Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2875661ybi; Mon, 17 Jun 2019 11:54:00 -0700 (PDT) X-Google-Smtp-Source: APXvYqyWZdZAhpZDscMnYI/S5tPqUH71J/yqYFgXGV97KJyIjHNh4baB2hqMlNk5cbkEBwi8trlc X-Received: by 2002:a17:902:6b86:: with SMTP id p6mr39831817plk.14.1560797640199; Mon, 17 Jun 2019 11:54:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560797640; cv=none; d=google.com; s=arc-20160816; b=QvpKc+avoN7MGoOhAWIsjRl8u4BBd7MVkz2F5+fQXgsGpNVNpqP20sM/sF6Scnccbn PxmAyPy8kVsmLlKOOrp5Qjh5G2EtempSD+eLKkcWkW7tydWcsrFcOwmQFkFCOHTsYMnE IiTOjc7ppkk2No6j6cMw/quwztnGonCsGQYq/mPF+LGXgmoGTbBRe/1mmSHG5MtOMmWt 04VarDAiRXvvBwiC15iTHjQ1xLe9XXuzL+oQTGdI06AGGPNPZ0QbcXjAQw6+Woqui+L8 doa7g55q4/+BwCXbEUM7R0MfagHNXjDPLN6b3NnR7HL7TiRfkYAxu2+HZ5QnpJ0sYHE0 0BJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=V33gFYBC1xUvo+Vd4Wqvv3K5sNksw5k/BUi3Ex5l8XM=; b=zd6A5dAl8pmQTKfuMqr6rwSoUinUA9jm6zx7BtdiB+T6YLEKL9x4NWrsbMfV8JOhl1 QAxoSrHMYNKD07NlCRWqK+WYy1Kz2JWwOP6g6pg//KGVEzR9qEqbU1z+umITwRmTiFFu e0Mtt1FmhnXxp/z16DCy5zNpzKQFadF1+agu3DIZ+kLAq7qbn5pz9qBOgxOMGaALlJnX SVvTG3fCeGxDAQfsWB0NDANOQVJ00X5+T7C15Pc2N386kknKOsl/jl3OXoBeQl0OskbV DRSJS/8R95sROOPpCd17K/MhGgxJiFZz/QP8RHcngxBvb9zW4TIKVIW8rWhn9E/+aN+O FY5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0Dr1Iy1V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z68si6113953pgb.344.2019.06.17.11.53.45; Mon, 17 Jun 2019 11:54:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0Dr1Iy1V; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726623AbfFQSxi (ORCPT + 99 others); Mon, 17 Jun 2019 14:53:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:48008 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725772AbfFQSxh (ORCPT ); Mon, 17 Jun 2019 14:53:37 -0400 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AF26321655 for ; Mon, 17 Jun 2019 18:53:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560797617; bh=lKC3JNmm/M1af0c1PRbg2Uh820jqPX+NRIxEKPybN6M=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=0Dr1Iy1V0hAJ3rnm6kc3K5SbhQQtt9OipXmix3nmhNMADb4NoPh18+yKuKBvN4EU4 Z6dOzZ56nlA9rH2kDsoMZcP6Qdi3MpfFZ6Jbga/CQDaoTLaiImVUds/GSgaOjiZNTe slkiFT+xALD+x9RZbCyPNafq4xEcyCCYbAgcNYR8= Received: by mail-wr1-f41.google.com with SMTP id p13so11128131wru.10 for ; Mon, 17 Jun 2019 11:53:36 -0700 (PDT) X-Gm-Message-State: APjAAAUbmHLXoQQs08DaN+FxAhMzRfHQafGrtAmIGDZJErgjzc8KwKWE OSAmvkijO/eNadv3dEMbmcu08EQIiOeR4pq0YyFH1A== X-Received: by 2002:a5d:6207:: with SMTP id y7mr56496191wru.265.1560797615195; Mon, 17 Jun 2019 11:53:35 -0700 (PDT) MIME-Version: 1.0 References: <58788f05-04c3-e71c-12c3-0123be55012c@amazon.com> <63b1b249-6bc7-ffd9-99db-d36dd3f1a962@intel.com> <698ca264-123d-46ae-c165-ed62ea149896@intel.com> <5AA8BF10-8987-4FCB-870C-667A5228D97B@gmail.com> <20190617184536.GB11017@char.us.oracle.com> In-Reply-To: <20190617184536.GB11017@char.us.oracle.com> From: Andy Lutomirski Date: Mon, 17 Jun 2019 11:53:22 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC 00/10] Process-local memory allocations for hiding KVM secrets To: Konrad Rzeszutek Wilk Cc: Dave Hansen , Nadav Amit , Andy Lutomirski , Alexander Graf , Thomas Gleixner , Marius Hillenbrand , kvm list , LKML , Kernel Hardening , Linux-MM , Alexander Graf , David Woodhouse , "the arch/x86 maintainers" , Peter Zijlstra Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 17, 2019 at 11:44 AM Konrad Rzeszutek Wilk wrote: > > On Mon, Jun 17, 2019 at 11:07:45AM -0700, Dave Hansen wrote: > > On 6/17/19 9:53 AM, Nadav Amit wrote: > > >>> For anyone following along at home, I'm going to go off into crazy > > >>> per-cpu-pgds speculation mode now... Feel free to stop reading now. :) > > >>> > > >>> But, I was thinking we could get away with not doing this on _every_ > > >>> context switch at least. For instance, couldn't 'struct tlb_context' > > >>> have PGD pointer (or two with PTI) in addition to the TLB info? That > > >>> way we only do the copying when we change the context. Or does that tie > > >>> the implementation up too much with PCIDs? > > >> Hmm, that seems entirely reasonable. I think the nasty bit would be > > >> figuring out all the interactions with PV TLB flushing. PV TLB > > >> flushes already don't play so well with PCID tracking, and this will > > >> make it worse. We probably need to rewrite all that code regardless. > > > How is PCID (as you implemented) related to TLB flushing of kernel (not > > > user) PTEs? These kernel PTEs would be global, so they would be invalidated > > > from all the address-spaces using INVLPG, I presume. No? > > > > The idea is that you have a per-cpu address space. Certain kernel > > virtual addresses would map to different physical address based on where > > you are running. Each of the physical addresses would be "owned" by a > > single CPU and would, by convention, never use a PGD that mapped an > > address unless that CPU that "owned" it. > > > > In that case, you never really invalidate those addresses. > > But you would need to invalidate if the process moved to another CPU, correct? > There's nothing to invalidate. It's a different CPU with a different TLB. The big problem is that you have a choice. Either you can have one PGD per (mm, cpu) or you just have one or a few PGDs per CPU and you change them every time you change processes. Dave's idea to have one or two per (cpu, asid) is right, though. It means we have a decent chance of context switching without rewriting the whole thing, and it also means we don't need to write to the one that's currently loaded when we switch CR3. The latter could plausibly be important enough that we'd want to pretend we're using PCID even if we're not.