Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp490814ybt; Wed, 24 Jun 2020 04:22:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyAiyOuYqcZ7/BAHdf7/eO8Zs4SjD65HlJpsnTn8TEBwXMOijRsPWTvIKqvQ6E/tPkz8o3g X-Received: by 2002:a50:f385:: with SMTP id g5mr18810304edm.347.1592997748148; Wed, 24 Jun 2020 04:22:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592997748; cv=none; d=google.com; s=arc-20160816; b=dTAkLoaAPj6ipxF46gDekM7+rgrd3vAJwMpO3tpPd3COqMDnY79XT9RMxS/jNS7U84 LTt7YJAtk2u1g4u8cz/qj6KjeGCNuxJu2RAv4RDCMXU0ZMRajTxNpXgxRq/CuIynqkMp rpA3PMSm0PEo5yPqjLB4dCfWBOF80tEz9f5MhZhtbSqqb4qTcjmRV9pjgY1QeLP3Obvj lfIe+/F34UlSxShEYj6zhGEbCP0j6OC57E8hng4JeVLxG5ZQv0rXOA9CJ3b1sgOdL2PS JZFRTGISMHuVcqXT7Rf7WL+aDxcasGDuuUaoAIVgzZ0W7g4QIcowTd5YXVruok1DO9vf XlgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=DX+S4Iv9//DK5TM6iTr1gukMVp+PNpNUJApXfJj3QDU=; b=Y9lxAxFVwfxA5DI3ILRxtMVgV6OtsnxtnedhXtrcM0PSnYJbgGJ/4WY9P/hLKYFbwl /wP0O7o6HrMyIKACnFnGu6mfIQHGIVGJTHUPFBeinJQ8RZH9i8Mfwovuya+MwUHxfYh9 bpl1ZQTFhnge8+t+j4FKnhhVnMm/XqTCKt9Rwku9wRkM9zk9ZENgj1a0BzGsafI93HkM tMZJ5Ofpn2mMbWKuIwfIM8i2J/p6ladQPcXOx8bTT7MNHjQtQjeGsqqVWA7eB2fXfL+x 7vtoHpp14ClanxGKK3p8RDpyChxNoo5wjL4sKfMqcUwQGTbVneehQHsphnkomcQOj39n WvFQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d19si4645308edz.443.2020.06.24.04.22.03; Wed, 24 Jun 2020 04:22:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390634AbgFXLSy (ORCPT + 99 others); Wed, 24 Jun 2020 07:18:54 -0400 Received: from foss.arm.com ([217.140.110.172]:36028 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390586AbgFXLSv (ORCPT ); Wed, 24 Jun 2020 07:18:51 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 44A0B1F1; Wed, 24 Jun 2020 04:18:50 -0700 (PDT) Received: from [192.168.1.84] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 588F53F6CF; Wed, 24 Jun 2020 04:18:48 -0700 (PDT) Subject: Re: [RFC PATCH 0/2] MTE support for KVM guest To: Catalin Marinas Cc: Dave P Martin , Peter Maydell , Marc Zyngier , lkml - Kernel Mailing List , "kvmarm@lists.cs.columbia.edu" , Thomas Gleixner , Will Deacon , arm-mail-list References: <20200617123844.29960-1-steven.price@arm.com> <20200624093846.GA11863@gaia> <20200624103412.GD25945@arm.com> <20200624110904.GB11863@gaia> From: Steven Price Message-ID: <904edac0-3de7-35a6-a9bc-b983ccd3490c@arm.com> Date: Wed, 24 Jun 2020 12:18:46 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: <20200624110904.GB11863@gaia> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 24/06/2020 12:09, Catalin Marinas wrote: > On Wed, Jun 24, 2020 at 12:03:35PM +0100, Steven Price wrote: >> On 24/06/2020 11:34, Dave Martin wrote: >>> On Wed, Jun 24, 2020 at 10:38:48AM +0100, Catalin Marinas wrote: >>>> On Tue, Jun 23, 2020 at 07:05:07PM +0100, Peter Maydell wrote: >>>>> On Wed, 17 Jun 2020 at 13:39, Steven Price wrote: >>>>>> These patches add support to KVM to enable MTE within a guest. It is >>>>>> based on Catalin's v4 MTE user space series[1]. >>>>>> >>>>>> [1] http://lkml.kernel.org/r/20200515171612.1020-1-catalin.marinas%40arm.com >>>>>> >>>>>> Posting as an RFC as I'd like feedback on the approach taken. >>>>> >>>>> What's your plan for handling tags across VM migration? >>>>> Will the kernel expose the tag ram to userspace so we >>>>> can copy it from the source machine to the destination >>>>> at the same time as we copy the actual ram contents ? >>>> >>>> Qemu can map the guest memory with PROT_MTE and access the tags directly >>>> with LDG/STG instructions. Steven was actually asking in the cover >>>> letter whether we should require that the VMM maps the guest memory with >>>> PROT_MTE as a guarantee that it can access the guest tags. >>>> >>>> There is no architecturally visible tag ram (tag storage), that's a >>>> microarchitecture detail. >>> >>> If userspace maps the guest memory with PROT_MTE for dump purposes, >>> isn't it going to get tag check faults when accessing the memory >>> (i.e., when dumping the regular memory content, not the tags >>> specifically). >>> >>> Does it need to map two aliases, one with PROT_MTE and one without, >>> and is that architecturally valid? >> >> Userspace would either need to have two mappings (I don't believe there are >> any architectural issues with that - but this could be awkward to arrange in >> some situations) or be careful to avoid faults. Basically your choices with >> one mapping are: >> >> 1. Disable tag checking (using prctl) when touching the memory. This works >> but means you lose tag checking for the VMM's own accesses during this code >> sequence. >> >> 2. Read the tag values and ensure you use the correct tag. This suffers >> from race conditions if the VM is still running. >> >> 3. Use one of the exceptions in the architecture that generates a Tag >> Unchecked access. Sadly the only remotely useful thing I can see in the v8 >> ARM is "A base register plus immediate offset addressing form, with the SP >> as the base register." - but making sure SP is in range of where you want to >> access would be a pain. > > Or: > > 4. Set PSTATE.TCO when accessing tagged memory in an unsafe way. > Ah yes, similar to (1) but much lower overhead ;) That's probably the best option - it can be hidden in a memcpy_ignoring_tags() function. However it still means that the VMM can't directly touch the guest's memory which might cause issues for the VMM. Steve