From: Christian Borntraeger <borntraeger@de.ibm.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>,
"Boris Fiuczynski" <fiuczy@linux.ibm.com>,
"Bjoern Walk" <bwalk@linux.ibm.com>,
"Viktor Mihajlovski" <mihajlov@linux.ibm.com>
Cc: pair@us.ibm.com, Cornelia Huck <cohuck@redhat.com>,
brijesh.singh@amd.com, kvm@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
Ram Pai <linuxram@us.ibm.com>,
qemu-devel@nongnu.org, frankja@linux.ibm.com, david@redhat.com,
mdroth@linux.vnet.ibm.com, Halil Pasic <pasic@linux.ibm.com>,
rth@twiddle.net, thuth@redhat.com,
Eduardo Habkost <ehabkost@redhat.com>,
Richard Henderson <richard.henderson@linaro.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Greg Kurz <groug@kaod.org>,
qemu-s390x@nongnu.org, David Gibson <david@gibson.dropbear.id.au>,
Marcelo Tosatti <mtosatti@redhat.com>,
qemu-ppc@nongnu.org, pbonzini@redhat.com
Subject: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration
Date: Thu, 14 Jan 2021 16:25:21 +0100 [thread overview]
Message-ID: <e13aad37-97ba-de1b-f311-cd37044c1809@de.ibm.com> (raw)
In-Reply-To: <20210114141535.GJ1643043@redhat.com>
On 14.01.21 15:15, Daniel P. Berrangé wrote:
> On Thu, Jan 14, 2021 at 03:09:01PM +0100, Christian Borntraeger wrote:
>>
>>
>> On 14.01.21 15:04, Cornelia Huck wrote:
>>> On Thu, 14 Jan 2021 12:20:48 +0000
>>> Daniel P. Berrangé <berrange@redhat.com> wrote:
>>>
>>>> On Thu, Jan 14, 2021 at 12:50:12PM +0100, Christian Borntraeger wrote:
>>>>>
>>>>>
>>>>> On 14.01.21 12:45, Dr. David Alan Gilbert wrote:
>>>>>> * Cornelia Huck (cohuck@redhat.com) wrote:
>>>>>>> On Thu, 14 Jan 2021 11:52:11 +0100
>>>>>>> Christian Borntraeger <borntraeger@de.ibm.com> wrote:
>>>>>>>
>>>>>>>> On 14.01.21 11:36, Dr. David Alan Gilbert wrote:
>>>>>>>>> * Christian Borntraeger (borntraeger@de.ibm.com) wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 13.01.21 13:42, Dr. David Alan Gilbert wrote:
>>>>>>>>>>> * Cornelia Huck (cohuck@redhat.com) wrote:
>>>>>>>>>>>> On Tue, 5 Jan 2021 12:41:25 -0800
>>>>>>>>>>>> Ram Pai <linuxram@us.ibm.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Jan 05, 2021 at 11:56:14AM +0100, Halil Pasic wrote:
>>>>>>>>>>>>>> On Mon, 4 Jan 2021 10:40:26 -0800
>>>>>>>>>>>>>> Ram Pai <linuxram@us.ibm.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>>> The main difference between my proposal and the other proposal is...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In my proposal the guest makes the compatibility decision and acts
>>>>>>>>>>>>>>> accordingly. In the other proposal QEMU makes the compatibility
>>>>>>>>>>>>>>> decision and acts accordingly. I argue that QEMU cannot make a good
>>>>>>>>>>>>>>> compatibility decision, because it wont know in advance, if the guest
>>>>>>>>>>>>>>> will or will-not switch-to-secure.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You have a point there when you say that QEMU does not know in advance,
>>>>>>>>>>>>>> if the guest will or will-not switch-to-secure. I made that argument
>>>>>>>>>>>>>> regarding VIRTIO_F_ACCESS_PLATFORM (iommu_platform) myself. My idea
>>>>>>>>>>>>>> was to flip that property on demand when the conversion occurs. David
>>>>>>>>>>>>>> explained to me that this is not possible for ppc, and that having the
>>>>>>>>>>>>>> "securable-guest-memory" property (or whatever the name will be)
>>>>>>>>>>>>>> specified is a strong indication, that the VM is intended to be used as
>>>>>>>>>>>>>> a secure VM (thus it is OK to hurt the case where the guest does not
>>>>>>>>>>>>>> try to transition). That argument applies here as well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As suggested by Cornelia Huck, what if QEMU disabled the
>>>>>>>>>>>>> "securable-guest-memory" property if 'must-support-migrate' is enabled?
>>>>>>>>>>>>> Offcourse; this has to be done with a big fat warning stating
>>>>>>>>>>>>> "secure-guest-memory" feature is disabled on the machine.
>>>>>>>>>>>>> Doing so, will continue to support guest that do not try to transition.
>>>>>>>>>>>>> Guest that try to transition will fail and terminate themselves.
>>>>>>>>>>>>
>>>>>>>>>>>> Just to recap the s390x situation:
>>>>>>>>>>>>
>>>>>>>>>>>> - We currently offer a cpu feature that indicates secure execution to
>>>>>>>>>>>> be available to the guest if the host supports it.
>>>>>>>>>>>> - When we introduce the secure object, we still need to support
>>>>>>>>>>>> previous configurations and continue to offer the cpu feature, even
>>>>>>>>>>>> if the secure object is not specified.
>>>>>>>>>>>> - As migration is currently not supported for secured guests, we add a
>>>>>>>>>>>> blocker once the guest actually transitions. That means that
>>>>>>>>>>>> transition fails if --only-migratable was specified on the command
>>>>>>>>>>>> line. (Guests not transitioning will obviously not notice anything.)
>>>>>>>>>>>> - With the secure object, we will already fail starting QEMU if
>>>>>>>>>>>> --only-migratable was specified.
>>>>>>>>>>>>
>>>>>>>>>>>> My suggestion is now that we don't even offer the cpu feature if
>>>>>>>>>>>> --only-migratable has been specified. For a guest that does not want to
>>>>>>>>>>>> transition to secure mode, nothing changes; a guest that wants to
>>>>>>>>>>>> transition to secure mode will notice that the feature is not available
>>>>>>>>>>>> and fail appropriately (or ultimately, when the ultravisor call fails).
>>>>>>>>>>>> We'd still fail starting QEMU for the secure object + --only-migratable
>>>>>>>>>>>> combination.
>>>>>>>>>>>>
>>>>>>>>>>>> Does that make sense?
>>>>>>>>>>>
>>>>>>>>>>> It's a little unusual; I don't think we have any other cases where
>>>>>>>>>>> --only-migratable changes the behaviour; I think it normally only stops
>>>>>>>>>>> you doing something that would have made it unmigratable or causes
>>>>>>>>>>> an operation that would make it unmigratable to fail.
>>>>>>>>>>
>>>>>>>>>> I would like to NOT block this feature with --only-migrateable. A guest
>>>>>>>>>> can startup unprotected (and then is is migrateable). the migration blocker
>>>>>>>>>> is really a dynamic aspect during runtime.
>>>>>>>>>
>>>>>>>>> But the point of --only-migratable is to turn things that would have
>>>>>>>>> blocked migration into failures, so that a VM started with
>>>>>>>>> --only-migratable is *always* migratable.
>>>>>>>>
>>>>>>>> Hmmm, fair enough. How do we do this with host-model? The constructed model
>>>>>>>> would contain unpack, but then it will fail to startup? Or do we silently
>>>>>>>> drop unpack in that case? Both variants do not feel completely right.
>>>>>>>
>>>>>>> Failing if you explicitly specified unpacked feels right, but failing
>>>>>>> if you just used the host model feels odd. Removing unpack also is a
>>>>>>> bit odd, but I think the better option if we want to do anything about
>>>>>>> it at all.
>>>>>>
>>>>>> 'host-model' feels a bit special; but breaking the rule that
>>>>>> only-migratable doesn't change behaviour is weird
>>>>>> Can you do host,-unpack to make that work explicitly?
>>>>>
>>>>> I guess that should work. But it means that we need to add logic in libvirt
>>>>> to disable unpack for host-passthru and host-model. Next problem is then,
>>>>> that a future version might implement migration of such guests, which means
>>>>> that libvirt must then stop fencing unpack.
>>>>
>>>> The "host-model" is supposed to always be migratable, so we should
>>>> fence the feature there.
>>>>
>>>> host-passthrough is "undefined" whether it is migratable - it may or may
>>>> not work, no guarantees made by libvirt.
>>>>
>>>> Ultimately I think the problem is that there ought to be an explicit
>>>> config to enable the feature for s390, as there is for SEV, and will
>>>> also presumably be needed for ppc.
>>>
>>> Yes, an explicit config is what we want; unfortunately, we have to deal
>>> with existing setups as well...
>>>
>>> The options I see are
>>> - leave things for existing setups as they are now (i.e. might become
>>> unmigratable when the guest transitions), and make sure we're doing
>>> the right thing with the new object
>>> - always make the unpack feature conflict with migration requirements;
>>> this is a guest-visible change
>>>
>>> The first option might be less hairy, all considered?
>>
>> What about a libvirt change that removes the unpack from the host-model as
>> soon as only-migrateable is used. When that is in place, QEMU can reject
>> the combination of only-migrateable + unpack.
>
> I think libvirt needs to just unconditionally remove unpack from host-model
> regardless, and require an explicit opt in. We can do that in libvirt
> without compat problems, because we track the expansion of "host-model"
> for existing running guests.
This is true for running guests, but not for shutdown and restart.
I would really like to avoid bad (and hard to debug) surprises that a guest boots
fine with libvirt version x and then fail with x+1. So at the beginning
I am fine with libvirt removing "unpack" from the default host model expansion
if the --only-migrateable parameter is used. Now I look into libvirt and I
cannot actually find code that uses this parameter. Are there some patches
posted somewhere?
>
> QEMU could introduce a deprecation warning right now, and then turn it into
> an error after the deprecation cycle is complete.
next prev parent reply other threads:[~2021-01-14 15:30 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-04 5:44 [for-6.0 v5 00/13] Generalize memory encryption models David Gibson
2020-12-04 5:44 ` [for-6.0 v5 01/13] qom: Allow optional sugar props David Gibson
2020-12-04 12:57 ` Cornelia Huck
2020-12-14 21:25 ` Eduardo Habkost
2021-01-11 18:04 ` Philippe Mathieu-Daudé
2020-12-04 5:44 ` [for-6.0 v5 02/13] securable guest memory: Introduce new securable guest memory base class David Gibson
2020-12-04 5:44 ` [for-6.0 v5 03/13] securable guest memory: Handle memory encryption via interface David Gibson
2020-12-04 13:10 ` Cornelia Huck
2021-01-08 4:03 ` David Gibson
2021-01-12 3:49 ` David Gibson
2020-12-04 5:44 ` [for-6.0 v5 04/13] securable guest memory: Move side effect out of machine_set_memory_encryption() David Gibson
2020-12-04 5:44 ` [for-6.0 v5 05/13] securable guest memory: Rework the "memory-encryption" property David Gibson
2021-01-11 18:09 ` Philippe Mathieu-Daudé
2020-12-04 5:44 ` [for-6.0 v5 06/13] securable guest memory: Decouple kvm_memcrypt_*() helpers from KVM David Gibson
2021-01-11 18:13 ` Philippe Mathieu-Daudé
2021-01-12 3:03 ` David Gibson
2020-12-04 5:44 ` [for-6.0 v5 07/13] sev: Add Error ** to sev_kvm_init() David Gibson
2020-12-14 16:50 ` Cornelia Huck
2020-12-04 5:44 ` [for-6.0 v5 08/13] securable guest memory: Introduce sgm "ready" flag David Gibson
2020-12-14 17:00 ` Cornelia Huck
2020-12-17 5:38 ` David Gibson
2020-12-17 11:24 ` Cornelia Huck
2020-12-04 5:44 ` [for-6.0 v5 09/13] securable guest memory: Move SEV initialization into arch specific code David Gibson
2020-12-04 5:44 ` [for-6.0 v5 10/13] spapr: Add PEF based securable guest memory David Gibson
2021-01-05 23:34 ` Ram Pai
2021-01-08 0:34 ` David Gibson
2020-12-04 5:44 ` [for-6.0 v5 11/13] spapr: PEF: prevent migration David Gibson
2020-12-14 17:22 ` Cornelia Huck
2020-12-17 5:47 ` David Gibson
2020-12-17 11:38 ` Cornelia Huck
2020-12-17 14:15 ` Greg Kurz
2020-12-18 11:41 ` Cornelia Huck
2020-12-18 12:08 ` Dr. David Alan Gilbert
2021-01-04 7:15 ` Ram Pai
2021-01-04 12:46 ` [EXTERNAL] " Halil Pasic
2021-01-04 18:40 ` Ram Pai
2021-01-05 10:56 ` [EXTERNAL] " Halil Pasic
2021-01-05 20:41 ` Ram Pai
2021-01-11 16:59 ` Cornelia Huck
2021-01-11 19:58 ` Ram Pai
2021-01-12 8:19 ` Cornelia Huck
2021-01-12 18:55 ` Ram Pai
2021-01-13 8:06 ` Cornelia Huck
2021-01-15 18:55 ` Ram Pai
2021-01-19 8:19 ` Cornelia Huck
2021-01-19 9:59 ` Daniel P. Berrangé
2021-01-14 11:23 ` Daniel P. Berrangé
2021-01-13 12:42 ` Dr. David Alan Gilbert
2021-01-14 10:28 ` Christian Borntraeger
2021-01-14 10:36 ` Dr. David Alan Gilbert
2021-01-14 10:52 ` Christian Borntraeger
2021-01-14 11:05 ` Cornelia Huck
2021-01-14 11:45 ` Dr. David Alan Gilbert
2021-01-14 11:50 ` Christian Borntraeger
2021-01-14 12:20 ` Daniel P. Berrangé
2021-01-14 14:04 ` Cornelia Huck
2021-01-14 14:09 ` Christian Borntraeger
2021-01-14 14:15 ` Daniel P. Berrangé
2021-01-14 15:25 ` Christian Borntraeger [this message]
2021-01-14 15:33 ` Daniel P. Berrangé
2021-01-15 18:24 ` Ram Pai
2021-01-14 11:25 ` Daniel P. Berrangé
2021-01-14 23:51 ` David Gibson
2021-01-18 17:39 ` Dr. David Alan Gilbert
2021-01-19 8:28 ` Christian Borntraeger
2021-01-19 8:34 ` Cornelia Huck
2020-12-04 5:44 ` [for-6.0 v5 12/13] securable guest memory: Alter virtio default properties for protected guests David Gibson
2020-12-04 8:10 ` Christian Borntraeger
2020-12-04 8:17 ` Cornelia Huck
2020-12-04 8:29 ` Christian Borntraeger
2020-12-04 14:43 ` Halil Pasic
2020-12-08 1:54 ` David Gibson
2020-12-08 8:16 ` Christian Borntraeger
2020-12-08 10:28 ` Halil Pasic
2020-12-08 12:50 ` Cornelia Huck
2020-12-17 5:53 ` David Gibson
2020-12-04 17:04 ` Cornelia Huck
2020-12-04 5:44 ` [for-6.0 v5 13/13] s390: Recognize securable-guest-memory option David Gibson
2020-12-15 11:45 ` Cornelia Huck
2020-12-17 5:54 ` David Gibson
2020-12-04 8:06 ` [for-6.0 v5 00/13] Generalize memory encryption models Christian Borntraeger
2020-12-04 13:02 ` Cornelia Huck
2020-12-04 13:07 ` Dr. David Alan Gilbert
2020-12-04 13:12 ` Cornelia Huck
2020-12-08 2:57 ` David Gibson
2020-12-08 12:43 ` Cornelia Huck
2020-12-17 6:21 ` David Gibson
2020-12-17 11:43 ` Cornelia Huck
2020-12-04 13:25 ` Daniel P. Berrangé
2020-12-04 13:51 ` Halil Pasic
2020-12-08 2:54 ` David Gibson
2020-12-04 9:50 ` Daniel P. Berrangé
2021-01-12 3:02 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e13aad37-97ba-de1b-f311-cd37044c1809@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=berrange@redhat.com \
--cc=brijesh.singh@amd.com \
--cc=bwalk@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=david@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=fiuczy@linux.ibm.com \
--cc=frankja@linux.ibm.com \
--cc=groug@kaod.org \
--cc=kvm@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mihajlov@linux.ibm.com \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=pair@us.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rth@twiddle.net \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).