Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3286523pxk; Mon, 7 Sep 2020 08:31:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzbxONWulntpUEXmD1MJ6OFok5M2pKrNRVUufaPDiFtcKmoArJzEh9/t9nmd6cgDXV7O0mS X-Received: by 2002:a17:906:386:: with SMTP id b6mr21236204eja.538.1599492686652; Mon, 07 Sep 2020 08:31:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599492686; cv=none; d=google.com; s=arc-20160816; b=eaT/T6vQRjenspnN/sA8XCuYwe5MhRcrCEUtmtCX0Zg75t1lAmQkeMuk2hu3ZnwVVU 7pG+v/r/fWcmMMEjNudHKm1pCORHH/EsbUj1QapvLiMh1esXqUz5CGTzwBzlF44Qay8i l95t+VDenO85mR9JYg/JU91rmhmP9B6xFI35FFqm1BdqdR42m6Iw6cAkpW1SlK1Ku+Y6 hP4KXybC8OLe5uSCd6GCANcR2K9/QZ7ZPJrkK8QEwuCMPz9WMPMgQ0Ft0biIx1IYYjEY aL92oG9na2wqZ0eZtUFI7A2kA/VWWXgrurVWLc4vY+ClV9Mcx+am667gjY9118xs+a9A uKIg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=8sVz1sXB3S8O+Ei2CKhwWlGsleL+awuWDP8l7TGlMTQ=; b=kkiI1y8JkMadSIMaJeCbDbbTFE7zUYqvGjd4W62CuT9HRZzCU8OJ2b/jfUfYfiLsCE VbM1LZV47CvkixFZUyagnNR6ZOMW4jNjQawXu397oDNvIUR9wYPUthJoKbsUyQUIMT9J XewCmtQCeBS/SpwhnC2a9tYaG9KatvD/DwpZgBzNA9GAeWFcHnfSKwiHCnOQLtns92Nf wUK3QfvyLe29odYanVVixMYnYWEflTc8/XdGFzpb+DFsC20g+FDCvFvvfgji2IRc6459 jd5jigJ1IGk9lhloo7YFzOMmbprDcibABkuzDpiCsgFQ3C/T+uZvX7Dz0IXindyMztUo JQVg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=J+ZJ2KCL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bl4si11055492ejb.752.2020.09.07.08.31.03; Mon, 07 Sep 2020 08:31:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=J+ZJ2KCL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730192AbgIGP3D (ORCPT + 99 others); Mon, 7 Sep 2020 11:29:03 -0400 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:48457 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730067AbgIGP21 (ORCPT ); Mon, 7 Sep 2020 11:28:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599492505; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=8sVz1sXB3S8O+Ei2CKhwWlGsleL+awuWDP8l7TGlMTQ=; b=J+ZJ2KCLBLu9z2ZlcygP6YcNm5GH3S0BSLlkDTGVNg7vSRSMwhlm4WYaViU1iEzvLYoKRI oFP7E5FhpFOmo+3ov+Ho1xMVUo446QNl0XtRy3FPu/APrM93jyEvXSYuEoP/VtNAQdV5ni XQZWBEDOGkAsW7ld9cTnknjYEtdi5rs= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-227-lo-bhTY-OiOxxFEK9sC7Kg-1; Mon, 07 Sep 2020 11:28:24 -0400 X-MC-Unique: lo-bhTY-OiOxxFEK9sC7Kg-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1D0DD18B9EC1; Mon, 7 Sep 2020 15:28:22 +0000 (UTC) Received: from work-vm (ovpn-114-180.ams2.redhat.com [10.36.114.180]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 742D65D9D2; Mon, 7 Sep 2020 15:28:15 +0000 (UTC) Date: Mon, 7 Sep 2020 16:28:12 +0100 From: "Dr. David Alan Gilbert" To: Steven Price , eric.auger@redhat.com Cc: Catalin Marinas , Marc Zyngier , Will Deacon , James Morse , Julien Thierry , Suzuki K Poulose , kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Dave Martin , Mark Rutland , Thomas Gleixner , qemu-devel@nongnu.org, Juan Quintela , Richard Henderson , Peter Maydell , Haibo Xu Subject: Re: [PATCH v2 0/2] MTE support for KVM guest Message-ID: <20200907152812.GJ2682@work-vm> References: <20200904160018.29481-1-steven.price@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200904160018.29481-1-steven.price@arm.com> User-Agent: Mutt/1.14.6 (2020-07-11) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (cc'ing in Eric Auger) * Steven Price (steven.price@arm.com) wrote: > Arm's Memory Tagging Extension (MTE) adds 4 bits of tag data to every 16 > bytes of memory in the system. This along with stashing a tag within the > high bit of virtual addresses allows runtime checking of memory > accesses. > > These patches add support to KVM to enable MTE within a guest. They are > based on Catalin's v9 MTE user-space support series[1]. > > I'd welcome feedback on the proposed user-kernel ABI. Specifically this > series currently: > > 1. Requires the VMM to enable MTE per-VCPU. > 2. Automatically promotes (normal host) memory given to the guest to be > tag enabled (sets PG_mte_tagged), if any VCPU has MTE enabled. The > tags are cleared if the memory wasn't previously MTE enabled. > 3. Doesn't provide any new methods for the VMM to access the tags on > memory. > > (2) and (3) are particularly interesting from the aspect of VM migration. > The guest is able to store/retrieve data in the tags (presumably for the > purpose of tag checking, but architecturally it could be used as just > storage). This means that when migrating a guest the data needs to be > transferred (or saved/restored). > > MTE tags are controlled by the same permission model as normal pages > (i.e. a read-only page has read-only tags), so the normal methods of > detecting guest changes to pages can be used. But this would also > require the tags within a page to be migrated at the same time as the > data (since the access control for tags is the same as the normal data > within a page). (Without understanding anything about your tag system...) Note that during (normal, non-postcopy) migration the consistency can be a little loose - until the guest starts running; i.e. you can send a page that's in themiddle of being modified as long as you make sure you send it again later so that what the guest sees on the destination when it runs is consistent; i.e. it would be fine to send your tags separately to your data and allow them to get a little out of sync, as long as they caught up before the guest ran. > (3) may be problematic and I'd welcome input from those familiar with > VMMs. User space cannot access tags unless the memory is mapped with the > PROT_MTE flag. However enabling PROT_MTE will also enable tag checking > for the user space process (assuming the VMM enables tag checking for > the process) and since the tags in memory are controlled by the guest > it's unlikely the VMM would have an appropriately tagged pointer for its > access. This means the VMM would either need to maintain two mappings of > memory (one to access tags, the other to access data) or disable tag > checking during the accesses to data. Imagine I had a second mapping; what would it look like; how would I get and restore the tags? In terms of migration stream, I guess we have two ways to do this, either it rides shotgun on the main RAM section pages, transmitting those few extra bytes whenever we transmit a page, or you have a separate iteratable device for RAMtags, and it just transmits those. How you keep the two together is an interesting question. The shotgun method sounds nasty to avoid putting special cases in the, already hairy, RAM code. > If it's not practical to either disable tag checking in the VMM or > maintain multiple mappings then the alternatives I'm aware of are: > > * Provide a KVM-specific method to extract the tags from guest memory. > This might also have benefits in terms of providing an easy way to > read bulk tag data from guest memory (since the LDGM instruction > isn't available at EL0). > * Provide support for user space setting the TCMA0 or TCMA1 bits in > TCR_EL1. These would allow the VMM to generate pointers which are not > tag checked. I guess you want the VMM to do as much tagged checked access as possible on it's own data structures? How do things like virtio work where the qemu or kernel is accessing guest memory for IO? Dave > Feedback is welcome, and feel free to ask questions if anything in the > above doesn't make sense. > > Changes since the previous v1 posting[2]: > > * Rebasing clean-ups > * sysreg visibility is now controlled based on whether the VCPU has MTE > enabled or not > > [1] https://lore.kernel.org/r/20200904103029.32083-1-catalin.marinas@arm.com > [2] https://lore.kernel.org/r/20200713100102.53664-1-steven.price%40arm.com > > Steven Price (2): > arm64: kvm: Save/restore MTE registers > arm64: kvm: Introduce MTE VCPU feature > > arch/arm64/include/asm/kvm_emulate.h | 3 +++ > arch/arm64/include/asm/kvm_host.h | 9 ++++++++- > arch/arm64/include/asm/sysreg.h | 3 ++- > arch/arm64/include/uapi/asm/kvm.h | 1 + > arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h | 14 ++++++++++++++ > arch/arm64/kvm/mmu.c | 15 +++++++++++++++ > arch/arm64/kvm/reset.c | 8 ++++++++ > arch/arm64/kvm/sys_regs.c | 20 +++++++++++++++----- > 8 files changed, 66 insertions(+), 7 deletions(-) > > -- > 2.20.1 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK