From: "Gowans, James" <jgowans@amazon.com>
To: "seanjc@google.com" <seanjc@google.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"Roy, Patrick" <roypat@amazon.co.uk>,
"chao.p.peng@linux.intel.com" <chao.p.peng@linux.intel.com>,
"Manwaring, Derek" <derekmn@amazon.com>,
"rppt@kernel.org" <rppt@kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>
Cc: "Kalyazin, Nikita" <kalyazin@amazon.co.uk>,
"lstoakes@gmail.com" <lstoakes@gmail.com>,
"Liam.Howlett@oracle.com" <Liam.Howlett@oracle.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"kirill.shutemov@linux.intel.com"
<kirill.shutemov@linux.intel.com>,
"vbabka@suse.cz" <vbabka@suse.cz>,
"mst@redhat.com" <mst@redhat.com>,
"somlo@cmu.edu" <somlo@cmu.edu>, "Graf (AWS),
Alexander" <graf@amazon.de>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"linux-coco@lists.linux.dev" <linux-coco@lists.linux.dev>
Subject: Unmapping KVM Guest Memory from Host Kernel
Date: Fri, 8 Mar 2024 15:50:05 +0000 [thread overview]
Message-ID: <cc1bb8e9bc3e1ab637700a4d3defeec95b55060a.camel@amazon.com> (raw)
Hello KVM, MM and memfd_secret folks,
Currently when using anonymous memory for KVM guest RAM, the memory all
remains mapped into the kernel direct map. We are looking at options to
get KVM guest memory out of the kernel’s direct map as a principled
approach to mitigating speculative execution issues in the host kernel.
Our goal is to more completely address the class of issues whose leak
origin is categorized as "Mapped memory" [1].
We currently have downstream-only solutions to this, but we want to move
to purely upstream code.
So far we have been looking at using memfd_secret, which seems to be
designed exactly for usecases where it is undesirable to have some
memory range accessible through the kernel’s direct map.
However, memfd_secret doesn’t work out the box for KVM guest memory; the
main reason seems to be that the GUP path is intentionally disabled for
memfd_secret, so if we use a memfd_secret backed VMA for a memslot then
KVM is not able to fault the memory in. If it’s been pre-faulted in by
userspace then it seems to work.
There are a few other issues around when KVM accesses the guest memory.
For example the KVM PV clock code goes directly to the PFN via the
pfncache, and that also breaks if the PFN is not in the direct map, so
we’d need to change that sort of thing, perhaps going via userspace
addresses.
If we remove the memfd_secret check from the GUP path, and disable KVM’s
pvclock from userspace via KVM_CPUID_FEATURES, we are able to boot a
simple Linux initrd using a Firecracker VMM modified to use
memfd_secret.
We are also aware of ongoing work on guest_memfd. The current
implementation unmaps guest memory from VMM address space, but leaves it
in the kernel’s direct map. We’re not looking at unmapping from VMM
userspace yet; we still need guest RAM there for PV drivers like virtio
to continue to work. So KVM’s gmem doesn’t seem like the right solution?
With this in mind, what’s the best way to solve getting guest RAM out of
the direct map? Is memfd_secret integration with KVM the way to go, or
should we build a solution on top of guest_memfd, for example via some
flag that causes it to leave memory in the host userspace’s page tables,
but removes it from the direct map?
We are keen to help contribute to getting this working, we’re just
looking for guidance from maintainers on what the correct way to solve
this is.
Cheers,
James + colleagues Derek and Patrick
next reply other threads:[~2024-03-08 15:50 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AQHacXBJeX10YUH0O0SiQBg1zQLaEw==>
2024-03-08 15:50 ` Gowans, James [this message]
2024-03-08 16:25 ` Unmapping KVM Guest Memory from Host Kernel Brendan Jackman
2024-03-08 17:35 ` David Matlack
2024-03-08 17:45 ` David Woodhouse
2024-03-08 22:47 ` Sean Christopherson
2024-03-09 2:45 ` Manwaring, Derek
2024-03-18 14:11 ` Brendan Jackman
2024-03-08 23:22 ` Sean Christopherson
2024-03-09 11:14 ` Mike Rapoport
2024-05-13 10:31 ` Patrick Roy
2024-05-13 15:39 ` Sean Christopherson
2024-05-13 16:01 ` Gowans, James
2024-05-13 17:09 ` Sean Christopherson
2024-05-13 19:43 ` Gowans, James
2024-05-13 20:36 ` Sean Christopherson
2024-05-13 22:01 ` Manwaring, Derek
2024-03-14 21:45 ` Manwaring, Derek
2024-03-09 5:01 ` Matthew Wilcox
2024-03-08 21:05 Manwaring, Derek
2024-03-11 9:26 ` Fuad Tabba
2024-03-11 9:29 ` Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cc1bb8e9bc3e1ab637700a4d3defeec95b55060a.camel@amazon.com \
--to=jgowans@amazon.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=chao.p.peng@linux.intel.com \
--cc=derekmn@amazon.com \
--cc=dwmw@amazon.co.uk \
--cc=graf@amazon.de \
--cc=kalyazin@amazon.co.uk \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=linux-mm@kvack.org \
--cc=lstoakes@gmail.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=roypat@amazon.co.uk \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=somlo@cmu.edu \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.