All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Catangiu, Adrian Costin" <acatan@amazon.com>
To: Jann Horn <jannh@google.com>
Cc: "Graf (AWS), Alexander" <graf@amazon.de>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>, Willy Tarreau <w@1wt.eu>,
	"MacCarthaigh, Colm" <colmmacc@amazon.com>,
	Andy Lutomirski <luto@kernel.org>,
	"Theodore Y. Ts'o" <tytso@mit.edu>,
	Eric Biggers <ebiggers@kernel.org>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	kernel list <linux-kernel@vger.kernel.org>,
	"Woodhouse, David" <dwmw@amazon.co.uk>,
	"bonzini@gnu.org" <bonzini@gnu.org>,
	"Singh, Balbir" <sblbir@amazon.com>,
	"Weiss, Radu" <raduweis@amazon.com>,
	"oridgar@gmail.com" <oridgar@gmail.com>,
	"ghammer@redhat.com" <ghammer@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Qemu Developers <qemu-devel@nongnu.org>,
	KVM list <kvm@vger.kernel.org>, Michal Hocko <mhocko@kernel.org>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Pavel Machek <pavel@ucw.cz>,
	Linux API <linux-api@vger.kernel.org>,
	"mpe@ellerman.id.au" <mpe@ellerman.id.au>,
	linux-s390 <linux-s390@vger.kernel.org>,
	"areber@redhat.com" <areber@redhat.com>,
	Pavel Emelyanov <ovzxemul@gmail.com>,
	Andrey Vagin <avagin@gmail.com>, Mike Rapoport <rppt@kernel.org>,
	Dmitry Safonov <0x7f454c46@gmail.com>,
	Pavel Tikhomirov <ptikhomirov@virtuozzo.com>,
	"gil@azul.com" <gil@azul.com>,
	"asmehra@redhat.com" <asmehra@redhat.com>,
	"dgunigun@redhat.com" <dgunigun@redhat.com>,
	"vijaysun@ca.ibm.com" <vijaysun@ca.ibm.com>
Subject: Re: [PATCH v2] drivers/virt: vmgenid: add vm generation id driver
Date: Fri, 27 Nov 2020 21:04:01 +0200	[thread overview]
Message-ID: <e4acbcdb-7ee4-5dfb-ffbf-19eb49cef9c6@amazon.com> (raw)
In-Reply-To: <CAG48ez13ZAAOVmA89PRKRqr9UezV2_bj8Q6_6sSPzcqfzbsuQQ@mail.gmail.com>

Sorry Jann for missing your original email.

On 27/11/2020 20:22, Jann Horn wrote:
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
>
>
>
> [resend in the hope that amazon will accept my mail this time instead
> of replying "550 Too many invalid recipients" again]
>
> On Fri, Nov 20, 2020 at 11:29 PM Jann Horn <jannh@google.com> wrote:
>> On Mon, Nov 16, 2020 at 4:35 PM Catangiu, Adrian Costin
>> <acatan@amazon.com> wrote:
>>> This patch is a driver that exposes a monotonic incremental Virtual
>>> Machine Generation u32 counter via a char-dev FS interface that
>>> provides sync and async VmGen counter updates notifications. It also
>>> provides VmGen counter retrieval and confirmation mechanisms.
>>>
>>> The hw provided UUID is not exposed to userspace, it is internally
>>> used by the driver to keep accounting for the exposed VmGen counter.
>>> The counter starts from zero when the driver is initialized and
>>> monotonically increments every time the hw UUID changes (the VM
>>> generation changes).
>>>
>>> On each hw UUID change, the new hypervisor-provided UUID is also fed
>>> to the kernel RNG.
>> As for v1:
>>
>> Is there a reasonable usecase for the "confirmation" mechanism? It
>> doesn't seem very useful to me.

I think it adds value in complex scenarios with multiple users of the
mechanism, potentially at varying layers of the stack, different
processes and/or runtime libraries.

The driver offers a natural place to handle minimal orchestration
support and offer visibility in system-wide status.

A high-level service that trusts all system components to properly use
the confirmation mechanism can actually block and wait patiently for the
system to adjust to the new world. Even if it doesn't trust all
components it can still do a best-effort, timeout block.

>>
>> How do you envision integrating this with libraries that have to work
>> in restrictive seccomp sandboxes? If this was in the vDSO, that would
>> be much easier.

Since this mechanism targets all of userspace stack, the usecase greatly
vary. I doubt we can have a single silver bullet interface.

For example, the mmap interface targets user space RNGs, where as fast
and as race free as possible is key. But there also higher level
applications that don't manage their own memory or don't have access to
low-level primitives so they can't use the mmap or even vDSO interfaces.
That's what the rest of the logic is there for, the read+poll interface
and all of the orchestration logic.

Like you correctly point out, there are also scenarios like tight
seccomp jails where even the FS interfaces is inaccessible. For cases
like this and others, I believe we will have to work incrementally to
build up the interface diversity to cater to all the user scenarios
diversity.


Thanks,

Adrian.





Amazon Development Center (Romania) S.R.L. registered office: 27A Sf. Lazar Street, UBC5, floor 2, Iasi, Iasi County, 700045, Romania. Registered in Romania. Registration number J22/2621/2005.

  reply	other threads:[~2020-11-27 19:08 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-16 15:34 [PATCH v2] drivers/virt: vmgenid: add vm generation id driver Catangiu, Adrian Costin
2020-11-18 10:30 ` Alexander Graf
2020-11-27 17:17   ` Catangiu, Adrian Costin
2020-12-07 13:23     ` Alexander Graf
2020-11-19 12:02 ` Christian Borntraeger
2020-11-19 12:02   ` Christian Borntraeger
2020-11-19 12:51   ` Alexander Graf
2020-11-19 13:09     ` Christian Borntraeger
2020-11-19 13:09       ` Christian Borntraeger
2020-11-19 17:38     ` Mike Rapoport
2020-11-19 17:38       ` Mike Rapoport
2020-11-19 18:36       ` Alexander Graf
2020-11-19 18:36         ` Alexander Graf
2020-11-20 21:18         ` Dmitry Safonov
2020-11-20 21:18           ` Dmitry Safonov
2020-11-20 21:18           ` Dmitry Safonov
2020-11-27 18:26           ` [PATCH v3] " Catangiu, Adrian Costin
2020-11-27 18:26             ` Catangiu, Adrian Costin
2020-11-28 10:16             ` Mike Rapoport
2020-11-28 10:16               ` Mike Rapoport
2020-11-28 10:16               ` Mike Rapoport
2020-12-01 18:00             ` Eric W. Biederman
2020-12-01 18:00               ` Eric W. Biederman
2020-12-01 18:00               ` Eric W. Biederman
2020-12-07 13:11             ` Alexander Graf
2020-12-07 13:11               ` Alexander Graf
2021-01-11  7:35               ` Catangiu, Adrian Costin via
2020-11-20 22:29 ` [PATCH v2] " Jann Horn
2020-11-20 22:29   ` Jann Horn
2020-11-27 18:22   ` Jann Horn
2020-11-27 18:22     ` Jann Horn
2020-11-27 19:04     ` Catangiu, Adrian Costin [this message]
2020-11-27 20:20       ` Jann Horn
2020-11-27 20:20         ` Jann Horn
2020-12-07 14:22         ` Alexander Graf
2020-12-07 14:22           ` Alexander Graf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e4acbcdb-7ee4-5dfb-ffbf-19eb49cef9c6@amazon.com \
    --to=acatan@amazon.com \
    --cc=0x7f454c46@gmail.com \
    --cc=Jason@zx2c4.com \
    --cc=areber@redhat.com \
    --cc=asmehra@redhat.com \
    --cc=avagin@gmail.com \
    --cc=bonzini@gnu.org \
    --cc=borntraeger@de.ibm.com \
    --cc=colmmacc@amazon.com \
    --cc=corbet@lwn.net \
    --cc=dgunigun@redhat.com \
    --cc=dwmw@amazon.co.uk \
    --cc=ebiggers@kernel.org \
    --cc=ghammer@redhat.com \
    --cc=gil@azul.com \
    --cc=graf@amazon.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=jannh@google.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mhocko@kernel.org \
    --cc=mpe@ellerman.id.au \
    --cc=mst@redhat.com \
    --cc=oridgar@gmail.com \
    --cc=ovzxemul@gmail.com \
    --cc=pavel@ucw.cz \
    --cc=ptikhomirov@virtuozzo.com \
    --cc=qemu-devel@nongnu.org \
    --cc=raduweis@amazon.com \
    --cc=rafael@kernel.org \
    --cc=rppt@kernel.org \
    --cc=sblbir@amazon.com \
    --cc=tytso@mit.edu \
    --cc=vijaysun@ca.ibm.com \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.