On 2/26/20 3:59 PM, David Hildenbrand wrote:
> On 26.02.20 13:20, Janosch Frank wrote:
>> Ballooning in protected VMs can only be done when the guest shares the
>> pages it gives to the host. Hence, until we have a solution for this
>> in the guest kernel, we inhibit ballooning when switching into
>> protected mode and reverse that once we move out of it.
>
> I don't understand what you mean here, sorry. zapping a page will mean
> that a fresh one will be faulted in when accessed. And AFAIK, that means
> it will be encrypted again when needed.

Yes, as soon as the host alters non-shared memory we'll run into
integrity issues.

I've been talking to Halil after I sent this out and it looks like we'll
rather try to automatically enable the IOMMU for all devices when
switching into protected mode. He said that if the IOMMU is set the
balloon code will do an early exit on feature negotiation.

>
> Is that more like the UV will detect this as an integrity issue and
> crash the VM?
>
>>
>> Signed-off-by: Janosch Frank
>> --- >> hw/s390x/s390-virtio-ccw.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c >> index 9983165b05..0f4455d1df 100644 >> --- a/hw/s390x/s390-virtio-ccw.c >> +++ b/hw/s390x/s390-virtio-ccw.c >> @@ -41,6 +41,7 @@ >> #include "hw/qdev-properties.h" >> #include "hw/s390x/tod.h" >> #include "sysemu/sysemu.h" >> +#include "sysemu/balloon.h" >> #include "hw/s390x/pv.h" >> #include "migration/blocker.h" >> >> @@ -336,6 +337,7 @@ static void s390_machine_unprotect(S390CcwMachineState *ms) >> ms->pv = false; >> } >> migrate_del_blocker(pv_mig_blocker); >> + qemu_balloon_inhibit(false); >> } >> >> static int s390_machine_protect(S390CcwMachineState *ms) 
>> @@ -344,6 +346,7 @@ static int s390_machine_protect(S390CcwMachineState *ms) >> CPUState *t; >> int rc; >> >> + qemu_balloon_inhibit(true); >> if (!pv_mig_blocker) { >> error_setg(&pv_mig_blocker, >> "protected VMs are currently not migrateable."); >> > >
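Review bot: in the s390_machine_unprotect() hunk, qemu_balloon_inhibit(false) sits after the closing brace of the block that clears ms->pv, so it runs on every call regardless of whether the machine was actually in protected mode. If unprotect can be reached without a preceding successful s390_machine_protect(), the release is not paired with an inhibit and the balloon could be re-enabled while another user still relies on it being off. Consider moving the call inside the same condition that guards "ms->pv = false;", or stating in a comment that callers guarantee the pairing.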
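Review bot: in the s390_machine_protect() hunk, qemu_balloon_inhibit(true) is the first statement, ahead of every step that can fail (the function returns int and declares rc). The hunk shows no matching qemu_balloon_inhibit(false) for a failed transition, so any error return that does not go through s390_machine_unprotect() would leave ballooning inhibited on a VM that never became protected. Either undo the inhibit on the error paths or take it only once the switch has succeeded, provided no balloon activity can race with the transition. A one-line comment giving the reason from the commit message (the guest has to share the pages it hands to the host) would also help, since the inhibit is described as temporary.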