From: Laszlo Ersek <lersek@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>,
	qemu-arm <qemu-arm@nongnu.org>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Markus Armbruster <armbru@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/4] virt: provide secure-only RAM and first flash
Date: Wed, 9 Mar 2016 15:06:05 +0100
Message-ID: <56E02DCD.5060008@redhat.com>
In-Reply-To: <56DECE5F.6000207@redhat.com>

On 03/08/16 14:06, Paolo Bonzini wrote:
> On 08/03/2016 13:50, Ard Biesheuvel wrote:
>> Note that, for KVM, it is unlikely that we will ever support all of
>> this inside the guest. It makes *much* more sense to lock down the
>> emulated flash, and implement the UEFI Runtime Services using a thin
>> layer in UEFI that hooks up to interfaces exposed to the guest by
>> QEMU.
> 
> Well, it makes a bit less sense if the SMM code is already there for you
> to use. :)  More seriously, implementing secure boot on x86 KVM was
> "just" a matter of reading the architecture manual and chipset
> datasheets, and implementing what they said.  Likewise, the firmware
> work can reuse a large part of the work done for bare-metal hardware.
> Laszlo would kill me for saying this, :) but in terms of sheer SLOC his
> platform enablement patches were dwarfed by the SMM code that Intel
> contributed.  The SMM code in turn is _exactly_ the same on bare-metal
> and virt.

Your statement about the SLOC proportions is correct. And, while I could
try to depict (again) the challenges that regardless surfaced in the
platform enablement, this is not the right forum, so I'll save it. :)

However: despite reusing the core SMM code identically in the guest,
there is at least one stark behavioral difference: in QEMU the SMI is
raised only on the processor that triggers it. This exercises paths in
the core SMM code where processors have to count down timeouts and bring
each other in, and these busy loops are very visible to an interactive
user in certain circumstances.

For example, Windows installers seem to be absolutely crazy about
massaging UEFI variables -- the rotating animation rather crawls than
rotates for a minute. I traced KVM just the other day while the
installer was in this phase, and 2 VCPUs together produced about 30-50
"(entering|leaving) SMM" messages per second.

Laszlo

> Designing good PV interfaces is hard, designing secure PV interfaces is
> harder; reading a spec is easy.  To me, the only reason to do it in PV
> interfaces is that the hardware doesn't allow virtualization of EL3.
> 
> If the hardware makes you jump through extra hoops, sometimes it's
> necessary, sometimes it's not.  If it's not, rationalizing it is bad.  I
> cannot think of a good reason for hardware not to let you virtualize
> hypervisor or secure mode, or to force the hypervisor to use two-level
> page translation.
> 
> Paolo
> 
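As an added illustration that is not part of this thread and not code from QEMU, KVM or edk2: a small Python script that turns a KVM trace of the kind Laszlo describes (the "(entering|leaving) SMM" messages) into per-vCPU SMM transition rates and the fraction of time each vCPU spent inside SMM, so the rendezvous busy-wait becomes a number rather than a crawling spinner. The tracepoint line format ("vcpu N: entering|leaving SMM, smbase 0x...") and the sample lines are assumed and constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed ftrace-style sample of KVM's kvm_enter_smm tracepoint (assumed
# line format "vcpu N: entering|leaving SMM, smbase 0x..."); not a real capture.
SAMPLE_TRACE = """\
 qemu-kvm-1234 [000] d... 100.000000: kvm_enter_smm: vcpu 0: entering SMM, smbase 0x7ffaf000
 qemu-kvm-1235 [001] d... 100.012000: kvm_enter_smm: vcpu 1: entering SMM, smbase 0x7ffb7000
 qemu-kvm-1234 [000] d... 100.030000: kvm_enter_smm: vcpu 0: leaving SMM, smbase 0x7ffaf000
 qemu-kvm-1235 [001] d... 100.031000: kvm_enter_smm: vcpu 1: leaving SMM, smbase 0x7ffb7000
 qemu-kvm-1234 [000] d... 100.040000: kvm_enter_smm: vcpu 0: entering SMM, smbase 0x7ffaf000
 qemu-kvm-1234 [000] d... 100.070000: kvm_enter_smm: vcpu 0: leaving SMM, smbase 0x7ffaf000
 qemu-kvm-1234 [000] d... 100.080000: kvm_enter_smm: vcpu 0: entering SMM, smbase 0x7ffaf000
 qemu-kvm-1234 [000] d... 100.080500: kvm_exit: reason IO_INSTRUCTION rip 0x1000 info 0 0
"""

# Timestamps are kept as integer microseconds so the arithmetic is exact.
LINE_RE = re.compile(r"\s(?P<sec>\d+)\.(?P<usec>\d{6}): kvm_enter_smm: "
                     r"vcpu (?P<vcpu>\d+): (?P<dir>entering|leaving) SMM")

def parse_smm_events(text):
    """Return [(time_us, vcpu, direction)] in trace order; other tracepoints
    and malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        t_us = int(m.group("sec")) * 1_000_000 + int(m.group("usec"))
        events.append((t_us, int(m.group("vcpu")), m.group("dir")))
    return events

def smm_stats(events):
    """Per vCPU: SMM transitions per second over the trace span, and the fraction
    of that span spent inside SMM. An 'entering' with no matching 'leaving' is
    treated as open until the trace ends (what a stuck rendezvous looks like)."""
    if not events:
        return {}
    t_last = events[-1][0]
    span_us = max(t_last - events[0][0], 1)
    transitions, in_smm_us, entered_at = defaultdict(int), defaultdict(int), {}
    for t_us, vcpu, direction in events:
        transitions[vcpu] += 1
        if direction == "entering":
            entered_at.setdefault(vcpu, t_us)
        elif vcpu in entered_at:
            in_smm_us[vcpu] += t_us - entered_at.pop(vcpu)
    for vcpu, t_enter in entered_at.items():
        in_smm_us[vcpu] += t_last - t_enter
    return {v: {"transitions_per_s": transitions[v] * 1_000_000 / span_us,
                "smm_fraction": in_smm_us[v] / span_us} for v in transitions}
```

On a real capture, a vCPU that sits at a high SMM fraction while the other shows only short visits is the one waiting in the rendezvous loop for its peers to arrive.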
