From: David Hildenbrand <david@redhat.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>,
Joerg Roedel <jroedel@suse.de>
Cc: David Rientjes <rientjes@google.com>,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Sean Christopherson <seanjc@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Jon Grimm <jon.grimm@amd.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
"Kaplan, David" <David.Kaplan@amd.com>,
Varad Gautam <varad.gautam@suse.com>,
Dario Faggioli <dfaggioli@suse.com>,
x86@kernel.org, linux-mm@kvack.org, linux-coco@lists.linux.dev
Subject: Re: Runtime Memory Validation in Intel-TDX and AMD-SNP
Date: Thu, 22 Jul 2021 17:46:13 +0200 [thread overview]
Message-ID: <fa38e74e-e7ca-39f3-f2db-f0a0de152edb@redhat.com> (raw)
In-Reply-To: <20210720173004.ucrliup5o7l3jfq3@box.shutemov.name>
>>
>> 8. When memory is returned to the memblock or page allocators,
>> it is _not_ invalidated. In fact, all memory which is freed
>> need to be valid. If it was marked invalid in the meantime
>> (e.g. if it the memory was used for DMA buffers), the code
>> owning the memory needs to validate it again before freeing
>> it.
>>
>> The benefit of doing memory validation at allocation time is
>> that it keeps the exception handler for invalid memory
>> simple, because no exceptions of this kind are expected under
>> normal operation.
>
> During early boot I treat unaccepted memory as a usable RAM. It only
> requires special treatment on memblock_reserve(), which used for early
> memory allocation: unaccepted usable RAM has to be accepted, before
> reserving.
>
> For fine-grained accepting/validation tracking I use PageOffline() flags
> (it's encoded into mapcount): before adding an unaccepted page to free
> list I set the PageOffline() to indicate that the page has to be accepted
> before returning from the page allocator. Currently, we never have
> PageOffline() set for pages on free lists, so we won't have confusion with
> ballooning or memory hotplug.
I was just about to propose something similar. Something like that
sounds like the best approach to me
1. Sync e820 to memblock
2. Sync memblock to memmap
3. Let the page allocator deal with validation once initializing/handing
out memory
PageOffline() does exactly what you want, just be aware that
PageBuddy()+PageOffline() won't be recognized by crash anymore, as it
tests for a single memmap value. Can be fixed with makedumpfile updates
once that applies.
Alternatively, you could use any other page flag that is yet unsued
combined with PageBuddy.
Sure, there might be obstacles, but it certainly sounds like a clean
approach to me.
>
> I try to keep pages accepted in 2M or 4M chunks (pageblock_order or
> MAX_ORDER). It is reasonable compromise on speed/latency.
>
> I still debugging the code, but hopefully will get working PoC this week.
>
[...]
>
> I'm not sure a bitmap is needed. I hope we can use E820 for early
> tracking. But let's see if it works.
+1, this smells like an anti-patter. I'm absolutely not in favor of a
bitmap, we have the sparse memory model for a reason.
Also, I am not convinced that kexec/kdump is actually easy to realize
with the bitmap? Who will forward that bitmap? Where will it reside? Who
says it's not corrupted? Just take a look at how we don't even have
access to memmap of the oldkernel in the newkernel -- and have to locate
and decipher it in constantly-to-be-updated user space makedumpfile. Any
time you'd change anything about the bitmap ("hey, let's use larger
chunks", "hey, let's split it up") you'd break the old_kernel <->
new_kernel agreement.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2021-07-22 15:46 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-19 12:58 Runtime Memory Validation in Intel-TDX and AMD-SNP Joerg Roedel
2021-07-19 13:07 ` Matthew Wilcox
2021-07-19 15:02 ` Joerg Roedel
2021-07-19 20:39 ` Andi Kleen
2021-07-20 8:55 ` Joerg Roedel
2021-07-20 9:34 ` Dr. David Alan Gilbert
2021-07-20 11:50 ` Joerg Roedel
2021-07-20 0:26 ` Andy Lutomirski
2021-07-20 1:51 ` Erdem Aktas
2021-07-20 2:00 ` Erdem Aktas
2021-07-20 3:30 ` Andy Lutomirski
2021-07-20 19:54 ` Erdem Aktas
2021-07-20 22:01 ` Andi Kleen
2021-07-20 23:55 ` Erdem Aktas
2021-07-21 0:35 ` Andi Kleen
2021-07-21 8:51 ` Joerg Roedel
2021-07-20 5:17 ` Andi Kleen
2021-07-20 9:11 ` Joerg Roedel
2021-07-20 17:32 ` Andi Kleen
2021-07-20 23:09 ` Erdem Aktas
2021-07-21 0:38 ` Andi Kleen
2021-07-22 17:31 ` Marc Orr
2021-07-26 18:55 ` Joerg Roedel
2021-07-20 8:44 ` Joerg Roedel
2021-07-20 14:14 ` Dave Hansen
2021-07-20 17:30 ` Kirill A. Shutemov
2021-07-21 9:20 ` Mike Rapoport
2021-07-21 10:02 ` Kirill A. Shutemov
2021-07-21 10:22 ` Mike Rapoport
2021-07-21 10:53 ` Joerg Roedel
2021-07-21 9:25 ` Joerg Roedel
2021-07-21 10:25 ` Kirill A. Shutemov
2021-07-21 10:48 ` Joerg Roedel
2021-07-22 15:46 ` David Hildenbrand [this message]
2021-07-26 19:02 ` Joerg Roedel
2021-07-27 9:34 ` David Hildenbrand
2021-08-02 10:19 ` Joerg Roedel
2021-08-02 18:47 ` David Hildenbrand
2021-07-22 15:57 ` David Hildenbrand
2021-07-22 19:51 ` Kirill A. Shutemov
2021-07-23 15:23 ` Mike Rapoport
2021-07-23 16:29 ` Kirill A. Shutemov
2021-07-25 9:16 ` Mike Rapoport
2021-07-25 18:28 ` Kirill A. Shutemov
2021-07-26 10:00 ` Mike Rapoport
2021-07-26 11:53 ` Kirill A. Shutemov
2021-07-26 19:13 ` Joerg Roedel
2021-07-26 23:02 ` Erdem Aktas
2021-07-26 23:54 ` Kirill A. Shutemov
2021-07-27 1:35 ` Erdem Aktas
2021-07-23 11:04 ` Varad Gautam
2021-07-23 14:34 ` Kaplan, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fa38e74e-e7ca-39f3-f2db-f0a0de152edb@redhat.com \
--to=david@redhat.com \
--cc=David.Kaplan@amd.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dfaggioli@suse.com \
--cc=jon.grimm@amd.com \
--cc=jroedel@suse.de \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-coco@lists.linux.dev \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=varad.gautam@suse.com \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.