Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6B1EC64EC4 for ; Fri, 10 Feb 2023 18:42:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233135AbjBJSmF (ORCPT ); Fri, 10 Feb 2023 13:42:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34790 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233134AbjBJSmB (ORCPT ); Fri, 10 Feb 2023 13:42:01 -0500 Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5437823665 for ; Fri, 10 Feb 2023 10:41:58 -0800 (PST) Received: by mail-pl1-x635.google.com with SMTP id o8so5009195pls.11 for ; Fri, 10 Feb 2023 10:41:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=Ok45EUB5a0lrC1G1VBEVIJghKeOSx8dIT5YrcpXaZ2U=; b=GgjbQSZy1IdPTox+nR5ZLWTTXO7nzY/UMimwyDKci+qHnDHiXVnPsr/YKUeoxdwuCF zRyXiMSJLLFbPedh2Ek6TS5A4Tp5q9b4CKjWwJ8AWSfUOkzWDDf0i4Wsuvxw7WcBNMwX yBPsHXrxMECfexaRc6rBcBK8ib7PFOK5jxBmM3Bj/mLNrFrkHfQPotqyXTQ83lRqcGpH Wgb8FDbkydZZgOKI95IsGhjydWszVFbReaoR+JgIwemL3x7hLv25HLQ9iA3PxJqAsswF 7gMIiQi7gtC8Zf/qPhn88buWnIrBU+9LuQqHhogX1qcG2uorcOYPD9koLiIuNrvumYBx wNAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Ok45EUB5a0lrC1G1VBEVIJghKeOSx8dIT5YrcpXaZ2U=; b=m8oDX57s9MkgiwKQ3fRv05WctA4cv/hFhefH34VTHKPl0UuJk69+1nOdqiFYaIpXyk jA76M+YICcmLr4gfHG9Rd4Uy9XdisEwMbdvqBuf1JiFB/3l0tFN38qmbYxyQWTj5+oMk 1HTYi8y/DPZC2ZN9Lc1Q0g2Jo3IYGkSaa71Xwy5A1uWFhHa8LL+/QaQO7FSyVIuMUkco MHazvXu/k7SaFf5F7FZ8YuHFpY1tbXjaUCRbWbXw5wRDSA5Htek9WhG69Nrmq7Da35sh HT7UX6T1JAFisS+TBNr+ADzhRbHcP1luksrYGy/a0vFke0meljOmxjAZGnHNhqhjA+4Y nuJQ== X-Gm-Message-State: AO0yUKVRorJx8fr31KatxejG6YpmDKd9B4eBMm/iMLCTHqmlO+Hjhvjx V9ZS4OR+zQ6f7B0sHX/ZkYq1HQ== X-Google-Smtp-Source: AK7set93DJYG63ys9SOctBQRI7ddeFJlbzAb9UdgGVNbO8ool9VJU4UwhLQF6yN0q5ReGJyClZ0xtg== X-Received: by 2002:a17:902:e551:b0:19a:6cd2:a658 with SMTP id n17-20020a170902e55100b0019a6cd2a658mr234114plf.7.1676054518244; Fri, 10 Feb 2023 10:41:58 -0800 (PST) Received: from google.com (7.104.168.34.bc.googleusercontent.com. [34.168.104.7]) by smtp.gmail.com with ESMTPSA id a21-20020a170902ee9500b00199190b00efsm3701641pld.97.2023.02.10.10.41.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Feb 2023 10:41:57 -0800 (PST) Date: Fri, 10 Feb 2023 18:41:54 +0000 From: Sean Christopherson To: "Michael Kelley (LINUX)" Cc: Dave Hansen , Borislav Petkov , "hpa@zytor.com" , KY Srinivasan , Haiyang Zhang , "wei.liu@kernel.org" , Dexuan Cui , "luto@kernel.org" , "peterz@infradead.org" , "davem@davemloft.net" , "edumazet@google.com" , "kuba@kernel.org" , "pabeni@redhat.com" , "lpieralisi@kernel.org" , "robh@kernel.org" , "kw@linux.com" , "bhelgaas@google.com" , "arnd@arndb.de" , "hch@lst.de" , "m.szyprowski@samsung.com" , "robin.murphy@arm.com" , "thomas.lendacky@amd.com" , "brijesh.singh@amd.com" , "tglx@linutronix.de" , "mingo@redhat.com" , "dave.hansen@linux.intel.com" , Tianyu Lan , "kirill.shutemov@linux.intel.com" , "sathyanarayanan.kuppuswamy@linux.intel.com" , "ak@linux.intel.com" , "isaku.yamahata@intel.com" , "dan.j.williams@intel.com" , "jane.chu@oracle.com" , "tony.luck@intel.com" , "x86@kernel.org" , "linux-kernel@vger.kernel.org" , "linux-hyperv@vger.kernel.org" , "netdev@vger.kernel.org" , "linux-pci@vger.kernel.org" , "linux-arch@vger.kernel.org" , "iommu@lists.linux.dev" Subject: Re: [PATCH v5 06/14] x86/ioremap: Support hypervisor specified range to map as encrypted Message-ID: References: <1673559753-94403-1-git-send-email-mikelley@microsoft.com> <1673559753-94403-7-git-send-email-mikelley@microsoft.com> <4216dea6-d899-aecb-2207-caa2ae7db0e3@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Wearing my KVM hat and not my Google hat... On Thu, Feb 09, 2023, Michael Kelley (LINUX) wrote: > From: Dave Hansen Sent: Wednesday, February 8, 2023 9:24 AM > > > > On 2/7/23 04:41, Borislav Petkov wrote: > > > Or are there no similar TDX solutions planned where the guest runs > > > unmodified and under a paravisor? > > > > I actually don't think paravisors make *ANY* sense for Linux. I 100% agree, but Intel made what I think almost entirely irrelevant by refusing to allow third party code to run in SEAM. > > If you have to modify the guest, then just modify it to talk to the > > hypervisor directly. This code is... modifying the guest. What does > > putting a paravisor in the middle do for you? > > One of the original goals of the paravisor was to make fewer > modifications to the guest, especially in areas that aren't directly related > to the hypervisor. It's arguable as to whether that goal played out in > reality. > > But another significant goal is to be able to move some device emulation > from the hypervisor/VMM to the guest context. In a CoCo VM, this move > is from outside the TCB to inside the TCB. A great example is a virtual > TPM. Per the CoCo VM threat model, a guest can't rely on a vTPM > provided by the host. I vehemently disagree with this assertion. It's kinda sorta true, but only because Intel and AMD have gone down the road of not providing the mechanisms and ability for the hypervisor to run and attest to the integrity, functionality, etc. of (a subset of) the hypervisor's own code. Taking SEAM/TDX as an example, if the code running in SEAM were an extension of KVM instead of a hypervisor-agnostic nanny, then there would be no need for a "paravisor" to provide a vTPM. It would be very feasible to teach the SEAM-protected bits of KVM to forward vTPM accesses to a host-provided, signed, attested, and open source software running in a helper TD. I fully realize you meant "untrusted host", but statements like "the host can't be trusted" subconciously reinforce the, IMO, flawed model of hardware vendors and _only_ hardware vendors providing the trusted bits. The idea that firmware/software written by hardware vendors is somehow more trustworthy than fully open source software is simultaneously laughable and infuriating. Anyways, tying things back to the actual code being discussed, I vote against CC_ATTR_PARAVISOR. Being able to trust device emulation is not unique to a paravisor. A single flag also makes too many assumptions about what is trusted and thus should be accessed encrypted.