From: Jason Gunthorpe <jgg@nvidia.com>
To: Alex Williamson <alex.williamson@redhat.com>
Cc: "Avihai Horon" <avihaih@nvidia.com>,
qemu-devel@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
"Peter Xu" <peterx@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Eduardo Habkost" <eduardo@habkost.net>,
"David Hildenbrand" <david@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Yishai Hadas" <yishaih@nvidia.com>,
"Maor Gottlieb" <maorg@nvidia.com>,
"Kirti Wankhede" <kwankhede@nvidia.com>,
"Tarun Gupta" <targupta@nvidia.com>,
"Joao Martins" <joao.m.martins@oracle.com>
Subject: Re: [PATCH 01/18] vfio/migration: Add VFIO migration pre-copy support
Date: Wed, 1 Feb 2023 16:10:50 -0400 [thread overview]
Message-ID: <Y9rHSlnWAxj3Zm40@nvidia.com> (raw)
In-Reply-To: <20230201114246.12d659d3.alex.williamson@redhat.com>
On Wed, Feb 01, 2023 at 11:42:46AM -0700, Alex Williamson wrote:
> > 'p2p off' is a valuable option in its own right because this stuff
> > doesn't work reliably and is actively dangerous. Did you know you can
> > hard crash the bare metal from a guest on some platforms with P2P
> > operations? Yikes. If you don't need to use it turn it off and don't
> > take the risk.
>
> If we're honest, there are a number of cases of non-exceptional faults
> that an assigned device can generate that the platform might escalate
> to fatal errors.
What I understand is that is true on some commodity hardware, but
engineered systems to run as cloud hypervisors have these problems
solved and VFIO is made safe.
Unfortunately there is no way to know if you have a safe or unsafe
system from the OS.
> > Arguably for this reason 'p2p off' should trend toward the default as
> > it is much safer.
>
> Safety in the hands of the userspace to protect the host though?
> Shouldn't the opt-in be at the kernel level whether to allow p2p
> mappings?
I haven't seen anyone interested in doing this kind of work. The
expectation seems to be that places seriously concerned about security
either don't include VFIO at all in their environments or have
engineered their platforms to make it safe.
Where this leaves the enterprise space, I don't know. I think they end
up with systems that functionally work but possibly have DOS problems.
So, given this landscape I think a user option in qemu is the best we
can do at the moment.
> I don't have an issue if QEMU were to mirror this by
> creating a RAM-only AddressSpace for devices which would be used when
> p2p is disable (it'd save us some headaches for various unaligned
> devices as well), but we shouldn't pretend that actually protects the
> host. OTOH, QEMU could feel confident supporting migration of devices
> w/o support of the migration P2P states with that restriction.
It protects the host from a hostile VM, it does not fully protect the
host from a compromised qemu. That is still an improvement.
> > I think multi-device will likely have some use cases, so I'd like to
> > see a path to have support for them. For this series I think it is
> > probably fine since it is already 18 patches.
>
> It might be fine for this series because it hasn't yet proposed to make
> migration non-experimental, but it's unclear where the goal post is
> that we can actually make that transition.
IMHO non-experimental just means the solution works with whatever
configuration limitations it comes with. It shouldn't mean every
device or every configuration combination works.
So if you want to do single device, or just hard require P2P for now,
those are both reasonable temporary choices IMHO.
But they are temporary and we should come with a remedy to allow
non-P2P migration devices to work as well.
Given we merged a non-P2P kernel driver I prefer the single device
option as it is more logically consistent with the kernel situation.
Jason
next prev parent reply other threads:[~2023-02-01 20:11 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-26 18:49 [PATCH 00/18] vfio: Add migration pre-copy support and device dirty tracking Avihai Horon
2023-01-26 18:49 ` [PATCH 01/18] vfio/migration: Add VFIO migration pre-copy support Avihai Horon
2023-01-26 23:52 ` Alex Williamson
2023-01-31 12:44 ` Avihai Horon
2023-01-31 22:43 ` Alex Williamson
2023-01-31 23:29 ` Jason Gunthorpe
2023-02-01 4:15 ` Alex Williamson
2023-02-01 17:28 ` Jason Gunthorpe
2023-02-01 18:42 ` Alex Williamson
2023-02-01 20:10 ` Jason Gunthorpe [this message]
2023-01-26 18:49 ` [PATCH 02/18] vfio/common: Fix error reporting in vfio_get_dirty_bitmap() Avihai Horon
2023-02-15 9:21 ` Cédric Le Goater
2023-01-26 18:49 ` [PATCH 03/18] vfio/common: Fix wrong %m usages Avihai Horon
2023-02-15 9:21 ` Cédric Le Goater
2023-01-26 18:49 ` [PATCH 04/18] vfio/common: Abort migration if dirty log start/stop/sync fails Avihai Horon
2023-02-15 9:41 ` Cédric Le Goater
2023-01-26 18:49 ` [PATCH 05/18] vfio/common: Add VFIOBitmap and (de)alloc functions Avihai Horon
2023-01-27 21:11 ` Alex Williamson
2023-02-12 15:36 ` Avihai Horon
2023-02-14 21:28 ` Alex Williamson
2023-01-26 18:49 ` [PATCH 06/18] util: Add iova_tree_nnodes() Avihai Horon
2023-02-09 22:21 ` Peter Xu
2023-01-26 18:49 ` [PATCH 07/18] util: Extend iova_tree_foreach() to take data argument Avihai Horon
2023-02-09 22:21 ` Peter Xu
2023-01-26 18:49 ` [PATCH 08/18] vfio/common: Record DMA mapped IOVA ranges Avihai Horon
2023-01-27 21:42 ` Alex Williamson
2023-02-12 15:40 ` Avihai Horon
2023-02-13 15:25 ` Alex Williamson
2023-01-26 18:49 ` [PATCH 09/18] vfio/common: Add device dirty page tracking start/stop Avihai Horon
2023-01-26 18:49 ` [PATCH 10/18] vfio/common: Extract code from vfio_get_dirty_bitmap() to new function Avihai Horon
2023-01-26 18:49 ` [PATCH 11/18] vfio/common: Add device dirty page bitmap sync Avihai Horon
2023-01-27 23:37 ` Alex Williamson
2023-02-12 15:49 ` Avihai Horon
2023-01-26 18:49 ` [PATCH 12/18] vfio/common: Extract vIOMMU code from vfio_sync_dirty_bitmap() Avihai Horon
2023-01-26 18:49 ` [PATCH 13/18] memory/iommu: Add IOMMU_ATTR_MAX_IOVA attribute Avihai Horon
2023-02-09 22:16 ` Peter Xu
2023-01-26 18:49 ` [PATCH 14/18] intel-iommu: Implement get_attr() method Avihai Horon
2023-02-09 22:18 ` Peter Xu
2023-01-26 18:49 ` [PATCH 15/18] vfio/common: Support device dirty page tracking with vIOMMU Avihai Horon
2023-01-26 18:49 ` [PATCH 16/18] vfio/common: Optimize " Avihai Horon
2023-01-26 18:49 ` [PATCH 17/18] vfio/migration: Query device dirty page tracking support Avihai Horon
2023-01-26 18:49 ` [PATCH 18/18] docs/devel: Document VFIO device dirty page tracking Avihai Horon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9rHSlnWAxj3Zm40@nvidia.com \
--to=jgg@nvidia.com \
--cc=alex.williamson@redhat.com \
--cc=avihaih@nvidia.com \
--cc=david@redhat.com \
--cc=eduardo@habkost.net \
--cc=jasowang@redhat.com \
--cc=joao.m.martins@oracle.com \
--cc=kwankhede@nvidia.com \
--cc=maorg@nvidia.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=targupta@nvidia.com \
--cc=yishaih@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.