Re: [PATCH v10 3/9] KVM: Extend the memslot to support fd-based private memory
From: Chao Peng
Subject: Re: [PATCH v10 3/9] KVM: Extend the memslot to support fd-based private memory
Date: Tue, 20 Dec 2022 15:43:18 +0800
On Mon, Dec 19, 2022 at 03:36:28PM +0100, Borislav Petkov wrote:
> On Fri, Dec 02, 2022 at 02:13:41PM +0800, Chao Peng wrote:
> > In memory encryption usage, guest memory may be encrypted with special
> > key and can be accessed only by the guest itself. We call such memory
> > private memory. It's valueless and sometimes can cause problem to allow
>
> valueless?
>
> I can't parse that.
It's unnecessary and ...
>
> > userspace to access guest private memory. This new KVM memslot extension
> > allows guest private memory being provided through a restrictedmem
> > backed file descriptor(fd) and userspace is restricted to access the
> > bookmarked memory in the fd.
>
> bookmarked?
userspace is restricted to access the memory content in the fd.
>
> > This new extension, indicated by the new flag KVM_MEM_PRIVATE, adds two
> > additional KVM memslot fields restricted_fd/restricted_offset to allow
> > userspace to instruct KVM to provide guest memory through restricted_fd.
> > 'guest_phys_addr' is mapped at the restricted_offset of restricted_fd
> > and the size is 'memory_size'.
> >
> > The extended memslot can still have the userspace_addr(hva). When use, a
>
> "When un use, ..."
When both userspace_addr and restricted_fd/offset are used, ...
>
> ...
>
> > diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig
> > index a8e379a3afee..690cb21010e7 100644
> > --- a/arch/x86/kvm/Kconfig
> > +++ b/arch/x86/kvm/Kconfig
> > @@ -50,6 +50,8 @@ config KVM
> > select INTERVAL_TREE
> > select HAVE_KVM_PM_NOTIFIER if PM
> > select HAVE_KVM_MEMORY_ATTRIBUTES
> > + select HAVE_KVM_RESTRICTED_MEM if X86_64
> > + select RESTRICTEDMEM if HAVE_KVM_RESTRICTED_MEM
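Review bot: `select HAVE_KVM_RESTRICTED_MEM if X86_64` keys the option to the architecture rather than to the KVM feature that needs restricted memory, so every 64-bit KVM build unconditionally pulls in RESTRICTEDMEM even when no confidential-guest support (the TDX host side or pKVM mentioned in this thread) is configured; and since both lines are `select`s, Kconfig will not enforce whatever RESTRICTEDMEM itself depends on. Consider having the consuming feature's Kconfig option select or depend on RESTRICTEDMEM, and expressing the 64-bit-only requirement as `depends on X86_64` on that option rather than on `config KVM`.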
>
> Those deps here look weird.
>
> RESTRICTEDMEM should be selected by TDX_GUEST as it can't live without
> it.
RESTRICTEDMEM is needed by TDX_HOST, not TDX_GUEST.
>
> Then you don't have to select HAVE_KVM_RESTRICTED_MEM simply because of
> X86_64 - you need that functionality when the respective guest support
> is enabled in KVM.
Letting the actual feature (e.g. TDX or pKVM) select it or add a dependency
sounds like a viable and clearer solution. Sean, let me know your opinion.
>
> Then, looking forward into your patchset, I'm not sure you even
> need HAVE_KVM_RESTRICTED_MEM - you could make it all depend on
> CONFIG_RESTRICTEDMEM. But that's KVM folks call - I'd always aim for
> less Kconfig items because we have waay too many.
The only reason to add another HAVE_KVM_RESTRICTED_MEM is that some code only
works for 64-bit [*] and CONFIG_RESTRICTEDMEM is not sufficient to enforce
that.
[*] https://lore.kernel.org/all/YkJLFu98hZOvTSrL@google.com/
Thanks,
Chao
>
> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
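The commit message above describes the new memslot contract: with KVM_MEM_PRIVATE set, 'guest_phys_addr' is backed by 'restricted_fd' starting at 'restricted_offset' for 'memory_size' bytes, while the hva in 'userspace_addr' stays optional. The following is an added example, not code from the patch series or from the KVM tree: a small userspace-side model of the validation a kernel would have to perform on such a slot before trusting it (fd present, page alignment, and no wrap-around of offset + size, which is the classic way a crafted memslot gets a bounds check to pass), plus the gpa-to-file-offset translation the mapping implies. The struct name `private_memslot`, the enum of error codes, and the bit value chosen for KVM_MEM_PRIVATE are assumptions made here; the patch names the flag and the two fields but this page does not show the struct layout or the flag's value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
/* Assumed bit value; the patch names the flag but the page does not give its value. */
#define KVM_MEM_PRIVATE (1UL << 2)

/* Hypothetical userspace view of the extended memslot, using the field names
 * the commit message lists. Layout is an assumption, not the real uAPI struct. */
struct private_memslot {
	uint32_t flags;
	uint64_t guest_phys_addr;
	uint64_t memory_size;
	uint64_t userspace_addr;   /* hva; may stay unused for a private slot */
	int32_t  restricted_fd;
	uint64_t restricted_offset;
};

enum slot_check {
	SLOT_OK = 0,
	SLOT_ENOTPRIVATE,  /* KVM_MEM_PRIVATE not set, fd fields are meaningless */
	SLOT_EBADFD,       /* negative restricted_fd */
	SLOT_EALIGN,       /* gpa, size or file offset not page aligned */
	SLOT_ESIZE,        /* empty slot */
	SLOT_EOVERFLOW     /* offset + size or gpa + size wraps around */
};

/* Validate a KVM_MEM_PRIVATE slot before any of its fields are used. */
enum slot_check private_slot_check(const struct private_memslot *s)
{
	if (!(s->flags & KVM_MEM_PRIVATE))
		return SLOT_ENOTPRIVATE;
	if (s->restricted_fd < 0)
		return SLOT_EBADFD;
	if ((s->guest_phys_addr | s->memory_size | s->restricted_offset) & (PAGE_SIZE - 1))
		return SLOT_EALIGN;
	if (s->memory_size == 0)
		return SLOT_ESIZE;
	/* Check for wrap-around without computing the wrapped sum: a wrapped end
	 * would sail through a naive "end <= file size" comparison. */
	if (s->restricted_offset > UINT64_MAX - s->memory_size)
		return SLOT_EOVERFLOW;
	if (s->guest_phys_addr > UINT64_MAX - s->memory_size)
		return SLOT_EOVERFLOW;
	return SLOT_OK;
}

/* Map a guest physical address to its byte offset inside restricted_fd.
 * Returns false when gpa lies outside the slot, so callers cannot read
 * past the region the slot was granted. Assumes the slot passed the check above. */
bool private_slot_gpa_to_fd_offset(const struct private_memslot *s, uint64_t gpa,
				   uint64_t *fd_off)
{
	if (gpa < s->guest_phys_addr || gpa - s->guest_phys_addr >= s->memory_size)
		return false;
	*fd_off = s->restricted_offset + (gpa - s->guest_phys_addr);
	return true;
}

int main(void)
{
	/* Constructed sample: 1 GiB of private guest memory at gpa 4 GiB,
	 * backed from byte 2 MiB of a (hypothetical) restrictedmem fd 5. */
	struct private_memslot slot = {
		.flags = KVM_MEM_PRIVATE,
		.guest_phys_addr = 0x100000000ULL,
		.memory_size = 0x40000000ULL,
		.userspace_addr = 0,
		.restricted_fd = 5,
		.restricted_offset = 0x200000ULL,
	};
	uint64_t off;

	printf("check: %d\n", private_slot_check(&slot));
	if (private_slot_gpa_to_fd_offset(&slot, 0x100001000ULL, &off))
		printf("gpa 0x100001000 -> fd offset 0x%llx\n", (unsigned long long)off);
	if (!private_slot_gpa_to_fd_offset(&slot, 0x140000000ULL, &off))
		printf("gpa 0x140000000 is outside the slot\n");
	return 0;
}
```

The two overflow tests are the security-relevant part: a slot whose `restricted_offset + memory_size` wraps past 2^64 would otherwise look like a tiny region near the start of the file while granting the guest a window far beyond it.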