From: David Hildenbrand <david@redhat.com>
To: Joerg Roedel <joro@8bytes.org>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
Joerg Roedel <jroedel@suse.de>,
David Rientjes <rientjes@google.com>,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Sean Christopherson <seanjc@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Andi Kleen <ak@linux.intel.com>,
Brijesh Singh <brijesh.singh@amd.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Jon Grimm <jon.grimm@amd.com>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
"Kaplan, David" <David.Kaplan@amd.com>,
Varad Gautam <varad.gautam@suse.com>,
Dario Faggioli <dfaggioli@suse.com>,
x86@kernel.org, linux-mm@kvack.org, linux-coco@lists.linux.dev
Subject: Re: Runtime Memory Validation in Intel-TDX and AMD-SNP
Date: Mon, 2 Aug 2021 20:47:33 +0200 [thread overview]
Message-ID: <470865dc-64dc-713e-c8df-99a9067a19ba@redhat.com> (raw)
In-Reply-To: <YQfGo2rVgW0wkLnv@8bytes.org>
On 02.08.21 12:19, Joerg Roedel wrote:
> On Tue, Jul 27, 2021 at 11:34:47AM +0200, David Hildenbrand wrote:
>> What makes you think that? I already heard people express desires for memory
>> hot(un)plug, especially in the context of running containers inside
>> encrypted VMs. And static bitmaps are naturally a bad choice for changing
>> memory layouts.
>
> In the worst case some memory in the bitmap is wasted when memory is
> hot-unplugged. The amount depends on how much memory one bit covers, but
> I don't see this as a show stopper.
Devil's in the details when you want to hotplug later; for example,
before parsing SRAT, we have no clue how much memory we might have at
one point at runtime later. And you'd have to prepare for that by
allocating the bitmap accordingly. And as I said, it's not a sparse data
structure, so you will at least waste some memory.
>> I'm wondering, why exactly would a kdump kernel (not touching memory of the
>> old kernel while booting up) need access to the bitmap? Just wondering, for
>> ACPI tables and such? I can understand why makedumpfile would need that
>> information when actually dumping memory of the old kernel, but it would
>> have access to the memmap of the old kernel to obtain that information.
>
> The kdump kernel needs the bitmap to detect when the Hypervisor is doing
> something malicious, well, at least on its own memory. The kdump kernel
> has full access to the previous kernels memory and could also be tricked
> by the Hypervisor to reveal secrets.
That's an interesting thought. But this raises many questions, how and
what to dump in context of encrypted VMs at all. I'd love to see some
writeup of what we actually want to dump, with which tools, and to which
(encrypted?) locations.
The kdump kernel has access to the memmap of the old kernel. The memmap
of the old kernel would contain information regarding encrypted pages.
The kdump kernel and the tools (makedumpfile) running in the VM cannot
be tampered with by the hypervisor. The memmap of the old kernel cannot
be tampered with, as it resides on encrypted memory. Are my assumptions
correct?
I'd be interested how a hypervisor could trigger revealing secrets.
>
>> Mirroring is a good point. But I'd suggest using the bitmap only during
>> early boot if really necessary and after syncing it to the bitmap, get rid
>> of it. Sure, kexec is more challenging, but at least it's a clean design. We
>> can always try expressing the state of validated memory in the e820 map we
>> present to the kexec kernel.
>
> It depends on how fragmented the validated/unvalidated regions will get
> over time. I think currently it is not very fragmented, the biggest
> shared regions are the .bss_decrypted section and the DMA bounce buffer.
> But there are also a couple of page-size regions which need to be
> shared. For kexec these regions can be validated again when tearing down
> the APs, but for kdump it would be too fragile to do such extensive
> stuff before jumping the the kdump kernel.
Right, I don't really see a blocker for kexec, just needs some proper
creation/update of the e820 map. For kdump, I am not sure if we really
need it, but most probably if we would have a complete picture of kdump
for encrypted VMs it would get much clearer what we actually have to
care about.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2021-08-02 18:47 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-19 12:58 Runtime Memory Validation in Intel-TDX and AMD-SNP Joerg Roedel
2021-07-19 13:07 ` Matthew Wilcox
2021-07-19 15:02 ` Joerg Roedel
2021-07-19 20:39 ` Andi Kleen
2021-07-20 8:55 ` Joerg Roedel
2021-07-20 9:34 ` Dr. David Alan Gilbert
2021-07-20 11:50 ` Joerg Roedel
2021-07-20 0:26 ` Andy Lutomirski
[not found] ` <CAAYXXYwFzrf8uY-PFkMRSG28+HztfGdJft8kB3Y3keWCx9K8TQ@mail.gmail.com>
2021-07-20 2:00 ` Erdem Aktas
2021-07-20 5:17 ` Andi Kleen
2021-07-20 9:11 ` Joerg Roedel
2021-07-20 17:32 ` Andi Kleen
2021-07-20 23:09 ` Erdem Aktas
2021-07-21 0:38 ` Andi Kleen
2021-07-22 17:31 ` Marc Orr
2021-07-26 18:55 ` Joerg Roedel
[not found] ` <eacb9c1f-2c61-4a7f-b5a3-7bf579e6cbf6@www.fastmail.com>
2021-07-20 19:54 ` Erdem Aktas
2021-07-20 22:01 ` Andi Kleen
2021-07-20 23:55 ` Erdem Aktas
2021-07-21 0:35 ` Andi Kleen
2021-07-21 8:51 ` Joerg Roedel
2021-07-20 8:44 ` Joerg Roedel
2021-07-20 14:14 ` Dave Hansen
2021-07-20 17:30 ` Kirill A. Shutemov
2021-07-21 9:20 ` Mike Rapoport
2021-07-21 10:02 ` Kirill A. Shutemov
2021-07-21 10:22 ` Mike Rapoport
2021-07-21 10:53 ` Joerg Roedel
2021-07-21 9:25 ` Joerg Roedel
2021-07-21 10:25 ` Kirill A. Shutemov
2021-07-21 10:48 ` Joerg Roedel
2021-07-22 15:46 ` David Hildenbrand
2021-07-26 19:02 ` Joerg Roedel
2021-07-27 9:34 ` David Hildenbrand
2021-08-02 10:19 ` Joerg Roedel
2021-08-02 18:47 ` David Hildenbrand [this message]
2021-07-22 15:57 ` David Hildenbrand
2021-07-22 19:51 ` Kirill A. Shutemov
2021-07-23 15:23 ` Mike Rapoport
2021-07-23 16:29 ` Kirill A. Shutemov
2021-07-25 9:16 ` Mike Rapoport
2021-07-25 18:28 ` Kirill A. Shutemov
2021-07-26 10:00 ` Mike Rapoport
2021-07-26 11:53 ` Kirill A. Shutemov
2021-07-26 19:13 ` Joerg Roedel
2021-07-26 23:02 ` Erdem Aktas
2021-07-26 23:54 ` Kirill A. Shutemov
2021-07-27 1:35 ` Erdem Aktas
2021-07-23 11:04 ` Varad Gautam
2021-07-23 14:34 ` Kaplan, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=470865dc-64dc-713e-c8df-99a9067a19ba@redhat.com \
--to=david@redhat.com \
--cc=David.Kaplan@amd.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brijesh.singh@amd.com \
--cc=dfaggioli@suse.com \
--cc=jon.grimm@amd.com \
--cc=joro@8bytes.org \
--cc=jroedel@suse.de \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-coco@lists.linux.dev \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=rientjes@google.com \
--cc=seanjc@google.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=varad.gautam@suse.com \
--cc=vbabka@suse.cz \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).