All of lore.kernel.org
 help / color / mirror / Atom feed
From: Joerg Roedel <jroedel@suse.de>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: David Rientjes <rientjes@google.com>,
	Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
	Sean Christopherson <seanjc@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Andi Kleen <ak@linux.intel.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Jon Grimm <jon.grimm@amd.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Ingo Molnar <mingo@redhat.com>,
	"Kaplan, David" <David.Kaplan@amd.com>,
	Varad Gautam <varad.gautam@suse.com>,
	Dario Faggioli <dfaggioli@suse.com>,
	x86@kernel.org, linux-mm@kvack.org, linux-coco@lists.linux.dev
Subject: Re: Runtime Memory Validation in Intel-TDX and AMD-SNP
Date: Wed, 21 Jul 2021 11:25:25 +0200	[thread overview]
Message-ID: <YPfoBZ+ezF2dN1d6@suse.de> (raw)
In-Reply-To: <20210720173004.ucrliup5o7l3jfq3@box.shutemov.name>

Hi Kirill,

On Tue, Jul 20, 2021 at 08:30:04PM +0300, Kirill A. Shutemov wrote:
> On Mon, Jul 19, 2021 at 02:58:22PM +0200, Joerg Roedel wrote:
> We use EFI unaccepted memory type to pass this information between
> firmware and kernel. In my WIP patch I translate it to a new E820 memory
> type: E820_TYPE_UNACCEPTED.

Yeah, that is what I meant with a new E820 entry type.

> E820 can also be used during early boot for tracking what memory got
> accepted by kernel too.

Won't this get very fragmented? How do you handle overlaps with other
E820 regions?

> For now, I debug with 256MiB accepted by firmware. It allows to avoid
> dealing with decompression code at this stage of the project. I plan to
> lower the number later.

Yes, this can be experimented with, the proposal allows a custom amount
of memory to be pre-validated/accepted.

> I would argue for per-range, not per-page, tracking of accepted/validated
> memory for decompresser and early boot code, until page allocator is fully
> functional. I have reasonable success with this approach so far.

What do you mean by 'reasonable' success? Especially, how robust is that
against unrelated changes to the boot code? As with SEV-SNP, I guess
there will be no broad testing of unrelated kernel changes in a TDX
environment, so some robustness is key to keep things working.

> During early boot I treat unaccepted memory as a usable RAM. It only
> requires special treatment on memblock_reserve(), which used for early
> memory allocation: unaccepted usable RAM has to be accepted, before
> reserving.

What happens before memblock is active, say in the decompressor. Will
unaccepted memory be considered for KASLR placement?

> For fine-grained accepting/validation tracking I use PageOffline() flags
> (it's encoded into mapcount): before adding an unaccepted page to free
> list I set the PageOffline() to indicate that the page has to be accepted
> before returning from the page allocator. Currently, we never have
> PageOffline() set for pages on free lists, so we won't have confusion with
> ballooning or memory hotplug.

Okay, I think that could also easily break with unrelated memory
management changes, but should work for now in TDX.

> I try to keep pages accepted in 2M or 4M chunks (pageblock_order or
> MAX_ORDER). It is reasonable compromise on speed/latency.

Makes sense, SEV-SNP will likely do something similar.

> I'm not sure a bitmap is needed. I hope we can use E820 for early
> tracking. But let's see if it works.

We should find a solution which works for TDX and SNP, given that the
required changes are intrusive and that it is much easier to just
support one way to handle this.

That said, the Validation Bitmap has a clear benefit for SEV-SNP in that
it makes it trivial to support kexec/kdump scenarios. Further the
bitmap makes it trivial to transport the information through the whole
boot process. It also won't be big, SNP (and I think TDX too) would
be okay with one bit per 4k page, so the bitmap would need 32kb of
memory per GB of guest RAM.

And keeping the information separate from struct page will make the code
more robust against unrelated code changes.

Regards,

	Joerg

  parent reply	other threads:[~2021-07-21  9:25 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-19 12:58 Runtime Memory Validation in Intel-TDX and AMD-SNP Joerg Roedel
2021-07-19 13:07 ` Matthew Wilcox
2021-07-19 15:02   ` Joerg Roedel
2021-07-19 20:39 ` Andi Kleen
2021-07-20  8:55   ` Joerg Roedel
2021-07-20  9:34     ` Dr. David Alan Gilbert
2021-07-20 11:50       ` Joerg Roedel
2021-07-20  0:26 ` Andy Lutomirski
2021-07-20  1:51   ` Erdem Aktas
2021-07-20  2:00     ` Erdem Aktas
2021-07-20  3:30     ` Andy Lutomirski
2021-07-20 19:54       ` Erdem Aktas
2021-07-20 22:01         ` Andi Kleen
2021-07-20 23:55           ` Erdem Aktas
2021-07-21  0:35             ` Andi Kleen
2021-07-21  8:51           ` Joerg Roedel
2021-07-20  5:17     ` Andi Kleen
2021-07-20  9:11       ` Joerg Roedel
2021-07-20 17:32         ` Andi Kleen
2021-07-20 23:09       ` Erdem Aktas
2021-07-21  0:38         ` Andi Kleen
2021-07-22 17:31       ` Marc Orr
2021-07-26 18:55         ` Joerg Roedel
2021-07-20  8:44   ` Joerg Roedel
2021-07-20 14:14   ` Dave Hansen
2021-07-20 17:30 ` Kirill A. Shutemov
2021-07-21  9:20   ` Mike Rapoport
2021-07-21 10:02     ` Kirill A. Shutemov
2021-07-21 10:22       ` Mike Rapoport
2021-07-21 10:53       ` Joerg Roedel
2021-07-21  9:25   ` Joerg Roedel [this message]
2021-07-21 10:25     ` Kirill A. Shutemov
2021-07-21 10:48       ` Joerg Roedel
2021-07-22 15:46   ` David Hildenbrand
2021-07-26 19:02     ` Joerg Roedel
2021-07-27  9:34       ` David Hildenbrand
2021-08-02 10:19         ` Joerg Roedel
2021-08-02 18:47           ` David Hildenbrand
2021-07-22 15:57 ` David Hildenbrand
2021-07-22 19:51 ` Kirill A. Shutemov
2021-07-23 15:23   ` Mike Rapoport
2021-07-23 16:29     ` Kirill A. Shutemov
2021-07-25  9:16       ` Mike Rapoport
2021-07-25 18:28         ` Kirill A. Shutemov
2021-07-26 10:00           ` Mike Rapoport
2021-07-26 11:53             ` Kirill A. Shutemov
2021-07-26 19:13   ` Joerg Roedel
2021-07-26 23:02   ` Erdem Aktas
2021-07-26 23:54     ` Kirill A. Shutemov
2021-07-27  1:35       ` Erdem Aktas
2021-07-23 11:04 ` Varad Gautam
2021-07-23 14:34   ` Kaplan, David

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YPfoBZ+ezF2dN1d6@suse.de \
    --to=jroedel@suse.de \
    --cc=David.Kaplan@amd.com \
    --cc=ak@linux.intel.com \
    --cc=akpm@linux-foundation.org \
    --cc=bp@alien8.de \
    --cc=brijesh.singh@amd.com \
    --cc=dfaggioli@suse.com \
    --cc=jon.grimm@amd.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=kirill@shutemov.name \
    --cc=linux-coco@lists.linux.dev \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rientjes@google.com \
    --cc=seanjc@google.com \
    --cc=tglx@linutronix.de \
    --cc=thomas.lendacky@amd.com \
    --cc=varad.gautam@suse.com \
    --cc=vbabka@suse.cz \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.