Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp856836pxk; Wed, 9 Sep 2020 23:38:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz0pg5NFN6bTVEfM7GRh0IxchthO/9g44oi+mw4o9CKJEuOk/zaOIeJ+1pNN1T50wAb+G2B X-Received: by 2002:a17:906:4b4a:: with SMTP id j10mr7336912ejv.498.1599719925358; Wed, 09 Sep 2020 23:38:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599719925; cv=none; d=google.com; s=arc-20160816; b=kE5gTlbtr76Pc8nSxiNL9ReONLJWvy4lYSp9Q82dLdEhv7ChlNlLuO4YvaTu1amjXn smvMescGQOMJrR6CWThLO0vC6VpjCih0ORTv7BSkLzohiTcA2PpLfyBA0gqP5Y7Y9BMm PBM52HTcWmvKaEWc2hp4z/liu0S7s+jMQe9PeeDV1Ap/11ANEQrJOlOIn0s9bu1yyioC 1VOZAja8MbTxdd0FUV1EmzyiQ3ClzejBGrrPkW4tpxTYgu/9kRiuTGkJLsu8Ds5JwaFG 54jDIR59Yw2MrF+ztbQrhPjnVXjOCBM1flc3z29QR+GTVXynp3eujk06alDyPxHQ/hap r+eA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=9UW16lUstnnCGbjpX3liKw7JzbSB4SPpIDupEPmn0vI=; b=Dq4ZM9EM/BYD2CVEQJjzdELE2FhF/WkmDb6whn6TTPFPCSUXgwqUTRDUuRvyActAMt y8uPMFu3p3I243vXYsNqWibG78iCxdJm9SfdB2zD4bzQ5LUh0NEs1tIEIZrVUiuWWbBF Iro3cKSK8qQcwf0D0ugkbutzBpg7Br6EMLVQL5dMbOnDGy0nXJ8Zy+wHzD9zwG9kmvDG qExusLA0Y23PQFx/sr9R8cfpMa+nXoDvh55kBYFZgkSOMk8omuCfKvhHMdz2OrE0JYU6 ZIutBuFiOVxmSVYLfmK3qwDJ8JYJSwdrW4CStiRZt/Kuq2DTkwtu1Sxssclq0cRq13Q+ SuRw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ORBbdEvC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a12si3086301eda.373.2020.09.09.23.38.21; Wed, 09 Sep 2020 23:38:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ORBbdEvC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726893AbgIJGgd (ORCPT + 99 others); Thu, 10 Sep 2020 02:36:33 -0400 Received: from us-smtp-1.mimecast.com ([205.139.110.61]:28606 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726693AbgIJGga (ORCPT ); Thu, 10 Sep 2020 02:36:30 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599719788; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9UW16lUstnnCGbjpX3liKw7JzbSB4SPpIDupEPmn0vI=; b=ORBbdEvCijRtsn9ZbDuTzo6MtTssRFeHeCL7cXE8A7QjDukN6mZEe01r+bMrY+9Yt/BCWX LIwj4GWpd4CrHYMrxK6nZV/MKzrwXtepQMRHMWI6M/d4ztlcmdBnwu45mCGYB7z2ioj+Ij zThFZJ2dl+/BZTRhbCbIFe/GEb4DODE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-326-l5e4-x2BMViknvYHd6dgQQ-1; Thu, 10 Sep 2020 02:36:25 -0400 X-MC-Unique: l5e4-x2BMViknvYHd6dgQQ-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B56951005E7C; Thu, 10 Sep 2020 06:30:06 +0000 (UTC) Received: from kamzik.brq.redhat.com (unknown [10.40.192.124]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 60B0B7E46E; Thu, 10 Sep 2020 06:30:01 +0000 (UTC) Date: Thu, 10 Sep 2020 08:29:58 +0200 From: Andrew Jones To: Steven Price Cc: Peter Maydell , Juan Quintela , Catalin Marinas , Richard Henderson , qemu-devel@nongnu.org, "Dr. David Alan Gilbert" , kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, Marc Zyngier , Thomas Gleixner , Will Deacon , Dave Martin , linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 0/2] MTE support for KVM guest Message-ID: <20200910062958.o55apuvdxmf3uiqb@kamzik.brq.redhat.com> References: <20200904160018.29481-1-steven.price@arm.com> <20200909152540.ylnrljd6aelxoxrf@kamzik.brq.redhat.com> <857566df-1b98-84f7-9268-d092722dc749@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <857566df-1b98-84f7-9268-d092722dc749@arm.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 09, 2020 at 05:04:15PM +0100, Steven Price wrote: > On 09/09/2020 16:25, Andrew Jones wrote: > > On Fri, Sep 04, 2020 at 05:00:16PM +0100, Steven Price wrote: > > > 2. Automatically promotes (normal host) memory given to the guest to be > > > tag enabled (sets PG_mte_tagged), if any VCPU has MTE enabled. The > > > tags are cleared if the memory wasn't previously MTE enabled. > > > > Shouldn't this be up to the guest? Or, is this required in order for the > > guest to use tagging at all. Something like making the guest IPAs memtag > > capable, but if the guest doesn't enable tagging then there is no guest > > impact? In any case, shouldn't userspace be the one that adds PROT_MTE > > to the memory regions it wants the guest to be able to use tagging with, > > rather than KVM adding the attribute page by page? > > I think I've probably explained this badly. > > The guest can choose how to populate the stage 1 mapping - so can choose > which parts of memory are accessed tagged or not. However, the hypervisor > cannot restrict this in stage 2 (except by e.g. making the memory uncached > but that's obviously not great - however devices forward to the guest can be > handled like this). > > Because the hypervisor cannot restrict the guest's access to the tags, the > hypervisor must assume that all memory given to the guest could have the > tags accessed. So it must (a) clear any stale data from the tags, and (b) > ensure that the tags are preserved (e.g. when swapping pages out). > Yes, this is how I understood it. > Because of the above the current series automatically sets PG_mte_tagged on > the pages. Note that this doesn't change the mappings that the VMM has (a > non-PROT_MTE mapping will still not have access to the tags). But if userspace created the memslots with memory already set with PROT_MTE, then this wouldn't be necessary, right? And, as long as there's still a way to access the memory with tag checking disabled, then it shouldn't be a problem. > > > > If userspace needs to write to guest memory then it should be due to > > a device DMA or other specific hardware emulation. Those accesses can > > be done with tag checking disabled. > > Yes, the question is can the VMM (sensibly) wrap the accesses with a > disable/renable tag checking for the process sequence. The alternative at > the moment is to maintain a separate (untagged) mapping for the purpose > which might present it's own problems. Hmm, so there's no easy way to disable tag checking when necessary? If we don't map the guest ram with PROT_MTE and continue setting the attribute in KVM, as this series does, then we don't need to worry about it tag checking when accessing the memory, but then we can't access the tags for migration. > > > > > > > If it's not practical to either disable tag checking in the VMM or > > > maintain multiple mappings then the alternatives I'm aware of are: > > > > > > * Provide a KVM-specific method to extract the tags from guest memory. > > > This might also have benefits in terms of providing an easy way to > > > read bulk tag data from guest memory (since the LDGM instruction > > > isn't available at EL0). > > > > Maybe we need a new version of KVM_GET_DIRTY_LOG that also provides > > the tags for all addresses of each dirty page. > > Certainly possible, although it seems to conflate two operations: "get list > of dirty pages", "get tags from page". It would also require a lot of return > space (size of slot/32). > It would require num-set-bits * host-page-size / 16 / 2, right? > > > * Provide support for user space setting the TCMA0 or TCMA1 bits in > > > TCR_EL1. These would allow the VMM to generate pointers which are not > > > tag checked. > > > > So this is necessary to allow the VMM to keep tag checking enabled for > > itself, plus map guest memory as PROT_MTE, and write to that memory when > > needed? > > This is certainly one option. The architecture provides two "magic" values > (all-0s and all-1s) which can be configured using TCMAx to be treated > differently. The VMM could therefore construct pointers to otherwise tagged > memory which would be treated as untagged. > > However, Catalin's user space series doesn't at the moment expose this > functionality. > So if I understand correctly this would allow us to map the guest memory with PAGE_MTE and still access the memory when needed. If so, then this sounds interesting. Thanks, drew