peng
On Thu, 22 Feb 2024 11:06:07 -0800, Sean Christopherson wrote:
> A few minor-ish fixes related to GUEST_MEMFD that I am hoping to squeeze
> into 6.8 as the they affect KVM's ABI (especially patch 1).
>
> Sean Christopherson (5):
> KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
> KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a
> WIP
> KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU
> KVM: selftests: Create GUEST_MEMFD for relevant invalid flags
> testcases
> KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are
> exclusive
>
> [...]
Applied ridiculously quickly to kvm-x86 guest_memfd_fixes, so as to get these
into -next before the weekend. I purposely put these in a separate branch so
that I can squash fixes, reviews, etc., or drop the branch outright if Paolo
swoops in and grabs 'em.
[1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
https://github.com/kvm-x86/linux/commit/e563592224e0
[2/5] KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP
https://github.com/kvm-x86/linux/commit/422692098c4c
[3/5] KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU
https://github.com/kvm-x86/linux/commit/a1176ef5c92a
[4/5] KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases
https://github.com/kvm-x86/linux/commit/63e5c5a10559
[5/5] KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive
https://github.com/kvm-x86/linux/commit/2dfd23830344
--
https://github.com/kvm-x86/linux/tree/next
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-02-23 1:36 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-22 19:06 [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
2024-02-22 19:06 ` [PATCH 1/5] KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY Sean Christopherson
2024-02-22 19:06 ` [PATCH 2/5] KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP Sean Christopherson
2024-02-22 19:06 ` [PATCH 3/5] KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU Sean Christopherson
2024-02-22 19:06 ` [PATCH 4/5] KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases Sean Christopherson
2024-02-22 19:06 ` [PATCH 5/5] KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive Sean Christopherson
2024-02-23 1:35 ` [PATCH 0/5] KVM: GUEST_MEMFD fixes/restrictions Sean Christopherson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.