From: "Cédric Le Goater" <clg@fr.ibm.com>
To: Ram Pai <linuxram@us.ibm.com>,
	David Gibson <david@gibson.dropbear.id.au>
Cc: aik@ozlabs.ru, andmike@linux.ibm.com, Greg Kurz <groug@kaod.org>,
	kvm-ppc@vger.kernel.org, sukadev@linux.vnet.ibm.com,
	linuxppc-dev@lists.ozlabs.org, bauerman@linux.ibm.com
Subject: RE: [RFC PATCH v1] powerpc/prom_init: disable XIVE in Secure VM.
Date: Thu, 5 Mar 2020 16:36:03 +0100
Message-ID: <e4bb44b1-2bf6-6488-0a4d-ed95ac944e71@fr.ibm.com>
In-Reply-To: <20200305151530.GJ5416@oc0525413822.ibm.com>

On 3/5/20 4:15 PM, Ram Pai wrote:
> On Thu, Mar 05, 2020 at 10:55:45AM +1100, David Gibson wrote:
>> On Wed, Mar 04, 2020 at 04:56:09PM +0100, Cédric Le Goater wrote:
>>> [ ... ]
>>>
>>>> (1) applied the patch which shares the EQ-page with the hypervisor.
>>>> (2) set "kernel_irqchip=off"
>>>> (3) set "ic-mode=xive"
>>>
>>> you don't have to set the interrupt mode. xive should be negotiated
>>> by default.
>>>
>>>> (4) set "svm=on" on the kernel command line.
>>>> (5) no changes to the hypervisor and ultravisor.
>>>>
>>>> And Boom it works!.   So you were right.
>>>
>>> Excellent.
>>>  
>>>> I am sending out the patch for (1) above ASAP.
>>>
>>> Next step, could you please try to do the same with the TIMA and ESB pfn ?
>>> and use KVM.
>>
>> I'm a bit confused by this.  Aren't the TIMA and ESB pages essentially
>> IO pages, rather than memory pages from the guest's point of view?  I
>> assume only memory pages are protected with PEF - I can't even really
>> see what protecting an IO page would even mean.
> 
> It means, that the hypervisor and qemu cannot access the addresses used
> to access the I/O pages. It can only be accessed by Ultravisor and the
> SVM.
> 
> As it stands today, those pages are accessible from the hypervisor
> and not from the SVM or the ultravisor.
> 
> To make it work, we need to enable access to those pages from the SVM
> and from the ultravisor.  One thing I am not clear is should we block
> access to those pages from the hypervisor. If yes, then there is no
> good way to do that, without hardware help.  If no, then those GPA pages
> can be shared, so that hypervisor/ultravisor/qemu/SVM can all access
> those pages.

They are shared.

KVM will also access them, at interrupt creation, device reset and 
passthrough. QEMU will use them to mask on/off the interrupts in
case of guest migration or machine stop/continue. 

C.

