From: Julien Grall <julien@xen.org>
To: Demi Marie Obenour <demi@invisiblethingslab.com>,
"Smith, Jackson" <rsmith@riversideresearch.org>
Cc: "Brookes, Scott" <sbrookes@riversideresearch.org>,
Xen-devel <xen-devel@lists.xenproject.org>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"bertrand.marquis@arm.com" <bertrand.marquis@arm.com>,
"jbeulich@suse.com" <jbeulich@suse.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Roger Pau Monné" <roger.pau@citrix.com>,
"George Dunlap" <george.dunlap@citrix.com>,
"Daniel P. Smith" <dpsmith@apertussolutions.com>,
"christopher.w.clark@gmail.com" <christopher.w.clark@gmail.com>
Subject: Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
Date: Tue, 13 Dec 2022 23:05:49 +0000 [thread overview]
Message-ID: <901d2088-49e7-634f-f55b-e4ea2e706fed@xen.org> (raw)
In-Reply-To: <Y5j7KQ9g5Yb/ufn+@itl-email>
Hi Demi,
On 13/12/2022 22:22, Demi Marie Obenour wrote:
> On Tue, Dec 13, 2022 at 08:55:28PM +0000, Julien Grall wrote:
>> On 13/12/2022 19:48, Smith, Jackson wrote:
>>> Hi Xen Developers,
>>
>> Hi Jackson,
>>
>> Thanks for sharing the prototype with the community. Some questions/remarks
>> below.
>
> [snip]
>
>>> With this technique, we protect the integrity and confidentiality of
>>> guest memory. However, a compromised hypervisor can still read/write
>>> register state during traps, or refuse to schedule a guest, denying
>>> service. We also recognize that because this technique precludes
>>> modifying Xen's page tables after startup, it may not be compatible
>>> with all of Xen's potential use cases. On the other hand, there are
>>> some uses cases (in particular statically defined embedded systems)
>>> where our technique could be adopted with minimal friction.
>>
>> From what you wrote, this sounds very much like the project Citrix and
>> Amazon worked on called "Secret-free hypervisor" with a twist. In your case,
>> you want to prevent the hypervisor to map/unmap the guest memory.
>>
>> You can find some details in [1]. The code is x86 only, but I don't see any
>> major blocker to port it on arm64.
>
> Is there any way the secret-free hypervisor code could be upstreamed?
This has been in my todo list for more than year but didn't yet find
anyone to finish the work.
I need to have a look how much left the original work it is left to do.
Would you be interested to contribute?
> My understanding is that it would enable guests to use SMT without
> risking the host, which would be amazing.
>
>>> Virtualized MMIO on arm needs to decode certain load/store
>>> instructions
>>
>> On Arm, this can be avoided of the guest OS is not using such instruction.
>> In fact they were only added to cater "broken" guest OS.
>>
>> Also, this will probably be a lot more difficult on x86 as, AFAIK, there is
>> no instruction syndrome. So you will need to decode the instruction in order
>> to emulate the access.
>
> Is requiring the guest to emulate such instructions itself an option?
> μXen, SEV-SNP, and TDX all do this.
I am not very familiar with this. So a few questions:
* Does this mean the OS needs to be modified?
* What happen for emulated device?
Cheers,
--
Julien Grall
next prev parent reply other threads:[~2022-12-13 23:06 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-13 19:48 [RFC 0/4] Adding Virtual Memory Fuses to Xen Smith, Jackson
2022-12-13 19:50 ` [RFC 1/4] Add VMF Hypercall Smith, Jackson
2022-12-14 9:29 ` Jan Beulich
2022-12-13 19:53 ` [RFC 2/4] Add VMF tool Smith, Jackson
2022-12-13 19:54 ` [RFC 3/4] Add xen superpage splitting support to arm Smith, Jackson
2022-12-13 21:15 ` Julien Grall
2022-12-13 22:17 ` Demi Marie Obenour
2022-12-13 23:07 ` Julien Grall
2022-12-14 1:38 ` Demi Marie Obenour
2022-12-14 9:09 ` Julien Grall
2022-12-13 19:55 ` [RFC 4/4] Implement VMF for arm64 Smith, Jackson
2022-12-13 20:55 ` [RFC 0/4] Adding Virtual Memory Fuses to Xen Julien Grall
2022-12-13 22:22 ` Demi Marie Obenour
2022-12-13 23:05 ` Julien Grall [this message]
2022-12-14 1:28 ` Demi Marie Obenour
2022-12-14 14:06 ` Julien Grall
2022-12-16 11:58 ` Julien Grall
2022-12-15 19:27 ` Smith, Jackson
2022-12-15 22:00 ` Julien Grall
2022-12-16 1:46 ` Stefano Stabellini
2022-12-16 8:38 ` Julien Grall
2022-12-20 22:17 ` Smith, Jackson
2022-12-20 22:30 ` Demi Marie Obenour
2022-12-22 0:53 ` Stefano Stabellini
2022-12-22 4:33 ` Demi Marie Obenour
2022-12-22 9:31 ` Julien Grall
2022-12-22 21:28 ` Stefano Stabellini
2023-01-08 16:30 ` Julien Grall
2022-12-22 0:38 ` Stefano Stabellini
2022-12-22 9:52 ` Julien Grall
2022-12-22 10:14 ` Demi Marie Obenour
2022-12-22 10:21 ` Julien Grall
2022-12-22 10:28 ` Demi Marie Obenour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=901d2088-49e7-634f-f55b-e4ea2e706fed@xen.org \
--to=julien@xen.org \
--cc=andrew.cooper3@citrix.com \
--cc=bertrand.marquis@arm.com \
--cc=christopher.w.clark@gmail.com \
--cc=demi@invisiblethingslab.com \
--cc=dpsmith@apertussolutions.com \
--cc=george.dunlap@citrix.com \
--cc=jbeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=rsmith@riversideresearch.org \
--cc=sbrookes@riversideresearch.org \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.