Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp5087854rwb; Tue, 17 Jan 2023 09:03:19 -0800 (PST) X-Google-Smtp-Source: AMrXdXt06KEW9TnNOomP3epdhjHBsqSd5S8bB1+fF1V+waYRrsNCAPNlNGompDHdc6VA5jIbcxPm X-Received: by 2002:a05:6402:d4f:b0:49b:57f6:d9a with SMTP id ec15-20020a0564020d4f00b0049b57f60d9amr3630334edb.21.1673974999650; Tue, 17 Jan 2023 09:03:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673974999; cv=none; d=google.com; s=arc-20160816; b=VuP99mfK0ak/GUZakimDlQ3hv/JIbV4CyybUP0ajfgvjH1V9Bjy2yx/rKmeXJ7O2He njW8hPluoa9i2jK9gcEBgXXkG/3iolR4zDWTf3aZG6ZlVX6nk30p4+tApiKPSqSLjB6s rJYUVNF4zin1ILoUt5jsflF7O2+a2+Clm1pj2lCGlylKIKTYilwEXSogzFoL9v1avqXm JvPzrVZ3bfrt+L1ZgeZSGYBkBRJaSSbnCusm0e0+sO51O1VQAUxVqK/fAICC598v4DqE c+FB+/isE7bXkzq0k7scyFTEtQDs2jnddNn8ll4aceL/v6yxxcm3yPgvVIA6RYaXfr6E jb1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8r/Ogh+1/rmJVW9GjnyNto0Qv9HGXvmys+QiP8n0bi8=; b=Sz7pLTiysbL2jFAj/RXeu1hK3KKolQnmFSQcXG0ERv1nzeFs+UaNRiu7zYlxRfMK6Z 61F4iy9azFrEgqYFk3H6rBN5nHKL0u8A32npu61wTMUOBKZCggHqsLFbHw71tA0VJBqS gQ2y2sDL128rGEQIxdKWp0j1j517bhNAAdhLWhwFDXIYwAtk+yLZuOYHzfmdBkADtuiL 8a8xSHXsl2bIoiHxFtbSYzuWXZgGNjhkf9CQm/gdGsWOfQFK2OEPYX0jbB+oscK8e26F e3YdClLSuxRkd0uUC714tuIuU31N0nAtibMIsuMy0DwxtHiu6StNfB9FjsU2nyvf4Bdk CfbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="Zqt//Us+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c7-20020a05640227c700b00488852e1250si15974484ede.254.2023.01.17.09.03.06; Tue, 17 Jan 2023 09:03:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="Zqt//Us+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233583AbjAQQq0 (ORCPT + 48 others); Tue, 17 Jan 2023 11:46:26 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54802 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232715AbjAQQqP (ORCPT ); Tue, 17 Jan 2023 11:46:15 -0500 Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D2CB301B8 for ; Tue, 17 Jan 2023 08:46:08 -0800 (PST) Received: by mail-pf1-x434.google.com with SMTP id s3so21427952pfd.12 for ; Tue, 17 Jan 2023 08:46:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8r/Ogh+1/rmJVW9GjnyNto0Qv9HGXvmys+QiP8n0bi8=; b=Zqt//Us+4i857n+1xJVy2kkiE5l4YyMXMIvgWnWkki7y+W0sVhGU7GIzy/3mnhJcVh AO9ehmCXyq8Zjlok12JrlNyWu96zyA4m91XxdHC3feS1LeskkK+wS6WJtz19vBz5lbf8 FsodO4/8VeNqWqlUkFt1l29qjDON1oLjFf/dy45FsvbDT5mSch0lYU5O5lTPYBBTU26B XwyQhQAi1GiMa3kshq4YMcGMOtHLhYQmQIzTVWOm50Q2S0csgbclGjASM7KoUMKbJsv9 cGyMsfMY2qY2VBkBT1xri5EpObUoiNQuN5eRQgKE8mOqv4jVIhXT9RUPOj79tz4IZ4UK nMkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8r/Ogh+1/rmJVW9GjnyNto0Qv9HGXvmys+QiP8n0bi8=; b=x608F3e8NFLFAVneRZ3hSTbahVEw/WEpI6PXWuihctUJ25s7jfPT6AJ3NkZeel2ayJ HD+ekb/z/BnAomf53Wp8juVACojHLdhtY/9KfE+dPJ1w018xlYTcAUgN7vOKfRuvKjXe +TLubuanJxPbC8lIMbX4MF5TbIN5dEbf+/XbzcFYtwCIH2rGIMA8bS2oEVQmoQPCqQLm PxKdoJ7bJGqQDHfoe+2vEs3lbIfZQwMuiBxDJe1KZMHrRkWDI2zsAqVMaAITA0xcVwEu ZGYrujSrDe43hWdqtuU1pqRGGhHHOA7FKJ/znz3lmCWdZ1/Ri71h7DQDASdndJiPZJ5o imVw== X-Gm-Message-State: AFqh2kqKok0eaxZy45qnwkH2lD9OK4h3/E7nu7eevZrC7Cx69j0R8qUB p+hCmQ+gShGE0FX8+o9q/xZL5XZbwzWHN0NqX+u+uQ== X-Received: by 2002:aa7:85d5:0:b0:577:81cb:4761 with SMTP id z21-20020aa785d5000000b0057781cb4761mr353156pfn.46.1673973967519; Tue, 17 Jan 2023 08:46:07 -0800 (PST) MIME-Version: 1.0 References: <20230113212926.2904735-1-dionnaglaze@google.com> <20230113222024.rp2erl54vx3grdbd@box.shutemov.name> <20230116105648.63hsxnmj2juwudmu@sirius.home.kraxel.org> <20230116123057.wvr6rz7y3ubgcm5z@box.shutemov.name> <20230116134246.soworigs56bz5v7o@box.shutemov.name> <20230116231711.cudsnxvnfg6aef3w@box.shutemov.name> In-Reply-To: <20230116231711.cudsnxvnfg6aef3w@box.shutemov.name> From: Dionna Amalie Glaze Date: Tue, 17 Jan 2023 08:45:55 -0800 Message-ID: Subject: Re: [PATCH v2] x86/efi: Safely enable unaccepted memory in UEFI To: "Kirill A. Shutemov" Cc: Ard Biesheuvel , Gerd Hoffmann , "Kirill A. Shutemov" , linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, x86@kernel.org, jiewen.yao@intel.com, devel@edk2.groups.io, "Min M. Xu" , James Bottomley , Tom Lendacky , Erdem Aktas , Dave Hansen Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > > Why do you call boot with a bootloader a legacy feature? > Gerd answered this about EBS called from the bootloader. > > they'll only get a safe view of the memory map. I don't think it's right > > to choose unsafe behavior for a legacy setup. > > Present memory map with unaccepted memory to OS that doesn't about it is > perfectly safe. This portion of the memory will be ignored. It is "feature > not [yet] implemented" case. > SNP guest support is already in Linux, and it gets a full view of the memory given to the VM. If the firmware ever introduces unaccepted memory, then the kernel's behavior is retroactively broken without the "accept all if AllowUnacceptedMemory() not called" behavior of the UEFI. The memory that existed before becomes ignored. This is not the right approach IMO. > > > This patch adds complexity, breaks what works and the only upside will > > > turn into a dead weight soon. > > > > > > There's alternative to add option to instruct firmware to accept all > > > memory from VMM side. It will serve legacy OS that doesn't know about > > > unaccepted memory and it is also can be use by latency-sensitive users > > > later on (analog of qemu -mem-prealloc). > > > > > > > This means that users of a distro that has not enabled unaccepted > > memory support cannot simply start a VM with the usual command, but > > instead have to know a baroque extra flag to get access to all the > > memory that they configured the machine (and for a CSP customer, paid > > for). That's not a good experience. > > New features require enabling. It is not something new. > What I'm saying is that you're suggesting a feature _dis_abling requirement, which is an antipattern. Any SNP user right now would need to add a "don't use an unimplemented feature" flag to get access to all its memory again. > > With GCE at least, you can't (shouldn't) associate the boot feature > > flag with a disk image because disks are mutable. If a customer > > upgrades their kernel after initially starting their VM, they can't > > remove the flag due to the way image annotations work. > > I guess a new VM has to be created, right? Doesn't sound like a big deal > to me. > Usually it's not, but the retroactive need to create a new VM once the firmware adds UEFI v2.9 support with unaccepted memory is a big deal. > The old will not break with upgraded kernel. Just not get benefit of the > feature. > A user buys access to a high memory VM: 768GiB. They then shut down and bring it back up on a new firmware that uses unaccepted memory. That VM goes from 785GiB free memory to 3GiB free memory at boot. This is because all memory above 4GiB (and nothing there for the 3-4GiB MMIO hole) would be the unknown unaccepted memory type. We need the accept-all-if-support-not-acked semantics with the protocol. > > All of this headache goes away by adopting a small patch to the kernel > > that calls a 0-ary protocol interface and keeping safe acceptance > > behavior in the firmware. I think Gerd is right here that we should > > treat it as a transition feature that we can remove later. > > Removing a feature is harder than adding one. How do you define that > "later" has come? > Gerd's response of after 6.1-lts EOL is reasonable to me. At the same time, both SEV-SNP and TDX's Kconfig would need to strictly require unaccepted memory. The semantics of the UEFI under the proposed protocol is allowed to change the default behavior when the protocol is not exposed to the OS. The default would then be to always introduce unaccepted memory for TDX and SEV-SNP guests. To Gerd's point, removing "first in edk2, later in linux too" I think is backwards. We need all users of the protocol to agree that SEV-SNP and TDX strictly imply unaccepted memory support. Only then can we remove the protocol from EDK2. > Anyway, I think we walk in a circle. I consider it a misfeature. If you > want still go this path, please add my > > Nacked-by: Kirill A. Shutemov > Thanks for your time discussing. -- -Dionna Glaze, PhD (she/her)