Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3954411imm; Mon, 6 Aug 2018 13:44:08 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdHWCIvKYN+T//3jPEMSfflJK71otoTvTW+6pmQIQfiw2XY6FTlZc0yffvzN4wm5sZEuqlL X-Received: by 2002:a17:902:aa4b:: with SMTP id c11-v6mr15093078plr.344.1533588248912; Mon, 06 Aug 2018 13:44:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533588248; cv=none; d=google.com; s=arc-20160816; b=j/AHng+deZ/LBccg1gHhThUYjD6UcZ2kHVx4AHpfAscaIcHIFaSgOhC6wSuSF2rIju 0zh5+l7y4q4OIvSbSAusT57yTMxsG+RHnHv9YzCy9iRrcG+CJMGr1SJny9tR1lPbdzzk N5qeLJwgmLqHPoZMCPCE4dcZaFD7g7jbO3Mbk3u49d6nOOu54chJxzyx6a1qD05LDSCC dCgRGHRSphq3tFyVSl+NTmU1Svwg0AJOHCX9dT6yrXj0ZqNpB/fZmMmNDtoOMzZS6k6q pTRdmhs0iiaHYJ0wzRJndoVw/SVaF4Ux0Wj1HOaSyLTwL9Y3SQmerq1ZVadNGMDrtb31 Y/hQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :arc-authentication-results; bh=XxuOWhzL8XwH9MPZ1Gn5KNf8a6w3sKzW/ecJye8KbDQ=; b=wKamt9LZ3MNTxQ1OwTB+IJDHvXSCw27AuZHyWatpiDqW6xD/VkNYK6Wb8FvrBk7c3D nErm3EVCIW6Md7PlAz728zU93pLSDbMZ+sTwIuIEYZTblQLf8wGmmWzbpUK5Rg81Z+Av VE7LYllWWPr34W5hbX4zl3QaR6480537x8+c7F6/YRhKJLCbPdb8oS9+dP03O7qXVZet HmJb8qYtXx3mxC2SYABlGgtLqtXw70kTqW3LGp9oiPPtO9FbMGd3oym0/Gn8T/zd7l7T m7cu6gzyulIAJKM6jr3NcrEz8EQuxunUjFEYxN3YbYWcUQvagxPl/q8HhPeTDzcdklRX oJdQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t10-v6si11930664pge.624.2018.08.06.13.43.53; Mon, 06 Aug 2018 13:44:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387493AbeHFWIv (ORCPT + 99 others); Mon, 6 Aug 2018 18:08:51 -0400 Received: from gate.crashing.org ([63.228.1.57]:52613 "EHLO gate.crashing.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732921AbeHFWIv (ORCPT ); Mon, 6 Aug 2018 18:08:51 -0400 Received: from localhost (localhost.localdomain [127.0.0.1]) by gate.crashing.org (8.14.1/8.14.1) with ESMTP id w76Jv0VW002428; Mon, 6 Aug 2018 14:57:01 -0500 Message-ID: Subject: Re: [RFC 0/4] Virtio uses DMA API for all devices From: Benjamin Herrenschmidt To: "Michael S. Tsirkin" Cc: Christoph Hellwig , Will Deacon , Anshuman Khandual , virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, aik@ozlabs.ru, robh@kernel.org, joe@perches.com, elfring@users.sourceforge.net, david@gibson.dropbear.id.au, jasowang@redhat.com, mpe@ellerman.id.au, linuxram@us.ibm.com, haren@linux.vnet.ibm.com, paulus@samba.org, srikar@linux.vnet.ibm.com, robin.murphy@arm.com, jean-philippe.brucker@arm.com, marc.zyngier@arm.com Date: Tue, 07 Aug 2018 05:56:59 +1000 In-Reply-To: <20180806164106-mutt-send-email-mst@kernel.org> References: <20180802200646-mutt-send-email-mst@kernel.org> <20180802225738-mutt-send-email-mst@kernel.org> <20180803070507.GA1344@infradead.org> <20180803220443-mutt-send-email-mst@kernel.org> <051fd78e15595b414839fa8f9d445b9f4d7576c6.camel@kernel.crashing.org> <20180805031046-mutt-send-email-mst@kernel.org> <20180806164106-mutt-send-email-mst@kernel.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.28.4 (3.28.4-1.fc28) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2018-08-06 at 16:46 +0300, Michael S. Tsirkin wrote: > > > Right, we'll need some quirk to disable balloons in the guest I > > suppose. > > > > Passing something from libvirt is cumbersome because the end user may > > not even need to know about secure VMs. There are use cases where the > > security is a contract down to some special application running inside > > the secure VM, the sysadmin knows nothing about. > > > > Also there's repercussions all the way to admin tools, web UIs etc... > > so it's fairly wide ranging. > > > > So as long as we only need to quirk a couple of devices, it's much > > better contained that way. > > So just the balloon thing already means that yes management and all the > way to the user tools must know this is going on. Otherwise > user will try to inflate the balloon and wonder why this does not work. There is *dozens* of management systems out there, not even all open source, we won't ever be able to see the end of the tunnel if we need to teach every single of them, including end users, about platform specific new VM flags like that. .../... > Here's another example: you can't migrate a secure vm to hypervisor > which doesn't support this feature. Again management tools above libvirt > need to know otherwise they will try. There will have to be a new machine type for that I suppose, yes, though it's not just the hypervisor that needs to know about the modified migration stream, it's also the need to have a compatible ultravisor with the right keys on the other side. So migration is going to be special and require extra admin work in all cases yes. But not all secure VMs are meant to be migratable. In any case, back to the problem at hand. What a qemu flag gives us is just a way to force iommu at VM creation time. This is rather sub-optimal, we don't really want the iommu in the way, so it's at best a "workaround", and it's not really solving the real problem. As I said replying to Christoph, we are "leaking" into the interface something here that is really what's the VM is doing to itself, which is to stash its memory away in an inaccessible place. Cheers, Ben.