From: David Gibson <david@gibson.dropbear.id.au>
To: David Hildenbrand <david@redhat.com>
Cc: Cornelia Huck <cohuck@redhat.com>,
qemu-devel@nongnu.org, brijesh.singh@amd.com, pair@us.ibm.com,
pbonzini@redhat.com, dgilbert@redhat.com, frankja@linux.ibm.com,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
kvm@vger.kernel.org, qemu-ppc@nongnu.org, mst@redhat.com,
mdroth@linux.vnet.ibm.com, Richard Henderson <rth@twiddle.net>,
pasic@linux.ibm.com, Eduardo Habkost <ehabkost@redhat.com>,
qemu-s390x@nongnu.org
Subject: Re: [PATCH v3 0/9] Generalize memory encryption models
Date: Fri, 26 Jun 2020 14:42:59 +1000 [thread overview]
Message-ID: <20200626044259.GK172395@umbus.fritz.box> (raw)
In-Reply-To: <025fb54b-60b7-a58b-e3d7-1bbaad152c5c@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 4333 bytes --]
On Thu, Jun 25, 2020 at 09:06:05AM +0200, David Hildenbrand wrote:
> >> Still unsure how to bring this new machine property and the cpu feature
> >> together. Would be great to have the same interface everywhere, but
> >> having two distinct command line objects depend on each other sucks.
> >
> > Kinda, but the reality is that hardware - virtual and otherwise -
> > frequently doesn't have entirely orthogonal configuration for each of
> > its components. This is by no means new in that regard.
> >
> >> Automatically setting the feature bit if pv is supported complicates
> >> things further.
> >
> > AIUI, on s390 the "unpack" feature is available by default on recent
> > models. In that case you could do this:
> >
> > * Don't modify either cpu or HTL options based on each other
> > * Bail out if the user specifies a non "unpack" secure CPU along with
> > the HTL option
> >
> > Cases of note:
> > - User specifies an old CPU model + htl
> > or explicitly sets unpack=off + htl
> > => fails with an error, correctly
> > - User specifies modern/default cpu + htl, with secure aware guest
> > => works as a secure guest
> > - User specifies modern/default cpu + htl, with non secure aware guest
> > => works, though not secure (and maybe slower than neccessary)
> > - User specifies modern/default cpu, no htl, with non-secure guest
> > => works, "unpack" feature is present but unused
> > - User specifies modern/default cpu, no htl, secure guest
> > => this is the worst one. It kind of works by accident if
> > you've also manually specified whatever virtio (and
> > anything else) options are necessary. Ugly, but no
> > different from the situation right now, IIUC
> >
> >> (Is there any requirement that the machine object has been already set
> >> up before the cpu features are processed? Or the other way around?)
> >
> > CPUs are usually created by the machine, so I believe we can count on
> > the machine object being there first.
>
> CPU model initialization is one of the first things machine
> initialization code does on s390x.
As it is for most platforms, but still, the values of machine
properties are available to you at this point.
> static void ccw_init(MachineState *machine)
> {
> [... memory init ...]
> s390_sclp_init();
> s390_memory_init(machine->ram);
> /* init CPUs (incl. CPU model) early so s390_has_feature() works */
> s390_init_cpus(machine);
> [...]
> }
>
> >
> >> Does this have any implications when probing with the 'none' machine?
> >
> > I'm not sure. In your case, I guess the cpu bit would still show up
> > as before, so it would tell you base feature availability, but not
> > whether you can use the new configuration option.
> >
> > Since the HTL option is generic, you could still set it on the "none"
> > machine, though it wouldn't really have any effect. That is, if you
> > could create a suitable object to point it at, which would depend on
> > ... details.
> >
>
> The important point is that we never want the (expanded) host cpu model
> look different when either specifying or not specifying the HTL
> property.
Ah, yes, I see your point. So my current suggestion will satisfy
that, basically it is:
cpu has unpack (inc. by default) && htl specified
=> works (allowing secure), as expected
!cpu has unpack && htl specified
=> bails out with an error
!cpu has unpack && !htl specified
=> works for a non-secure guest, as expected
=> guest will fail if it attempts to go secure
cpu has unpack && !htl specified
=> works as expected for a non-secure guest (unpack feature is
present, but unused)
=> secure guest may work "by accident", but only if all virtio
properties have the right values, which is the user's
problem
That last case is kinda ugly, but I think it's tolerable.
> We don't want to run into issues where libvirt probes and gets
> host model X, but when using that probed model (automatically) for a
> guest domain, we suddenly cannot run X anymore.
>
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2020-06-26 5:42 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 2:05 [PATCH v3 0/9] Generalize memory encryption models David Gibson
2020-06-19 2:05 ` [PATCH v3 1/9] host trust limitation: Introduce new host trust limitation interface David Gibson
2020-06-26 11:01 ` Dr. David Alan Gilbert
2020-07-14 19:26 ` Richard Henderson
2020-06-19 2:05 ` [PATCH v3 2/9] host trust limitation: Handle memory encryption via interface David Gibson
2020-06-19 2:05 ` [PATCH v3 3/9] host trust limitation: Move side effect out of machine_set_memory_encryption() David Gibson
2020-06-19 2:05 ` [PATCH v3 4/9] host trust limitation: Rework the "memory-encryption" property David Gibson
2020-07-14 19:36 ` Richard Henderson
2020-06-19 2:05 ` [PATCH v3 5/9] host trust limitation: Decouple kvm_memcrypt_*() helpers from KVM David Gibson
2020-06-19 2:05 ` [PATCH v3 6/9] host trust limitation: Add Error ** to HostTrustLimitation::kvm_init David Gibson
2020-06-19 2:06 ` [PATCH v3 7/9] spapr: Add PEF based host trust limitation David Gibson
2020-06-19 2:06 ` [PATCH v3 8/9] spapr: PEF: block migration David Gibson
2020-06-26 10:33 ` Dr. David Alan Gilbert
2020-07-05 7:38 ` David Gibson
2020-06-19 2:06 ` [PATCH v3 9/9] host trust limitation: Alter virtio default properties for protected guests David Gibson
2020-06-19 10:12 ` Daniel P. Berrangé
2020-06-19 11:46 ` Michael S. Tsirkin
2020-06-19 11:47 ` Michael S. Tsirkin
2020-06-19 12:16 ` Daniel P. Berrangé
2020-06-19 20:04 ` Halil Pasic
2020-06-24 7:55 ` Michael S. Tsirkin
2020-06-25 4:57 ` David Gibson
2020-06-25 5:02 ` David Gibson
2020-06-19 14:45 ` David Gibson
2020-06-19 15:05 ` Daniel P. Berrangé
2020-06-20 8:24 ` David Gibson
2020-06-22 9:09 ` Daniel P. Berrangé
2020-06-25 5:06 ` David Gibson
2020-06-19 2:42 ` [PATCH v3 0/9] Generalize memory encryption models no-reply
2020-06-19 8:28 ` David Hildenbrand
2020-06-19 9:45 ` Cornelia Huck
2020-06-19 9:56 ` David Hildenbrand
2020-06-19 10:05 ` Cornelia Huck
2020-06-19 10:10 ` David Hildenbrand
2020-06-22 12:02 ` Cornelia Huck
2020-06-25 5:25 ` David Gibson
2020-06-25 7:06 ` David Hildenbrand
2020-06-26 4:42 ` David Gibson [this message]
2020-06-26 6:53 ` David Hildenbrand
2020-06-26 9:01 ` Janosch Frank
2020-06-26 9:32 ` Daniel P. Berrangé
2020-06-26 9:49 ` Janosch Frank
2020-06-26 10:29 ` Dr. David Alan Gilbert
2020-06-26 10:58 ` Daniel P. Berrangé
2020-06-26 12:49 ` Janosch Frank
2020-07-01 11:59 ` Halil Pasic
2020-06-19 9:48 ` David Gibson
2020-06-19 10:04 ` David Hildenbrand
2020-06-25 5:42 ` David Gibson
2020-06-25 6:59 ` David Hildenbrand
2020-06-25 9:49 ` Cornelia Huck
2020-06-22 14:27 ` Christian Borntraeger
2020-06-24 7:06 ` Cornelia Huck
2020-06-25 5:47 ` David Gibson
2020-06-25 5:48 ` David Gibson
2020-06-25 5:44 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200626044259.GK172395@umbus.fritz.box \
--to=david@gibson.dropbear.id.au \
--cc=brijesh.singh@amd.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=marcel.apfelbaum@gmail.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).