Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp2076701ybv; Fri, 14 Feb 2020 11:01:27 -0800 (PST) X-Google-Smtp-Source: APXvYqzDpEBqluIQn3gVHlsMoAJFZGnmael8omqJGF8NHwlqOmJSnElgpeA9I6YY6h0ko6SyfFRc X-Received: by 2002:a9d:7b50:: with SMTP id f16mr3486458oto.18.1581706887830; Fri, 14 Feb 2020 11:01:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581706887; cv=none; d=google.com; s=arc-20160816; b=mqp/KstvdnD9DXedPVgcjJg/Arr83FiUl8qhkQ3pt3Bn6/llMx2j9RbjXlzUnS5neL XAk0/7HO7l9Bgj5zg2Sb9bNbvIr54ZJlKpNDC1JgAJcLj1i++qxbdq7mOBdWhBQ4CmF1 cQqr4pWvedeu7/PC3CSSr08X4oamAPnjPVJL7Qrxk5klfzZC2aqdRYHN+c+KMTwZGuB3 qkc8L4vRCmTZzwLCudu3oJMnCVO0YSnU5J51AMxWdQ/89aMZdnQZ6Z5akisnZtv9/T0t KEC6AYl8CqGUnZ5DC3cTv7uKa5xO140EuC8ZP5D9VJ4k4/npg3GethU5kyyMbgNhKHYp mFHg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=s11rpUya7qFYQvMs2lslBlJbUNeX8R96Cgb+6CQZsSo=; b=YAVAlxKhXujzS5Mv/opyJaj/OTwLS1wCb7MQgTNaMfGfSMmdgoka6eZO1VWzMcc7zG 8iqgqaypSQsfUX8SbsfLDn/7bnqw8klEOGd8U5x+gFaOM7NbxCT2IIoQLe6JAqRmplE6 c7Rr7oU8InN24MHOR7ARjGX0dKTSbTivSvcSiN7zp1EkIrN0tq+hqa9ojLW72vlxkFBs EHN/13mfb9BxxLFwFF+BbPxxdvmzUS06HOfQkNGNhKSdPed8tTRBOLDUMIcGqnXFhcwL 7bJOKIltoh9myMT2BOcS+XsyzrCIyDOYasv5qyCFGNzghRlgiRyGHG5w+d+lJ/nykujp lMcg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dBvKkrbN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f81si3187756oig.110.2020.02.14.11.01.15; Fri, 14 Feb 2020 11:01:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dBvKkrbN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387895AbgBNS7C (ORCPT + 99 others); Fri, 14 Feb 2020 13:59:02 -0500 Received: from mail.kernel.org ([198.145.29.99]:46512 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729210AbgBNS7B (ORCPT ); Fri, 14 Feb 2020 13:59:01 -0500 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 181A72467E for ; Fri, 14 Feb 2020 18:59:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1581706741; bh=sDuNfKWoPpSrN5oPOUrwlTFcBuhLYXcdRqnE84ZHMxI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=dBvKkrbN2zjKd1UtcXTrhOUf9txYmtN0gkqLua8TatxLDTKDhnFRk10uGFH4s/WXt IBc0zPL4OqPZ/9WlXc2HcUXR7nlTjCWoNDOEEiYDf4x8oeRqZ4V5akhtz7mhTCGD3F nYSXryAUaoB6HbO7V4V529hFJYgfz3F3t1+QvK28= Received: by mail-wr1-f49.google.com with SMTP id z7so12098931wrl.13 for ; Fri, 14 Feb 2020 10:59:01 -0800 (PST) X-Gm-Message-State: APjAAAUOfaOOFaNRK21SHwlgsJ7UTfPSs1CtYo312bipi7A86K7aB5uZ cI4Z9r69f/EIIJA2tp2ILA2hEk4nP2D9G6iFaF5MIQ== X-Received: by 2002:a5d:4cc9:: with SMTP id c9mr5361655wrt.70.1581706739323; Fri, 14 Feb 2020 10:58:59 -0800 (PST) MIME-Version: 1.0 References: <20200213230916.GB8784@ashkalra_ubuntu_server> In-Reply-To: <20200213230916.GB8784@ashkalra_ubuntu_server> From: Andy Lutomirski Date: Fri, 14 Feb 2020 10:58:46 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 00/12] SEV Live Migration Patchset. To: Ashish Kalra Cc: Andy Lutomirski , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Radim Krcmar , Joerg Roedel , Borislav Petkov , Tom Lendacky , David Rientjes , X86 ML , kvm list , LKML , Brijesh Singh Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 13, 2020 at 3:09 PM Ashish Kalra wrote: > > On Wed, Feb 12, 2020 at 09:43:41PM -0800, Andy Lutomirski wrote: > > On Wed, Feb 12, 2020 at 5:14 PM Ashish Kalra wrote: > > > > > > From: Ashish Kalra > > > > > > This patchset adds support for SEV Live Migration on KVM/QEMU. > > > > I skimmed this all and I don't see any description of how this all works. > > > > Does any of this address the mess in svm_register_enc_region()? Right > > now, when QEMU (or a QEMU alternative) wants to allocate some memory > > to be used for guest encrypted pages, it mmap()s some memory and the > > kernel does get_user_pages_fast() on it. The pages are kept pinned > > for the lifetime of the mapping. This is not at all okay. Let's see: > > > > - The memory is pinned and it doesn't play well with the Linux memory > > management code. You just wrote a big patch set to migrate the pages > > to a whole different machines, but we apparently can't even migrate > > them to a different NUMA node or even just a different address. And > > good luck swapping it out. > > > > - The memory is still mapped in the QEMU process, and that mapping is > > incoherent with actual guest access to the memory. It's nice that KVM > > clflushes it so that, in principle, everything might actually work, > > but this is gross. We should not be exposing incoherent mappings to > > userspace. > > > > Perhaps all this fancy infrastructure you're writing for migration and > > all this new API surface could also teach the kernel how to migrate > > pages from a guest *to the same guest* so we don't need to pin pages > > forever. And perhaps you could put some thought into how to improve > > the API so that it doesn't involve nonsensical incoherent mappings.o > > As a different key is used to encrypt memory in each VM, the hypervisor > can't simply copy the the ciphertext from one VM to another to migrate > the VM. Therefore, the AMD SEV Key Management API provides a new sets > of function which the hypervisor can use to package a guest page for > migration, while maintaining the confidentiality provided by AMD SEV. > > There is a new page encryption bitmap created in the kernel which > keeps tracks of encrypted/decrypted state of guest's pages and this > bitmap is updated by a new hypercall interface provided to the guest > kernel and firmware. > > KVM_GET_PAGE_ENC_BITMAP ioctl can be used to get the guest page encryption > bitmap. The bitmap can be used to check if the given guest page is > private or shared. > > During the migration flow, the SEND_START is called on the source hypervisor > to create an outgoing encryption context. The SEV guest policy dictates whether > the certificate passed through the migrate-set-parameters command will be > validated. SEND_UPDATE_DATA is called to encrypt the guest private pages. > After migration is completed, SEND_FINISH is called to destroy the encryption > context and make the VM non-runnable to protect it against cloning. > > On the target machine, RECEIVE_START is called first to create an > incoming encryption context. The RECEIVE_UPDATE_DATA is called to copy > the received encrypted page into guest memory. After migration has > completed, RECEIVE_FINISH is called to make the VM runnable. > Thanks! This belongs somewhere in the patch set. You still haven't answered my questions about the existing coherency issues and whether the same infrastructure can be used to migrate guest pages within the same machine. Also, you're making guest-side and host-side changes. What ensures that you don't try to migrate a guest that doesn't support the hypercall for encryption state tracking?