From: Chao Peng <chao.p.peng@linux.intel.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Sean Christopherson <seanjc@google.com>,
Quentin Perret <qperret@google.com>,
Steven Price <steven.price@arm.com>,
kvm list <kvm@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
Linux API <linux-api@vger.kernel.org>,
qemu-devel@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
the arch/x86 maintainers <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>, Hugh Dickins <hughd@google.com>,
Jeff Layton <jlayton@kernel.org>,
"J . Bruce Fields" <bfields@fieldses.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mike Rapoport <rppt@kernel.org>,
"Maciej S . Szmigiero" <mail@maciej.szmigiero.name>,
Vlastimil Babka <vbabka@suse.cz>,
Vishal Annapurve <vannapurve@google.com>,
Yu Zhang <yu.c.zhang@linux.intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
"Nakajima, Jun" <jun.nakajima@intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Andi Kleen <ak@linux.intel.com>,
David Hildenbrand <david@redhat.com>,
Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>
Subject: Re: [PATCH v5 00/13] KVM: mm: fd-based approach for supporting KVM guest private memory
Date: Mon, 25 Apr 2022 21:40:51 +0800 [thread overview]
Message-ID: <20220425134051.GA175928@chaop.bj.intel.com> (raw)
In-Reply-To: <3b99f157-0f30-4b30-8399-dd659250ab8d@www.fastmail.com>
On Sun, Apr 24, 2022 at 09:59:37AM -0700, Andy Lutomirski wrote:
>
>
> On Fri, Apr 22, 2022, at 3:56 AM, Chao Peng wrote:
> > On Tue, Apr 05, 2022 at 06:03:21PM +0000, Sean Christopherson wrote:
> >> On Tue, Apr 05, 2022, Quentin Perret wrote:
> >> > On Monday 04 Apr 2022 at 15:04:17 (-0700), Andy Lutomirski wrote:
> > Only when the register succeeds, the fd is
> > converted into a private fd, before that, the fd is just a normal (shared)
> > one. During this conversion, the previous data is preserved so you can put
> > some initial data in guest pages (whether the architecture allows this is
> > architecture-specific and out of the scope of this patch).
>
> I think this can be made to work, but it will be awkward. On TDX, for example, what exactly are the semantics supposed to be? An error code if the memory isn't all zero? An error code if it has ever been written?
>
> Fundamentally, I think this is because your proposed lifecycle for these memfiles results in a lightweight API but is awkward for the intended use cases. You're proposing, roughly:
>
> 1. Create a memfile.
>
> Now it's in a shared state with an unknown virt technology. It can be read and written. Let's call this state BRAND_NEW.
>
> 2. Bind to a VM.
>
> Now it's an a bound state. For TDX, for example, let's call the new state BOUND_TDX. In this state, the TDX rules are followed (private memory can't be converted, etc).
>
> The problem here is that the BOUND_NEW state allows things that are nonsensical in TDX, and the binding step needs to invent some kind of semantics for what happens when binding a nonempty memfile.
>
>
> So I would propose a somewhat different order:
>
> 1. Create a memfile. It's in the UNBOUND state and no operations whatsoever are allowed except binding or closing.
OK, so we need invent new user API to indicate UNBOUND state. For memfd
based, it can be a new feature-neutral flag at creation time.
>
> 2. Bind the memfile to a VM (or at least to a VM technology). Now it's in the initial state appropriate for that VM.
>
> For TDX, this completely bypasses the cases where the data is prepopulated and TDX can't handle it cleanly. For SEV, it bypasses a situation in which data might be written to the memory before we find out whether that data will be unreclaimable or unmovable.
This sounds a more strict rule to avoid semantics unclear.
So userspace needs to know what excatly happens for a 'bind' operation.
This is different when binds to different technologies. E.g. for SEV, it
may imply after this call, the memfile can be accessed (through mmap or
what ever) from userspace, while for current TDX this should be not allowed.
And I feel we still need a third flow/operation to indicate the
completion of the initialization on the memfile before the guest's
first-time launch. SEV needs to check previous mmap-ed areas are munmap-ed
and prevent future userspace access. After this point, then the memfile
becomes truely private fd.
>
>
> ----------------------------------------------
>
> Now I have a question, since I don't think anyone has really answered it: how does this all work with SEV- or pKVM-like technologies in which private and shared pages share the same address space? I sounds like you're proposing to have a big memfile that contains private and shared pages and to use that same memfile as pages are converted back and forth. IO and even real physical DMA could be done on that memfile. Am I understanding correctly?
For TDX case, and probably SEV as well, this memfile contains private memory
only. But this design at least makes it possible for usage cases like
pKVM which wants both private/shared memory in the same memfile and rely
on other ways like mmap/munmap or mprotect to toggle private/shared instead
of fallocate/hole punching.
>
> If so, I think this makes sense, but I'm wondering if the actual memslot setup should be different. For TDX, private memory lives in a logically separate memslot space. For SEV and pKVM, it doesn't. I assume the API can reflect this straightforwardly.
I believe so. The flow should be similar but we do need pass different
flags during the 'bind' to the backing store for different usages. That
should be some new flags for pKVM but the callbacks (API here) between
memfile_notifile and its consumers can be reused.
>
> And the corresponding TDX question: is the intent still that shared pages aren't allowed at all in a TDX memfile? If so, that would be the most direct mapping to what the hardware actually does.
Exactly. TDX will still use fallocate/hole punching to turn on/off the
private page. Once off, the traditional shared page will become
effective in KVM.
Chao
>
> --Andy
next prev parent reply other threads:[~2022-04-25 13:44 UTC|newest]
Thread overview: 117+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:08 [PATCH v5 00/13] KVM: mm: fd-based approach for supporting KVM guest private memory Chao Peng
2022-03-10 14:08 ` [PATCH v5 01/13] mm/memfd: Introduce MFD_INACCESSIBLE flag Chao Peng
2022-04-11 15:10 ` Kirill A. Shutemov
2022-04-12 13:11 ` Chao Peng
2022-04-23 5:43 ` Vishal Annapurve
2022-04-24 8:15 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 02/13] mm: Introduce memfile_notifier Chao Peng
2022-03-29 18:45 ` Sean Christopherson
2022-04-08 12:54 ` Chao Peng
[not found] ` <20220412143654.6313-1-hdanton@sina.com>
2022-04-13 6:47 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 03/13] mm/shmem: Support memfile_notifier Chao Peng
2022-03-10 23:08 ` Dave Chinner
2022-03-11 8:42 ` Chao Peng
2022-04-11 15:26 ` Kirill A. Shutemov
2022-04-12 13:12 ` Chao Peng
2022-04-19 22:40 ` Vishal Annapurve
2022-04-20 3:24 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 04/13] mm/shmem: Restrict MFD_INACCESSIBLE memory against RLIMIT_MEMLOCK Chao Peng
2022-04-07 16:05 ` Sean Christopherson
2022-04-07 17:09 ` Andy Lutomirski
2022-04-08 17:56 ` Sean Christopherson
2022-04-08 18:54 ` David Hildenbrand
2022-04-12 14:36 ` Jason Gunthorpe
2022-04-12 21:27 ` Andy Lutomirski
2022-04-13 16:30 ` David Hildenbrand
2022-04-13 16:24 ` David Hildenbrand
2022-04-13 17:52 ` Jason Gunthorpe
2022-04-25 14:07 ` David Hildenbrand
2022-04-08 13:02 ` Chao Peng
2022-04-11 15:34 ` Kirill A. Shutemov
2022-04-12 5:14 ` Hugh Dickins
2022-04-11 15:32 ` Kirill A. Shutemov
2022-04-12 13:39 ` Chao Peng
2022-04-12 19:28 ` Kirill A. Shutemov
2022-04-13 9:15 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 05/13] KVM: Extend the memslot to support fd-based private memory Chao Peng
2022-03-28 21:27 ` Sean Christopherson
2022-04-08 13:21 ` Chao Peng
2022-03-28 21:56 ` Sean Christopherson
2022-04-08 13:46 ` Chao Peng
2022-04-08 17:45 ` Sean Christopherson
2022-03-10 14:09 ` [PATCH v5 06/13] KVM: Use kvm_userspace_memory_region_ext Chao Peng
2022-03-28 22:26 ` Sean Christopherson
2022-04-08 13:58 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 07/13] KVM: Add KVM_EXIT_MEMORY_ERROR exit Chao Peng
2022-03-28 22:33 ` Sean Christopherson
2022-04-08 13:59 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 08/13] KVM: Use memfile_pfn_ops to obtain pfn for private pages Chao Peng
2022-03-28 23:56 ` Sean Christopherson
2022-04-08 14:07 ` Chao Peng
2022-04-28 12:37 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 09/13] KVM: Handle page fault for private memory Chao Peng
2022-03-29 1:07 ` Sean Christopherson
2022-04-12 12:10 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 10/13] KVM: Register private memslot to memory backing store Chao Peng
2022-03-29 19:01 ` Sean Christopherson
2022-04-12 12:40 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 11/13] KVM: Zap existing KVM mappings when pages changed in the private fd Chao Peng
2022-03-29 19:23 ` Sean Christopherson
2022-04-12 12:43 ` Chao Peng
2022-04-05 23:45 ` Michael Roth
2022-04-08 3:06 ` Sean Christopherson
2022-04-19 22:43 ` Vishal Annapurve
2022-04-20 3:17 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 12/13] KVM: Expose KVM_MEM_PRIVATE Chao Peng
2022-03-29 19:13 ` Sean Christopherson
2022-04-12 12:56 ` Chao Peng
2022-03-10 14:09 ` [PATCH v5 13/13] memfd_create.2: Describe MFD_INACCESSIBLE flag Chao Peng
2022-03-24 15:51 ` [PATCH v5 00/13] KVM: mm: fd-based approach for supporting KVM guest private memory Quentin Perret
2022-03-28 17:13 ` Sean Christopherson
2022-03-28 18:00 ` Quentin Perret
2022-03-28 18:58 ` Sean Christopherson
2022-03-29 17:01 ` Quentin Perret
2022-03-30 8:58 ` Steven Price
2022-03-30 10:39 ` Quentin Perret
2022-03-30 17:58 ` Sean Christopherson
2022-03-31 16:04 ` Andy Lutomirski
2022-04-01 14:59 ` Quentin Perret
2022-04-01 17:14 ` Sean Christopherson
2022-04-01 18:03 ` Quentin Perret
2022-04-01 18:24 ` Sean Christopherson
2022-04-01 19:56 ` Andy Lutomirski
2022-04-04 15:01 ` Quentin Perret
2022-04-04 17:06 ` Sean Christopherson
2022-04-04 22:04 ` Andy Lutomirski
2022-04-05 10:36 ` Quentin Perret
2022-04-05 17:51 ` Andy Lutomirski
2022-04-05 18:30 ` Sean Christopherson
2022-04-06 18:42 ` Andy Lutomirski
2022-04-06 13:05 ` Quentin Perret
2022-04-05 18:03 ` Sean Christopherson
2022-04-06 10:34 ` Quentin Perret
2022-04-22 10:56 ` Chao Peng
2022-04-22 11:06 ` Paolo Bonzini
2022-04-24 8:07 ` Chao Peng
2022-04-24 16:59 ` Andy Lutomirski
2022-04-25 13:40 ` Chao Peng [this message]
2022-04-25 14:52 ` Andy Lutomirski
2022-04-25 20:30 ` Sean Christopherson
2022-06-10 19:18 ` Andy Lutomirski
2022-06-10 19:27 ` Sean Christopherson
2022-04-28 12:29 ` Chao Peng
2022-05-03 11:12 ` Quentin Perret
2022-05-09 22:30 ` Michael Roth
2022-05-09 23:29 ` Sean Christopherson
2022-07-21 20:05 ` Gupta, Pankaj
2022-07-21 21:19 ` Sean Christopherson
2022-07-21 21:36 ` Gupta, Pankaj
2022-07-23 3:09 ` Andy Lutomirski
2022-07-25 9:19 ` Gupta, Pankaj
2022-03-30 16:18 ` Sean Christopherson
2022-03-28 20:16 ` Andy Lutomirski
2022-03-28 22:48 ` Nakajima, Jun
2022-03-29 0:04 ` Sean Christopherson
2022-04-08 21:35 ` Vishal Annapurve
2022-04-12 13:00 ` Chao Peng
2022-04-12 19:58 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220425134051.GA175928@chaop.bj.intel.com \
--to=chao.p.peng@linux.intel.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=jlayton@kernel.org \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=jun.nakajima@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mail@maciej.szmigiero.name \
--cc=maz@kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qperret@google.com \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=steven.price@arm.com \
--cc=tglx@linutronix.de \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=yu.c.zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).