From: Steven Price <steven.price@arm.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Haibo Xu <haibo.xu@linaro.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
Juan Quintela <quintela@redhat.com>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 15:45:40 +0000 [thread overview]
Message-ID: <b975422f-14fd-13b3-c8ca-e8b1a68c0837@arm.com> (raw)
In-Reply-To: <CAFEAcA_Q8RSB-zcS8+cEfvWz_0U5GLzmsf12m_7BFjX8h-1hrA@mail.gmail.com>
On 07/12/2020 15:27, Peter Maydell wrote:
> On Mon, 7 Dec 2020 at 14:48, Steven Price <steven.price@arm.com> wrote:
>> Sounds like you are making good progress - thanks for the update. Have
>> you thought about how the PROT_MTE mappings might work if QEMU itself
>> were to use MTE? My worry is that we end up with MTE in a guest
>> preventing QEMU from using MTE itself (because of the PROT_MTE
>> mappings). I'm hoping QEMU can wrap its use of guest memory in a
>> sequence which disables tag checking (something similar will be needed
>> for the "protected VM" use case anyway), but this isn't something I've
>> looked into.
>
> It's not entirely the same as the "protected VM" case. For that
> the patches currently on list basically special case "this is a
> debug access (eg from gdbstub/monitor)" which then either gets
> to go via "decrypt guest RAM for debug" or gets failed depending
> on whether the VM has a debug-is-ok flag enabled. For an MTE
> guest the common case will be guests doing standard DMA operations
> to or from guest memory. The ideal API for that from QEMU's
> point of view would be "accesses to guest RAM don't do tag
> checks, even if tag checks are enabled for accesses QEMU does to
> memory it has allocated itself as a normal userspace program".
Sorry, I know I simplified it rather by saying it's similar to protected
VM. Basically as I see it there are three types of memory access:
1) Debug case - has to go via a special case for decryption or ignoring
the MTE tag value. Hopefully this can be abstracted in the same way.
2) Migration - for a protected VM there's likely to be a special method
to allow the VMM access to the encrypted memory (AFAIK memory is usually
kept inaccessible to the VMM). For MTE this again has to be special
cased as we actually want both the data and the tag values.
3) Device DMA - for a protected VM it's usual to unencrypt a small area
of memory (with the permission of the guest) and use that as a bounce
buffer. This is possible with MTE: have an area the VMM purposefully
maps with PROT_MTE. The issue is that this has a performance overhead
and we can do better with MTE because it's trivial for the VMM to
disable the protection for any memory.
The part I'm unsure on is how easy it is for QEMU to deal with (3)
without the overhead of bounce buffers. Ideally there'd already be a
wrapper for guest memory accesses and that could just be wrapped with
setting TCO during the access. I suspect the actual situation is more
complex though, and I'm hoping Haibo's investigations will help us
understand this.
Thanks,
Steve
WARNING: multiple messages have this Message-ID (diff)
From: Steven Price <steven.price@arm.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Juan Quintela <quintela@redhat.com>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Haibo Xu <haibo.xu@linaro.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 15:45:40 +0000 [thread overview]
Message-ID: <b975422f-14fd-13b3-c8ca-e8b1a68c0837@arm.com> (raw)
In-Reply-To: <CAFEAcA_Q8RSB-zcS8+cEfvWz_0U5GLzmsf12m_7BFjX8h-1hrA@mail.gmail.com>
On 07/12/2020 15:27, Peter Maydell wrote:
> On Mon, 7 Dec 2020 at 14:48, Steven Price <steven.price@arm.com> wrote:
>> Sounds like you are making good progress - thanks for the update. Have
>> you thought about how the PROT_MTE mappings might work if QEMU itself
>> were to use MTE? My worry is that we end up with MTE in a guest
>> preventing QEMU from using MTE itself (because of the PROT_MTE
>> mappings). I'm hoping QEMU can wrap its use of guest memory in a
>> sequence which disables tag checking (something similar will be needed
>> for the "protected VM" use case anyway), but this isn't something I've
>> looked into.
>
> It's not entirely the same as the "protected VM" case. For that
> the patches currently on list basically special case "this is a
> debug access (eg from gdbstub/monitor)" which then either gets
> to go via "decrypt guest RAM for debug" or gets failed depending
> on whether the VM has a debug-is-ok flag enabled. For an MTE
> guest the common case will be guests doing standard DMA operations
> to or from guest memory. The ideal API for that from QEMU's
> point of view would be "accesses to guest RAM don't do tag
> checks, even if tag checks are enabled for accesses QEMU does to
> memory it has allocated itself as a normal userspace program".
Sorry, I know I simplified it rather by saying it's similar to protected
VM. Basically as I see it there are three types of memory access:
1) Debug case - has to go via a special case for decryption or ignoring
the MTE tag value. Hopefully this can be abstracted in the same way.
2) Migration - for a protected VM there's likely to be a special method
to allow the VMM access to the encrypted memory (AFAIK memory is usually
kept inaccessible to the VMM). For MTE this again has to be special
cased as we actually want both the data and the tag values.
3) Device DMA - for a protected VM it's usual to unencrypt a small area
of memory (with the permission of the guest) and use that as a bounce
buffer. This is possible with MTE: have an area the VMM purposefully
maps with PROT_MTE. The issue is that this has a performance overhead
and we can do better with MTE because it's trivial for the VMM to
disable the protection for any memory.
The part I'm unsure on is how easy it is for QEMU to deal with (3)
without the overhead of bounce buffers. Ideally there'd already be a
wrapper for guest memory accesses and that could just be wrapped with
setting TCO during the access. I suspect the actual situation is more
complex though, and I'm hoping Haibo's investigations will help us
understand this.
Thanks,
Steve
WARNING: multiple messages have this Message-ID (diff)
From: Steven Price <steven.price@arm.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Juan Quintela <quintela@redhat.com>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 15:45:40 +0000 [thread overview]
Message-ID: <b975422f-14fd-13b3-c8ca-e8b1a68c0837@arm.com> (raw)
In-Reply-To: <CAFEAcA_Q8RSB-zcS8+cEfvWz_0U5GLzmsf12m_7BFjX8h-1hrA@mail.gmail.com>
On 07/12/2020 15:27, Peter Maydell wrote:
> On Mon, 7 Dec 2020 at 14:48, Steven Price <steven.price@arm.com> wrote:
>> Sounds like you are making good progress - thanks for the update. Have
>> you thought about how the PROT_MTE mappings might work if QEMU itself
>> were to use MTE? My worry is that we end up with MTE in a guest
>> preventing QEMU from using MTE itself (because of the PROT_MTE
>> mappings). I'm hoping QEMU can wrap its use of guest memory in a
>> sequence which disables tag checking (something similar will be needed
>> for the "protected VM" use case anyway), but this isn't something I've
>> looked into.
>
> It's not entirely the same as the "protected VM" case. For that
> the patches currently on list basically special case "this is a
> debug access (eg from gdbstub/monitor)" which then either gets
> to go via "decrypt guest RAM for debug" or gets failed depending
> on whether the VM has a debug-is-ok flag enabled. For an MTE
> guest the common case will be guests doing standard DMA operations
> to or from guest memory. The ideal API for that from QEMU's
> point of view would be "accesses to guest RAM don't do tag
> checks, even if tag checks are enabled for accesses QEMU does to
> memory it has allocated itself as a normal userspace program".
Sorry, I know I simplified it rather by saying it's similar to protected
VM. Basically as I see it there are three types of memory access:
1) Debug case - has to go via a special case for decryption or ignoring
the MTE tag value. Hopefully this can be abstracted in the same way.
2) Migration - for a protected VM there's likely to be a special method
to allow the VMM access to the encrypted memory (AFAIK memory is usually
kept inaccessible to the VMM). For MTE this again has to be special
cased as we actually want both the data and the tag values.
3) Device DMA - for a protected VM it's usual to unencrypt a small area
of memory (with the permission of the guest) and use that as a bounce
buffer. This is possible with MTE: have an area the VMM purposefully
maps with PROT_MTE. The issue is that this has a performance overhead
and we can do better with MTE because it's trivial for the VMM to
disable the protection for any memory.
The part I'm unsure on is how easy it is for QEMU to deal with (3)
without the overhead of bounce buffers. Ideally there'd already be a
wrapper for guest memory accesses and that could just be wrapped with
setting TCO during the access. I suspect the actual situation is more
complex though, and I'm hoping Haibo's investigations will help us
understand this.
Thanks,
Steve
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Steven Price <steven.price@arm.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Juan Quintela <quintela@redhat.com>,
Marc Zyngier <maz@kernel.org>,
Richard Henderson <richard.henderson@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>,
lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>,
arm-mail-list <linux-arm-kernel@lists.infradead.org>,
Haibo Xu <haibo.xu@linaro.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Will Deacon <will@kernel.org>,
kvmarm <kvmarm@lists.cs.columbia.edu>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Dave Martin <Dave.Martin@arm.com>
Subject: Re: [PATCH v5 0/2] MTE support for KVM guest
Date: Mon, 7 Dec 2020 15:45:40 +0000 [thread overview]
Message-ID: <b975422f-14fd-13b3-c8ca-e8b1a68c0837@arm.com> (raw)
In-Reply-To: <CAFEAcA_Q8RSB-zcS8+cEfvWz_0U5GLzmsf12m_7BFjX8h-1hrA@mail.gmail.com>
On 07/12/2020 15:27, Peter Maydell wrote:
> On Mon, 7 Dec 2020 at 14:48, Steven Price <steven.price@arm.com> wrote:
>> Sounds like you are making good progress - thanks for the update. Have
>> you thought about how the PROT_MTE mappings might work if QEMU itself
>> were to use MTE? My worry is that we end up with MTE in a guest
>> preventing QEMU from using MTE itself (because of the PROT_MTE
>> mappings). I'm hoping QEMU can wrap its use of guest memory in a
>> sequence which disables tag checking (something similar will be needed
>> for the "protected VM" use case anyway), but this isn't something I've
>> looked into.
>
> It's not entirely the same as the "protected VM" case. For that
> the patches currently on list basically special case "this is a
> debug access (eg from gdbstub/monitor)" which then either gets
> to go via "decrypt guest RAM for debug" or gets failed depending
> on whether the VM has a debug-is-ok flag enabled. For an MTE
> guest the common case will be guests doing standard DMA operations
> to or from guest memory. The ideal API for that from QEMU's
> point of view would be "accesses to guest RAM don't do tag
> checks, even if tag checks are enabled for accesses QEMU does to
> memory it has allocated itself as a normal userspace program".
Sorry, I know I simplified it rather by saying it's similar to protected
VM. Basically as I see it there are three types of memory access:
1) Debug case - has to go via a special case for decryption or ignoring
the MTE tag value. Hopefully this can be abstracted in the same way.
2) Migration - for a protected VM there's likely to be a special method
to allow the VMM access to the encrypted memory (AFAIK memory is usually
kept inaccessible to the VMM). For MTE this again has to be special
cased as we actually want both the data and the tag values.
3) Device DMA - for a protected VM it's usual to unencrypt a small area
of memory (with the permission of the guest) and use that as a bounce
buffer. This is possible with MTE: have an area the VMM purposefully
maps with PROT_MTE. The issue is that this has a performance overhead
and we can do better with MTE because it's trivial for the VMM to
disable the protection for any memory.
The part I'm unsure on is how easy it is for QEMU to deal with (3)
without the overhead of bounce buffers. Ideally there'd already be a
wrapper for guest memory accesses and that could just be wrapped with
setting TCO during the access. I suspect the actual situation is more
complex though, and I'm hoping Haibo's investigations will help us
understand this.
Thanks,
Steve
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-12-07 15:46 UTC|newest]
Thread overview: 152+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-19 15:38 [PATCH v5 0/2] MTE support for KVM guest Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:38 ` Steven Price
2020-11-19 15:39 ` [PATCH v5 1/2] arm64: kvm: Save/restore MTE registers Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` [PATCH v5 2/2] arm64: kvm: Introduce MTE VCPU feature Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:39 ` Steven Price
2020-11-19 15:45 ` [PATCH v5 0/2] MTE support for KVM guest Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:45 ` Peter Maydell
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 15:57 ` Steven Price
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 16:39 ` Peter Maydell
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 18:42 ` Andrew Jones
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-19 19:11 ` Marc Zyngier
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:50 ` Steven Price
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:56 ` Marc Zyngier
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-11-20 9:58 ` Steven Price
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-04 8:25 ` Haibo Xu
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 14:48 ` Steven Price
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:27 ` Peter Maydell
2020-12-07 15:45 ` Steven Price [this message]
2020-12-07 15:45 ` Steven Price
2020-12-07 15:45 ` Steven Price
2020-12-07 15:45 ` Steven Price
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:05 ` Marc Zyngier
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 16:34 ` Catalin Marinas
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-07 19:03 ` Marc Zyngier
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 17:21 ` Catalin Marinas
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-08 18:21 ` Marc Zyngier
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 12:44 ` Catalin Marinas
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 13:25 ` Marc Zyngier
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 15:27 ` Catalin Marinas
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:27 ` Richard Henderson
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 18:39 ` Catalin Marinas
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:13 ` Richard Henderson
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-09 20:20 ` Peter Maydell
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 16:44 ` Dr. David Alan Gilbert
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:10 ` Peter Maydell
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-07 17:44 ` Dr. David Alan Gilbert
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 10:05 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 9:51 ` Haibo Xu
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:01 ` Marc Zyngier
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-08 10:10 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 7:31 ` Haibo Xu
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-16 10:22 ` Steven Price
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-12-17 1:47 ` Haibo Xu
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
2020-11-23 12:16 ` Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b975422f-14fd-13b3-c8ca-e8b1a68c0837@arm.com \
--to=steven.price@arm.com \
--cc=Dave.Martin@arm.com \
--cc=catalin.marinas@arm.com \
--cc=dgilbert@redhat.com \
--cc=haibo.xu@linaro.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=richard.henderson@linaro.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.