Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3960212imm; Mon, 6 Aug 2018 13:52:28 -0700 (PDT) X-Google-Smtp-Source: AAOMgpeY8olKtP8J+2O0sNN2bEAUhdfOhsk/KeWc4T15jsXIufrdtxRoz27z4srOXDXqOupaCiti X-Received: by 2002:aa7:82c3:: with SMTP id f3-v6mr18696848pfn.136.1533588748067; Mon, 06 Aug 2018 13:52:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533588748; cv=none; d=google.com; s=arc-20160816; b=AdAjOFZmq1uSK02L8CBq6WVFMmqXWk2r7JR7l2eQJmMJk2vfVFrkP5AeXHBQNaGXVD oUyPJx32NToO0zetb/CYdKJpLB5PbgKR1+vSr9lawAaGEGAxvZoRy9Iu8ZCoPM+ltgwm Mje87Hc806IBkprwcKod0f7ayIoGyWciqvFPcyWXfiq7aRvmN4kdLXibr3KheEg9A8vK FHIajtWE9I4gr6uh12t1RUr5RYyDd4bClQk1n+IPQ4lN8psvkyq7BoGyX8ft1bONIbD0 CnekytxcrRtJfz4ea4Lm1ioBl8FbwGDlSHeL6yyuttfWF++3nzkrSZL35zdDMM7/jue7 EbOQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :arc-authentication-results; bh=QUNGtdxfrfFuTtIvZ7SwcRG9UQu0ak4KknjoSMGdSvU=; b=fsi89Qw6g+ZCekvXod9tQSvq3hsgq4eVyhDM7GFc8hbYc3AX6uoB3w88DDlUBJSl0o D//PoLDbg6hHFLCQFXjZ36TBbDPQnQLSnDAYXttD0j2GobFuqjZ8jpWUKTxs6dFCxEdg iJbTE5/MltLkB9sX4cuauyOjl7R3HyfiKpCRil5IX/xII5uhBTWHGbW7aaiUiZhx3p5H lSslu+dSHbQ9z/GRjdMAM5nfewha8aP6J4RFi8/d5zBRA1ol2b8GmwoEH9iCl9FNvdXJ vta56Ygnk9Om/dBsbtHEfZPojGVZCT8ypNL3iGnX9LUsTOYh8cHWx2nIV70DFmEphNve vRew== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t19-v6si12316364plj.334.2018.08.06.13.52.12; Mon, 06 Aug 2018 13:52:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388309AbeHFWqf (ORCPT + 99 others); Mon, 6 Aug 2018 18:46:35 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:46024 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730055AbeHFWqd (ORCPT ); Mon, 6 Aug 2018 18:46:33 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3E84C40214E2; Mon, 6 Aug 2018 20:35:47 +0000 (UTC) Received: from redhat.com (unknown [10.36.118.7]) by smtp.corp.redhat.com (Postfix) with SMTP id 2F3762026DE8; Mon, 6 Aug 2018 20:35:39 +0000 (UTC) Date: Mon, 6 Aug 2018 23:35:39 +0300 From: "Michael S. Tsirkin" To: Benjamin Herrenschmidt Cc: Christoph Hellwig , Will Deacon , Anshuman Khandual , virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, aik@ozlabs.ru, robh@kernel.org, joe@perches.com, elfring@users.sourceforge.net, david@gibson.dropbear.id.au, jasowang@redhat.com, mpe@ellerman.id.au, linuxram@us.ibm.com, haren@linux.vnet.ibm.com, paulus@samba.org, srikar@linux.vnet.ibm.com, robin.murphy@arm.com, jean-philippe.brucker@arm.com, marc.zyngier@arm.com Subject: Re: [RFC 0/4] Virtio uses DMA API for all devices Message-ID: <20180806233024-mutt-send-email-mst@kernel.org> References: <20180802225738-mutt-send-email-mst@kernel.org> <20180803070507.GA1344@infradead.org> <20180803220443-mutt-send-email-mst@kernel.org> <051fd78e15595b414839fa8f9d445b9f4d7576c6.camel@kernel.crashing.org> <20180805031046-mutt-send-email-mst@kernel.org> <20180806164106-mutt-send-email-mst@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 06 Aug 2018 20:35:47 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Mon, 06 Aug 2018 20:35:47 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'mst@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 07, 2018 at 05:56:59AM +1000, Benjamin Herrenschmidt wrote: > On Mon, 2018-08-06 at 16:46 +0300, Michael S. Tsirkin wrote: > > > > > Right, we'll need some quirk to disable balloons in the guest I > > > suppose. > > > > > > Passing something from libvirt is cumbersome because the end user may > > > not even need to know about secure VMs. There are use cases where the > > > security is a contract down to some special application running inside > > > the secure VM, the sysadmin knows nothing about. > > > > > > Also there's repercussions all the way to admin tools, web UIs etc... > > > so it's fairly wide ranging. > > > > > > So as long as we only need to quirk a couple of devices, it's much > > > better contained that way. > > > > So just the balloon thing already means that yes management and all the > > way to the user tools must know this is going on. Otherwise > > user will try to inflate the balloon and wonder why this does not work. > > There is *dozens* of management systems out there, not even all open > source, we won't ever be able to see the end of the tunnel if we need > to teach every single of them, including end users, about platform > specific new VM flags like that. > > .../... In the end I suspect you will find you have to. > > Here's another example: you can't migrate a secure vm to hypervisor > > which doesn't support this feature. Again management tools above libvirt > > need to know otherwise they will try. > > There will have to be a new machine type for that I suppose, yes, > though it's not just the hypervisor that needs to know about the > modified migration stream, it's also the need to have a compatible > ultravisor with the right keys on the other side. > > So migration is going to be special and require extra admin work in all > cases yes. But not all secure VMs are meant to be migratable. > > In any case, back to the problem at hand. What a qemu flag gives us is > just a way to force iommu at VM creation time. I don't think a qemu flag is strictly required for a problem at hand. > This is rather sub-optimal, we don't really want the iommu in the way, > so it's at best a "workaround", and it's not really solving the real > problem. This specific problem, I think I agree. > As I said replying to Christoph, we are "leaking" into the interface > something here that is really what's the VM is doing to itself, which > is to stash its memory away in an inaccessible place. > > Cheers, > Ben. I think Christoph merely objects to the specific implementation. If instead you do something like tweak dev->bus_dma_mask for the virtio device I think he won't object. -- MST