Date: Wed, 17 Aug 2022 22:40:12 -0700 (PDT)
From: Hugh Dickins
To: Chao Peng
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, linux-doc@vger.kernel.org, qemu-devel@nongnu.org, linux-kselftest@vger.kernel.org, Paolo Bonzini, Jonathan Corbet, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H . Peter Anvin", Hugh Dickins, Jeff Layton, "J . Bruce Fields", Andrew Morton, Shuah Khan, Mike Rapoport, Steven Price, "Maciej S . Szmigiero", Vlastimil Babka, Vishal Annapurve, Yu Zhang, "Kirill A . Shutemov", luto@kernel.org, jun.nakajima@intel.com, dave.hansen@intel.com, ak@linux.intel.com, david@redhat.com, aarcange@redhat.com, ddutile@redhat.com, dhildenb@redhat.com, Quentin Perret, Michael Roth, mhocko@suse.com, Muchun Song, "Gupta, Pankaj"
Subject: Re: [PATCH v7 00/14] KVM: mm: fd-based approach for supporting KVM guest private memory
In-Reply-To: <20220706082016.2603916-1-chao.p.peng@linux.intel.com>

On Wed, 6 Jul 2022, Chao Peng wrote:
> This is the v7 of this series which tries to implement the fd-based KVM
> guest private memory.

Here at last are my reluctant thoughts on this patchset.

fd-based approach for supporting KVM guest private memory: fine.

Use or abuse of memfd and shmem.c: mistaken.

memfd_create() was an excellent way to put together the initial prototype.

But since then, TDX in particular has forced an effort into preventing
(by flags, seals, notifiers) almost everything that makes it shmem/tmpfs.

Are any of the shmem.c mods useful to existing users of shmem.c? No.
Is MFD_INACCESSIBLE useful or comprehensible to memfd_create() users? No.

What use do you have for a filesystem here? Almost none.
IIUC, what you want is an fd through which QEMU can allocate kernel
memory, selectively free that memory, and communicate fd+offset+length
to KVM.
And perhaps an interface to initialize a little of that memory
from a template (presumably copied from a real file on disk somewhere).

You don't need shmem.c or a filesystem for that!

If your memory could be swapped, that would be enough of a good reason
to make use of shmem.c: but it cannot be swapped; and although there
are some references in the mailthreads to it perhaps being swappable
in future, I get the impression that will not happen soon if ever.

If your memory could be migrated, that would be some reason to use
filesystem page cache (because page migration happens to understand
that type of memory): but it cannot be migrated.

Some of these impressions may come from earlier iterations of the
patchset (v7 looks better in several ways than v5). I am probably
underestimating the extent to which you have taken on board other
usages beyond TDX and SEV private memory, and rightly want to serve
them all with similar interfaces: perhaps there is enough justification
for shmem there, but I don't see it. There was mention of userfaultfd
in one link: does that provide the justification for using shmem?

I'm afraid of the special demands you may make of memory allocation
later on - surprised that huge pages are not mentioned already;
gigantic contiguous extents? secretmem removed from direct map?

Here's what I would prefer, and imagine much easier for you to maintain;
but I'm no system designer, and may be misunderstanding throughout.

QEMU gets fd from opening /dev/kvm_something, uses ioctls (or perhaps
the fallocate syscall interface itself) to allocate and free the memory,
ioctl for initializing some of it too. KVM in control of whether that
fd can be read or written or mmap'ed or whatever, no need to prevent it
in shmem.c, no need for flags, seals, notifications to and fro because
KVM is already in control and knows the history. If shmem actually has
value, call into it underneath - somewhat like SysV SHM, and /dev/zero
mmap, and i915/gem make use of it underneath.
If shmem has nothing to add, just allocate and free kernel memory
directly, recorded in your own xarray.

With that /dev/kvm_something subject to access controls and LSMs -
which I cannot find for memfd_create(). Full marks for including the
MFD_INACCESSIBLE manpage update, and for Cc'ing linux-api: but I'd
have expected some doubts from that direction already.

Hugh
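
The fd + offset + length model discussed in the message above (allocate, selectively free, restrict what holders of the fd may do), shown with the existing memfd_create(), file-seal and fallocate() interfaces. This is an added example, not part of the message or of the patch series: it uses neither MFD_INACCESSIBLE nor the proposed /dev/kvm_something, and the memfd name, the 4-page size and the `demo_result` / `run_demo` names are constructed for illustration. Raw syscall() is used so the block builds without glibc feature-test macros.

```c
#include <errno.h>
#include <linux/falloc.h>   /* FALLOC_FL_PUNCH_HOLE, FALLOC_FL_KEEP_SIZE */
#include <linux/fcntl.h>    /* F_ADD_SEALS, F_GET_SEALS, F_SEAL_* */
#include <linux/memfd.h>    /* MFD_CLOEXEC, MFD_ALLOW_SEALING */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

struct demo_result {
    long seals, pages_alloc, pages_left; /* seal mask; backing pages before/after the punch */
    int grow_errno;                      /* errno from ftruncate() past the sealed size */
};

/* Pages actually backing the fd, from st_blocks (512-byte units). */
static long backing_pages(int fd, long page) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_blocks * 512 / page : -1;
}

/* Constructed demo on a 4-page memfd; the name and sizes are illustrative. */
int run_demo(struct demo_result *r) {
    long page = sysconf(_SC_PAGESIZE), len = 4 * page;
    long seal = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL;
    long punch = FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE;
    int fd = (int)syscall(SYS_memfd_create, "guest-mem-demo",
                          (long)(MFD_CLOEXEC | MFD_ALLOW_SEALING));
    if (fd < 0) return -1;
    /* Fix the size, then seal it so no holder of the fd can resize it. */
    int ok = ftruncate(fd, len) == 0 &&
             syscall(SYS_fcntl, fd, (long)F_ADD_SEALS, seal) == 0;
    r->seals = syscall(SYS_fcntl, fd, (long)F_GET_SEALS);
    r->grow_errno = ftruncate(fd, 2 * len) == 0 ? 0 : errno;
    /* Allocate offset 0..len, then selectively free the second page. */
    ok = ok && syscall(SYS_fallocate, fd, 0L, 0L, len) == 0;
    r->pages_alloc = backing_pages(fd, page);
    ok = ok && syscall(SYS_fallocate, fd, punch, page, page) == 0;
    r->pages_left = backing_pages(fd, page);
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    struct demo_result r = {0};
    int rc = run_demo(&r);
    printf("rc=%d seals=%#lx grow_errno=%d pages=%ld->%ld\n", rc,
           (unsigned long)r.seals, r.grow_errno, r.pages_alloc, r.pages_left);
    return rc != 0;
}
```

Nothing in this sequence passes through a path-based permission check: the fd comes from memfd_create() with no device node or file mode involved.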