Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4712788ybi; Mon, 15 Jul 2019 13:31:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqxZsiDV/zL+vWmRbX+BfslPjewtWiN11zfT3h39eTB7M3FOnmqjPisEvqFdDMac8paCSVIc X-Received: by 2002:a63:9245:: with SMTP id s5mr29382822pgn.123.1563222670514; Mon, 15 Jul 2019 13:31:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563222670; cv=none; d=google.com; s=arc-20160816; b=HcOjSQdPYmshhRNrW9A6LA6rZKe1YtEEecdrqdkG4PO9cMhzDJ4coxvxsUbIA4fod2 waOnDmc8Yzj9iRimknVuGr56Euee9sSJZ6rS3Tk1ISNq5WXJfmgQr2kvKQaMsiZfph5v 4C8qyCZ7xb7tl8lStxtuC/gGO6XqQskRCAHak/Y+5mCXYepd9B8XmUOLAsT6jq1DuVFp VLIBjCGMjhtyZI//ykIcnuY9I49IyBzdpUaEOjYi1pJiyljZk+BdydQ3IzAl8n79qpPa qotGlPaO8K9D7IClKfNkrF44+cKvKIPSCXtOGGncGdlv55Ur7cNmwv6WAfmIFHUb1SCw r4Cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:mime-version:date:in-reply-to :subject:cc:to:from:user-agent:references; bh=P1n7dTP/wSA/laX5IBQF1yq504IHciNmALIdnwRhO2w=; b=m8L6OMp/bFosiMQry5Zx9SKs2tZCkGKguL1PsqqjlX2tb8GKjCdcoKiKbZfJ7gcLnv vTuCR5u8LzVl2RQ6q/ksqzVyU6pRM1XjMv+s36qHodH4f4+LQIUxg1Zu5xrZ0g1zidtD T94S/th0Mos4gkBoX3z9K/GGqAa6q/e+L10Va+ZLI7MV/DTD5nQblyYETFUf8yAmB4Ks +FtVWe5iOMucVB4zHVGixk8gwAZIwJ+gklobA+JX7/WhrX6iz+36kzLLbBXzBR5LwiI0 mJink2xyS7iK1n7F49xBE/8X4W8ruMPLS/CIJi9M6I313PXaFYyL8ZQNkonh/vxxyFXB ydgw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z20si17139773pfa.282.2019.07.15.13.30.52; Mon, 15 Jul 2019 13:31:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731621AbfGOU3k (ORCPT + 99 others); Mon, 15 Jul 2019 16:29:40 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:3402 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731054AbfGOU3k (ORCPT ); Mon, 15 Jul 2019 16:29:40 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x6FKSgDN143944 for ; Mon, 15 Jul 2019 16:29:39 -0400 Received: from e35.co.us.ibm.com (e35.co.us.ibm.com [32.97.110.153]) by mx0b-001b2d01.pphosted.com with ESMTP id 2trxbe5fmr-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 15 Jul 2019 16:29:38 -0400 Received: from localhost by e35.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 15 Jul 2019 21:29:38 +0100 Received: from b03cxnp08027.gho.boulder.ibm.com (9.17.130.19) by e35.co.us.ibm.com (192.168.1.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 15 Jul 2019 21:29:32 +0100 Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp08027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x6FKTVfV61276602 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 15 Jul 2019 20:29:31 GMT Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 30FF3BE053; Mon, 15 Jul 2019 20:29:31 +0000 (GMT) Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7ADF2BE04F; Mon, 15 Jul 2019 20:29:17 +0000 (GMT) Received: from morokweng.localdomain (unknown [9.85.238.93]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTPS; Mon, 15 Jul 2019 20:29:17 +0000 (GMT) References: <20190320171027-mutt-send-email-mst@kernel.org> <87tvfvbwpb.fsf@morokweng.localdomain> <20190323165456-mutt-send-email-mst@kernel.org> <87a7go71hz.fsf@morokweng.localdomain> <20190520090939-mutt-send-email-mst@kernel.org> <877ea26tk8.fsf@morokweng.localdomain> <20190603211528-mutt-send-email-mst@kernel.org> <877e96qxm7.fsf@morokweng.localdomain> <20190701092212-mutt-send-email-mst@kernel.org> <87d0id9nah.fsf@morokweng.localdomain> <20190715103411-mutt-send-email-mst@kernel.org> User-agent: mu4e 1.2.0; emacs 26.2 From: Thiago Jung Bauermann To: "Michael S. Tsirkin" Cc: virtualization@lists.linux-foundation.org, linuxppc-dev@lists.ozlabs.org, iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Jason Wang , Christoph Hellwig , David Gibson , Alexey Kardashevskiy , Paul Mackerras , Benjamin Herrenschmidt , Ram Pai , Jean-Philippe Brucker , Michael Roth , Mike Anderson Subject: Re: [RFC PATCH] virtio_ring: Use DMA API if guest memory is encrypted In-reply-to: <20190715103411-mutt-send-email-mst@kernel.org> Date: Mon, 15 Jul 2019 17:29:06 -0300 MIME-Version: 1.0 Content-Type: text/plain X-TM-AS-GCONF: 00 x-cbid: 19071520-0012-0000-0000-0000174FE71F X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00011434; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000286; SDB=6.01232674; UDB=6.00649454; IPR=6.01013976; MB=3.00027729; MTD=3.00000008; XFM=3.00000015; UTC=2019-07-15 20:29:36 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19071520-0013-0000-0000-00005813BEDE Message-Id: <874l3nnist.fsf@morokweng.localdomain> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-07-15_07:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1907150234 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Michael S. Tsirkin writes: > On Sun, Jul 14, 2019 at 02:51:18AM -0300, Thiago Jung Bauermann wrote: >> >> >> Michael S. Tsirkin writes: >> >> > So this is what I would call this option: >> > >> > VIRTIO_F_ACCESS_PLATFORM_IDENTITY_ADDRESS >> > >> > and the explanation should state that all device >> > addresses are translated by the platform to identical >> > addresses. >> > >> > In fact this option then becomes more, not less restrictive >> > than VIRTIO_F_ACCESS_PLATFORM - it's a promise >> > by guest to only create identity mappings, >> > and only before driver_ok is set. >> > This option then would always be negotiated together with >> > VIRTIO_F_ACCESS_PLATFORM. >> > >> > Host then must verify that >> > 1. full 1:1 mappings are created before driver_ok >> > or can we make sure this happens before features_ok? >> > that would be ideal as we could require that features_ok fails >> > 2. mappings are not modified between driver_ok and reset >> > i guess attempts to change them will fail - >> > possibly by causing a guest crash >> > or some other kind of platform-specific error >> >> I think VIRTIO_F_ACCESS_PLATFORM_IDENTITY_ADDRESS is good, but requiring >> it to be accompanied by ACCESS_PLATFORM can be a problem. One reason is >> SLOF as I mentioned above, another is that we would be requiring all >> guests running on the machine (secure guests or not, since we would use >> the same configuration for all guests) to support it. But >> ACCESS_PLATFORM is relatively recent so it's a bit early for that. For >> instance, Ubuntu 16.04 LTS (which is still supported) doesn't know about >> it and wouldn't be able to use the device. > > OK and your target is to enable use with kernel drivers within > guests, right? Right. > My question is, we are defining a new flag here, I guess old guests > then do not set it. How does it help old guests? Or maybe it's > not designed to ... Indeed. The idea is that QEMU can offer the flag, old guests can reject it (or even new guests can reject it, if they decide not to convert into secure VMs) and the feature negotiation will succeed with the flag unset. -- Thiago Jung Bauermann IBM Linux Technology Center