From: David Gibson <david@gibson.dropbear.id.au>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
pair@us.ibm.com, brijesh.singh@amd.com, frankja@linux.ibm.com,
kvm@vger.kernel.org, david@redhat.com, cohuck@redhat.com,
qemu-devel@nongnu.org, "Eduardo Habkost" <ehabkost@redhat.com>,
dgilbert@redhat.com, pasic@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-ppc@nongnu.org, pbonzini@redhat.com,
"Richard Henderson" <rth@twiddle.net>,
mdroth@linux.vnet.ibm.com
Subject: Re: [PATCH v3 9/9] host trust limitation: Alter virtio default properties for protected guests
Date: Thu, 25 Jun 2020 14:57:38 +1000 [thread overview]
Message-ID: <20200625045738.GA172395@umbus.fritz.box> (raw)
In-Reply-To: <20200624034932-mutt-send-email-mst@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 4470 bytes --]
On Wed, Jun 24, 2020 at 03:55:59AM -0400, Michael S. Tsirkin wrote:
> On Fri, Jun 19, 2020 at 01:16:38PM +0100, Daniel P. Berrangé wrote:
> > On Fri, Jun 19, 2020 at 07:47:20AM -0400, Michael S. Tsirkin wrote:
> > > On Fri, Jun 19, 2020 at 07:46:14AM -0400, Michael S. Tsirkin wrote:
> > > > On Fri, Jun 19, 2020 at 11:12:45AM +0100, Daniel P. Berrang̮̩ wrote:
> > > > > On Fri, Jun 19, 2020 at 12:06:02PM +1000, David Gibson wrote:
> > > > > > The default behaviour for virtio devices is not to use the platforms normal
> > > > > > DMA paths, but instead to use the fact that it's running in a hypervisor
> > > > > > to directly access guest memory. That doesn't work if the guest's memory
> > > > > > is protected from hypervisor access, such as with AMD's SEV or POWER's PEF.
> > > > > >
> > > > > > So, if a host trust limitation mechanism is enabled, then apply the
> > > > > > iommu_platform=on option so it will go through normal DMA mechanisms.
> > > > > > Those will presumably have some way of marking memory as shared with the
> > > > > > hypervisor or hardware so that DMA will work.
> > > > > >
> > > > > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > > > > > ---
> > > > > > hw/core/machine.c | 11 +++++++++++
> > > > > > 1 file changed, 11 insertions(+)
> > > > > >
> > > > > > diff --git a/hw/core/machine.c b/hw/core/machine.c
> > > > > > index a71792bc16..8dfc1bb3f8 100644
> > > > > > --- a/hw/core/machine.c
> > > > > > +++ b/hw/core/machine.c
> > > > > > @@ -28,6 +28,8 @@
> > > > > > #include "hw/mem/nvdimm.h"
> > > > > > #include "migration/vmstate.h"
> > > > > > #include "exec/host-trust-limitation.h"
> > > > > > +#include "hw/virtio/virtio.h"
> > > > > > +#include "hw/virtio/virtio-pci.h"
> > > > > >
> > > > > > GlobalProperty hw_compat_5_0[] = {
> > > > > > { "virtio-balloon-device", "page-poison", "false" },
> > > > > > @@ -1165,6 +1167,15 @@ void machine_run_board_init(MachineState *machine)
> > > > > > * areas.
> > > > > > */
> > > > > > machine_set_mem_merge(OBJECT(machine), false, &error_abort);
> > > > > > +
> > > > > > + /*
> > > > > > + * Virtio devices can't count on directly accessing guest
> > > > > > + * memory, so they need iommu_platform=on to use normal DMA
> > > > > > + * mechanisms. That requires disabling legacy virtio support
> > > > > > + * for virtio pci devices
> > > > > > + */
> > > > > > + object_register_sugar_prop(TYPE_VIRTIO_PCI, "disable-legacy", "on");
> > > > > > + object_register_sugar_prop(TYPE_VIRTIO_DEVICE, "iommu_platform", "on");
> > > > > > }
> > > > >
> > > > > Silently changing the user's request configuration like this is a bad idea.
> > > > > The "disable-legacy" option in particular is undesirable as that switches
> > > > > the device to virtio-1.0 only mode, which exposes a different PCI ID to
> > > > > the guest.
> > > > >
> > > > > If some options are incompatible with encryption, then we should raise a
> > > > > fatal error at startup, so applications/admins are aware that their requested
> > > > > config is broken.
> > > >
> > > > Agreed - my suggestion is an on/off/auto property, auto value
> > > > changes automatically, on/off is validated.
> > >
> > > In fact should we extend all bit properties to allow an auto value?
> >
> > If "auto" was made the default that creates a similar headache, as to
> > preserve existing configuration semantics we expose to apps, libvirt
> > would need to find all the properties changed to use "auto" and manually
> > set them back to on/off explicitly.
> >
> > Regards,
> > Daniel
>
> It's QEMU's job to try and have more or less consistent semantics across
> versions. QEMU does not guarantee not to change any option defaults
> though.
>
> My point is to add ability to differentiate between property values
> set by user and ones set by machine type for compatibility.
At which point are you looking to differentiate these? The use of
sugar_prop() in my draft code accomplishes this already for the
purposes of resolving a final property value within qemu (an explicit
user set one takes precedence).
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2020-06-25 5:47 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 2:05 [PATCH v3 0/9] Generalize memory encryption models David Gibson
2020-06-19 2:05 ` [PATCH v3 1/9] host trust limitation: Introduce new host trust limitation interface David Gibson
2020-06-26 11:01 ` Dr. David Alan Gilbert
2020-07-14 19:26 ` Richard Henderson
2020-06-19 2:05 ` [PATCH v3 2/9] host trust limitation: Handle memory encryption via interface David Gibson
2020-06-19 2:05 ` [PATCH v3 3/9] host trust limitation: Move side effect out of machine_set_memory_encryption() David Gibson
2020-06-19 2:05 ` [PATCH v3 4/9] host trust limitation: Rework the "memory-encryption" property David Gibson
2020-07-14 19:36 ` Richard Henderson
2020-06-19 2:05 ` [PATCH v3 5/9] host trust limitation: Decouple kvm_memcrypt_*() helpers from KVM David Gibson
2020-06-19 2:05 ` [PATCH v3 6/9] host trust limitation: Add Error ** to HostTrustLimitation::kvm_init David Gibson
2020-06-19 2:06 ` [PATCH v3 7/9] spapr: Add PEF based host trust limitation David Gibson
2020-06-19 2:06 ` [PATCH v3 8/9] spapr: PEF: block migration David Gibson
2020-06-26 10:33 ` Dr. David Alan Gilbert
2020-07-05 7:38 ` David Gibson
2020-06-19 2:06 ` [PATCH v3 9/9] host trust limitation: Alter virtio default properties for protected guests David Gibson
2020-06-19 10:12 ` Daniel P. Berrangé
2020-06-19 11:46 ` Michael S. Tsirkin
2020-06-19 11:47 ` Michael S. Tsirkin
2020-06-19 12:16 ` Daniel P. Berrangé
2020-06-19 20:04 ` Halil Pasic
2020-06-24 7:55 ` Michael S. Tsirkin
2020-06-25 4:57 ` David Gibson [this message]
2020-06-25 5:02 ` David Gibson
2020-06-19 14:45 ` David Gibson
2020-06-19 15:05 ` Daniel P. Berrangé
2020-06-20 8:24 ` David Gibson
2020-06-22 9:09 ` Daniel P. Berrangé
2020-06-25 5:06 ` David Gibson
2020-06-19 2:42 ` [PATCH v3 0/9] Generalize memory encryption models no-reply
2020-06-19 8:28 ` David Hildenbrand
2020-06-19 9:45 ` Cornelia Huck
2020-06-19 9:56 ` David Hildenbrand
2020-06-19 10:05 ` Cornelia Huck
2020-06-19 10:10 ` David Hildenbrand
2020-06-22 12:02 ` Cornelia Huck
2020-06-25 5:25 ` David Gibson
2020-06-25 7:06 ` David Hildenbrand
2020-06-26 4:42 ` David Gibson
2020-06-26 6:53 ` David Hildenbrand
2020-06-26 9:01 ` Janosch Frank
2020-06-26 9:32 ` Daniel P. Berrangé
2020-06-26 9:49 ` Janosch Frank
2020-06-26 10:29 ` Dr. David Alan Gilbert
2020-06-26 10:58 ` Daniel P. Berrangé
2020-06-26 12:49 ` Janosch Frank
2020-07-01 11:59 ` Halil Pasic
2020-06-19 9:48 ` David Gibson
2020-06-19 10:04 ` David Hildenbrand
2020-06-25 5:42 ` David Gibson
2020-06-25 6:59 ` David Hildenbrand
2020-06-25 9:49 ` Cornelia Huck
2020-06-22 14:27 ` Christian Borntraeger
2020-06-24 7:06 ` Cornelia Huck
2020-06-25 5:47 ` David Gibson
2020-06-25 5:48 ` David Gibson
2020-06-25 5:44 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200625045738.GA172395@umbus.fritz.box \
--to=david@gibson.dropbear.id.au \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).