Received: by 2002:ac0:8c9a:0:0:0:0:0 with SMTP id r26csp4103701ima; Mon, 4 Feb 2019 10:15:00 -0800 (PST) X-Google-Smtp-Source: AHgI3IZlVIsT0vQv1rE8CdsPDC1Rr/ncvVSEGbadntxGHpklxLbLv1+CquOR/NwnElDUJyzrdZb6 X-Received: by 2002:a63:6ecf:: with SMTP id j198mr608989pgc.3.1549304100880; Mon, 04 Feb 2019 10:15:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549304100; cv=none; d=google.com; s=arc-20160816; b=C+jB5EbrUmDnd51fs/1xaHwTAyrEv7/2MCU+yGV3co0Rz2RXYzJvegC9Jx8pE9oj/D yKcVEDZOkKpHqo+MPlc1CVzIjjEQooR4ZB7AStEXLR7vetuOnSoP9GVkk+ZcXfqwBdge iBgxGTA9t7BIG2nLqdXVGsB1zDEJb/c0D55qaLS8kbYwTtoxYXz3nUqxoN2k/5rlEAtz VmqngeuZJh7QBhxpqKzb7iJGdQ56RYp8Tj/hY1p6yW9A2taXF6+Syu+TXwvDUsH7seUo Ljo/Q+symKE0XoiwS2ezLhyobwXN+MspG6PVQ/f/+CixQxahrETDspLIay9Ay5Gjj/ah xtYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:mime-version:date:in-reply-to :subject:cc:to:from:user-agent:references; bh=dSF17sZ+fXK/2TYVqsMfW7W9eNCNxYGF/uErsUiZyWg=; b=oPK5Y/jpvPGQcOyArpROWwyb3UuLjl/L/g/hN0+FX71TKDMRtpIK2V5i4vLIk0j1o9 p4Nw6R5LM4Hz6tYuyOvjaCybGz41NQBIlIQcDlgClUFig+K6Eie/cfsrcXl4PHTODZde 35+O3vqpPXs09sKVICBNcm9sLgNSpHbTiQRnGqc9G21Go5RLlYdNkGkShe+FGdEQd1vN MWo5IYkeiDh2QrXkMyDor/Q1nAZj8OsNZbEX4LoIdC3WmrnjQrYHK2TdaWshDjKOFe+P OVLRh0doaxw02zwWPNi24L2PEV5tCgOT91GlayjxV/hduLkxjpkuBfjkf86WnkOrLq6m pb7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r59si667990plb.247.2019.02.04.10.14.44; Mon, 04 Feb 2019 10:15:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728772AbfBDSOe (ORCPT + 99 others); Mon, 4 Feb 2019 13:14:34 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:60670 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726585AbfBDSOd (ORCPT ); Mon, 4 Feb 2019 13:14:33 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x14I8tbC056149 for ; Mon, 4 Feb 2019 13:14:32 -0500 Received: from e16.ny.us.ibm.com (e16.ny.us.ibm.com [129.33.205.206]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qesjt2fqk-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 04 Feb 2019 13:14:31 -0500 Received: from localhost by e16.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 4 Feb 2019 18:14:30 -0000 Received: from b01cxnp22036.gho.pok.ibm.com (9.57.198.26) by e16.ny.us.ibm.com (146.89.104.203) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 4 Feb 2019 18:14:26 -0000 Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x14IEPKa23592984 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 4 Feb 2019 18:14:25 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B3D27AE05F; Mon, 4 Feb 2019 18:14:25 +0000 (GMT) Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A3270AE05C; Mon, 4 Feb 2019 18:14:22 +0000 (GMT) Received: from morokweng.localdomain (unknown [9.85.235.178]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTPS; Mon, 4 Feb 2019 18:14:22 +0000 (GMT) References: <87zhrj8kcp.fsf@morokweng.localdomain> <87womn8inf.fsf@morokweng.localdomain> <20190129134750-mutt-send-email-mst@kernel.org> User-agent: mu4e 1.0; emacs 26.1 From: Thiago Jung Bauermann To: "Michael S. Tsirkin" Cc: virtualization@lists.linux-foundation.org, linuxppc-dev@lists.ozlabs.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jason Wang , Christoph Hellwig , David Gibson , Alexey Kardashevskiy , Paul Mackerras , Benjamin Herrenschmidt , Ram Pai , Jean-Philippe Brucker Subject: Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted In-reply-to: <20190129134750-mutt-send-email-mst@kernel.org> Date: Mon, 04 Feb 2019 16:14:20 -0200 MIME-Version: 1.0 Content-Type: text/plain X-TM-AS-GCONF: 00 x-cbid: 19020418-0072-0000-0000-000003F491CB X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00010536; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000279; SDB=6.01156338; UDB=6.00603144; IPR=6.00936797; MB=3.00025434; MTD=3.00000008; XFM=3.00000015; UTC=2019-02-04 18:14:29 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19020418-0073-0000-0000-00004B0F3B28 Message-Id: <877eefxvyb.fsf@morokweng.localdomain> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-04_12:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902040140 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Michael, Michael S. Tsirkin writes: > On Tue, Jan 29, 2019 at 03:42:44PM -0200, Thiago Jung Bauermann wrote: >> >> Fixing address of powerpc mailing list. >> >> Thiago Jung Bauermann writes: >> >> > Hello, >> > >> > With Christoph's rework of the DMA API that recently landed, the patch >> > below is the only change needed in virtio to make it work in a POWER >> > secure guest under the ultravisor. >> > >> > The other change we need (making sure the device's dma_map_ops is NULL >> > so that the dma-direct/swiotlb code is used) can be made in >> > powerpc-specific code. >> > >> > Of course, I also have patches (soon to be posted as RFC) which hook up >> > to the powerpc secure guest support code. >> > >> > What do you think? >> > >> > From d0629a36a75c678b4a72b853f8f7f8c17eedd6b3 Mon Sep 17 00:00:00 2001 >> > From: Thiago Jung Bauermann >> > Date: Thu, 24 Jan 2019 22:08:02 -0200 >> > Subject: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted >> > >> > The host can't access the guest memory when it's encrypted, so using >> > regular memory pages for the ring isn't an option. Go through the DMA API. >> > >> > Signed-off-by: Thiago Jung Bauermann > > Well I think this will come back to bite us (witness xen which is now > reworking precisely this path - but at least they aren't to blame, xen > came before ACCESS_PLATFORM). > > I also still think the right thing would have been to set > ACCESS_PLATFORM for all systems where device can't access all memory. I understand. The problem with that approach for us is that because we don't know which guests will become secure guests and which will remain regular guests, QEMU would need to offer ACCESS_PLATFORM to all guests. And the problem with that is that for QEMU on POWER, having ACCESS_PLATFORM turned off means that it can bypass the IOMMU for the device (which makes sense considering that the name of the flag was IOMMU_PLATFORM). And we need that for regular guests to avoid performance degradation. So while ACCESS_PLATFORM solves our problems for secure guests, we can't turn it on by default because we can't affect legacy systems. Doing so would penalize existing systems that can access all memory. They would all have to unnecessarily go through address translations, and take a performance hit. The semantics of ACCESS_PLATFORM assume that the hypervisor/QEMU knows in advance - right when the VM is instantiated - that it will not have access to all guest memory. Unfortunately that assumption is subtly broken on our secure-platform. The hypervisor/QEMU realizes that the platform is going secure only *after the VM is instantiated*. It's the kernel running in the VM that determines that it wants to switch the platform to secure-mode. Another way of looking at this issue which also explains our reluctance is that the only difference between a secure guest and a regular guest (at least regarding virtio) is that the former uses swiotlb while the latter doens't. And from the device's point of view they're indistinguishable. It can't tell one guest that is using swiotlb from one that isn't. And that implies that secure guest vs regular guest isn't a virtio interface issue, it's "guest internal affairs". So there's no reason to reflect that in the feature flags. That said, we still would like to arrive at a proper design for this rather than add yet another hack if we can avoid it. So here's another proposal: considering that the dma-direct code (in kernel/dma/direct.c) automatically uses swiotlb when necessary (thanks to Christoph's recent DMA work), would it be ok to replace virtio's own direct-memory code that is used in the !ACCESS_PLATFORM case with the dma-direct code? That way we'll get swiotlb even with !ACCESS_PLATFORM, and virtio will get a code cleanup (replace open-coded stuff with calls to existing infrastructure). > But I also think I don't have the energy to argue about power secure > guest anymore. So be it for power secure guest since the involved > engineers disagree with me. Hey I've been wrong in the past ;). Yeah, it's been a difficult discussion. Thanks for still engaging! I honestly thought that this patch was a good solution (if the guest has encrypted memory it means that the DMA API needs to be used), but I can see where you are coming from. As I said, we'd like to arrive at a good solution if possible. > But the name "sev_active" makes me scared because at least AMD guys who > were doing the sensible thing and setting ACCESS_PLATFORM My understanding is, AMD guest-platform knows in advance that their guest will run in secure mode and hence sets the flag at the time of VM instantiation. Unfortunately we dont have that luxury on our platforms. > (unless I'm > wrong? I reemember distinctly that's so) will likely be affected too. > We don't want that. > > So let's find a way to make sure it's just power secure guest for now > pls. Yes, my understanding is that they turn ACCESS_PLATFORM on. And because of that, IIUC this patch wouldn't affect them because in their platform vring_use_dma_api() returns true earlier in the "if !virtio_has_iommu_quirk(vdev)" condition. > I also think we should add a dma_api near features under virtio_device > such that these hacks can move off data path. Sorry, I don't understand this. > By the way could you please respond about virtio-iommu and > why there's no support for ACCESS_PLATFORM on power? There is support for ACCESS_PLATFORM on POWER. We don't enable it because it causes a performance hit. > I have Cc'd you on these discussions. I'm having a look at the spec and the patches, but to be honest I'm not the best powerpc guy for this. I'll see if I can get others to have a look. > Thanks! Thanks as well! -- Thiago Jung Bauermann IBM Linux Technology Center