From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>, Will Deacon <will.deacon@arm.com>, Anshuman Khandual <khandual@linux.vnet.ibm.com>, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, aik@ozlabs.ru, robh@kernel.org, joe@perches.com, elfring@users.sourceforge.net, david@gibson.dropbear.id.au, jasowang@redhat.com, mpe@ellerman.id.au, linuxram@us.ibm.com, haren@linux.vnet.ibm.com, paulus@samba.org, srikar@linux.vnet.ibm.com, robin.murphy@arm.com, jean-philippe.brucker@arm.com, marc.zyngier@arm.com
Subject: Re: [RFC 0/4] Virtio uses DMA API for all devices
Date: Tue, 07 Aug 2018 05:56:59 +1000
Message-ID: <ef6d5d7c7b812bd797a1c3fd6bc7a26d0074020f.camel@kernel.crashing.org>
In-Reply-To: <20180806164106-mutt-send-email-mst@kernel.org>

On Mon, 2018-08-06 at 16:46 +0300, Michael S. Tsirkin wrote:
>
> > Right, we'll need some quirk to disable balloons in the guest I
> > suppose.
> >
> > Passing something from libvirt is cumbersome because the end user may
> > not even need to know about secure VMs. There are use cases where the
> > security is a contract down to some special application running inside
> > the secure VM, the sysadmin knows nothing about.
> >
> > Also there's repercussions all the way to admin tools, web UIs etc...
> > so it's fairly wide ranging.
> >
> > So as long as we only need to quirk a couple of devices, it's much
> > better contained that way.
>
> So just the balloon thing already means that yes management and all the
> way to the user tools must know this is going on. Otherwise
> user will try to inflate the balloon and wonder why this does not work.

There are *dozens* of management systems out there, not even all open
source; we won't ever be able to see the end of the tunnel if we need to
teach every single one of them, including end users, about platform
specific new VM flags like that.

.../...

> Here's another example: you can't migrate a secure vm to hypervisor
> which doesn't support this feature. Again management tools above libvirt
> need to know otherwise they will try.

There will have to be a new machine type for that I suppose, yes, though
it's not just the hypervisor that needs to know about the modified
migration stream, it's also the need to have a compatible ultravisor with
the right keys on the other side.

So migration is going to be special and require extra admin work in all
cases, yes. But not all secure VMs are meant to be migratable.

In any case, back to the problem at hand. What a qemu flag gives us is
just a way to force iommu at VM creation time. This is rather
sub-optimal, we don't really want the iommu in the way, so it's at best a
"workaround", and it's not really solving the real problem.

As I said replying to Christoph, we are "leaking" into the interface
something here that is really what the VM is doing to itself, which is
to stash its memory away in an inaccessible place.

Cheers,
Ben.
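The point Ben makes at the end of the message, that a secure VM "stashes its memory away in an inaccessible place", is the reason the series wants virtio to go through the DMA API: the hypervisor's virtio backend can no longer read or write guest-private buffers directly, so the platform's dma_ops have to bounce every transfer through memory the guest has deliberately shared. The C model below is an added illustration of that mechanism and is not code from the kernel, from the RFC series, or from anyone on this thread. Every name, address and size in it is made up (the "secure" memory is modelled by never letting the device-model functions touch it, the shared window is a plain array at a hypothetical bus address, and the sample packet is constructed); it shows a map/unmap pair that copies through a shared slot and scrubs it afterwards, the backend refusing to touch a private address, and why the old "direct" virtio path cannot work in such a guest.

```c
/*
 * Added illustrative model (not kernel code, not from the RFC series):
 * why a guest whose memory is hidden from the hypervisor needs a DMA-API
 * style bounce path for virtio.  All names, addresses and sizes are made up.
 *
 *   - private guest memory: ordinary C objects that the device-model
 *     functions below are never allowed to reach.
 *   - shared_pool[]: the one window the guest has explicitly made
 *     accessible; the hypervisor's virtio backend may only touch this.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHARED_DMA_BASE  0x80000000ULL   /* hypothetical bus address of the shared window */
#define SHARED_POOL_SIZE 4096
#define SLOT_SIZE        256
#define NSLOTS           (SHARED_POOL_SIZE / SLOT_SIZE)
#define PRIVATE_GPA_BASE 0x10000000ULL   /* hypothetical address of a private guest page */

typedef uint64_t dma_addr_t;
#define DMA_MAPPING_ERROR ((dma_addr_t)~0ULL)

enum dma_dir { DMA_TO_DEVICE, DMA_FROM_DEVICE, DMA_BIDIRECTIONAL };

static uint8_t shared_pool[SHARED_POOL_SIZE];
static bool    slot_used[NSLOTS];

/* Guest side: map a private buffer for DMA by bouncing it through a shared slot. */
dma_addr_t secure_dma_map(const void *priv, size_t len, enum dma_dir dir)
{
    if (len == 0 || len > SLOT_SIZE)
        return DMA_MAPPING_ERROR;            /* this toy has no multi-slot mappings */
    for (size_t i = 0; i < NSLOTS; i++) {
        if (slot_used[i])
            continue;
        slot_used[i] = true;
        if (dir != DMA_FROM_DEVICE)          /* device will read: publish the data */
            memcpy(&shared_pool[i * SLOT_SIZE], priv, len);
        return SHARED_DMA_BASE + i * SLOT_SIZE;
    }
    return DMA_MAPPING_ERROR;                /* shared pool exhausted */
}

/* Guest side: tear down a mapping, pulling device-written data back into private memory. */
bool secure_dma_unmap(dma_addr_t dma, void *priv, size_t len, enum dma_dir dir)
{
    if (dma < SHARED_DMA_BASE || len > SHARED_POOL_SIZE ||
        dma - SHARED_DMA_BASE > SHARED_POOL_SIZE - len)
        return false;                        /* not a handle we gave out */
    size_t off = (size_t)(dma - SHARED_DMA_BASE);
    if (off % SLOT_SIZE != 0 || !slot_used[off / SLOT_SIZE])
        return false;
    if (dir != DMA_TO_DEVICE)
        memcpy(priv, &shared_pool[off], len);
    memset(&shared_pool[off], 0, SLOT_SIZE); /* scrub: leave no guest data in shared memory */
    slot_used[off / SLOT_SIZE] = false;
    return true;
}

/* Hypervisor side: the virtio backend can only reach the shared window. */
static bool hv_range_ok(dma_addr_t dma, size_t len)
{
    return dma >= SHARED_DMA_BASE && len <= SHARED_POOL_SIZE &&
           dma - SHARED_DMA_BASE <= SHARED_POOL_SIZE - len;
}

bool hv_device_write(dma_addr_t dma, const void *data, size_t len)
{
    if (!hv_range_ok(dma, len))
        return false;                        /* access to private memory is refused */
    memcpy(&shared_pool[dma - SHARED_DMA_BASE], data, len);
    return true;
}

bool hv_device_read(dma_addr_t dma, void *out, size_t len)
{
    if (!hv_range_ok(dma, len))
        return false;
    memcpy(out, &shared_pool[dma - SHARED_DMA_BASE], len);
    return true;
}

/* True when no slot is in use and nothing remains in the shared window. */
bool shared_pool_is_clean(void)
{
    for (size_t i = 0; i < NSLOTS; i++)
        if (slot_used[i])
            return false;
    for (size_t i = 0; i < SHARED_POOL_SIZE; i++)
        if (shared_pool[i] != 0)
            return false;
    return true;
}

/* Receive path through the bounce buffer: true if the guest ends up seeing the payload. */
bool demo_bounced_receive(void)
{
    static const uint8_t payload[] = "constructed packet";  /* constructed sample input */
    uint8_t priv[sizeof payload] = {0};                     /* lives in private memory */

    dma_addr_t dma = secure_dma_map(priv, sizeof priv, DMA_FROM_DEVICE);
    if (dma == DMA_MAPPING_ERROR) return false;
    if (!hv_device_write(dma, payload, sizeof payload)) return false;
    if (!secure_dma_unmap(dma, priv, sizeof priv, DMA_FROM_DEVICE)) return false;
    return memcmp(priv, payload, sizeof payload) == 0;
}

/* The "direct" path: hand the device a private guest address, as virtio did without the
 * DMA API.  In a secure VM the backend cannot reach it; true if the access was refused. */
bool demo_direct_path_refused(void)
{
    uint8_t dummy[16] = {0};
    return !hv_device_write(PRIVATE_GPA_BASE, dummy, sizeof dummy);
}
```

The two demo functions are the whole argument in miniature: with the bounce path the device only ever sees the shared slot and the guest copies the result into private memory on unmap; with the direct path the backend is handed an address it cannot touch, and no qemu-side flag changes that, because the decision to hide the memory was made by the guest itself. The scrub on unmap is the detail a practitioner would add in any real implementation, since shared slots are reused and the hypervisor can read them at any time.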