Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp9403111rwp; Thu, 20 Jul 2023 04:35:28 -0700 (PDT) X-Google-Smtp-Source: APBJJlEBHEDpDbR+KFyijDkPHGGkf+sHhc7FStl6iGdz/KAv6MEJDYwRtlA1kivhAIrUjPEZdRl7 X-Received: by 2002:a17:907:7f18:b0:98f:c9b:24ed with SMTP id qf24-20020a1709077f1800b0098f0c9b24edmr6098056ejc.67.1689852928110; Thu, 20 Jul 2023 04:35:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689852928; cv=none; d=google.com; s=arc-20160816; b=FLRLbZfgJ8gbSG7UKad5darVzmGr0uSC0bHOj9YAAYGH+2SArpl5kz/Z56vVscyPLJ j3AbG+qd9L4IGzrTrrz3/670iwghAx+zSaSJaMAnJ+qCLSAds5Itzqc5dqOAT2DgNfWp PZt4k6y9/hMaBNeBvcmqWwxOiB048qLc+sMNEPQBkKHzEMdQLpZThnvMh5pnczXcnHw8 i4tg4YQiuUNSznM+PCGmGCFu2vn5/UGrUSyt6EXh2W/2OJnCvrKnICTJYehXwaW6bSDz demJyAFq4Jfim5oPWMc6hegHEnBshGS9yruZuywdFJ2lliHDmvAJNNt/YSkAsT4QW5iT Z2UQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=e4B2BG6XUrUqGr12MPkMZlVrlwa3pTF2YfzQOfvQ10Q=; fh=88kWLdG1vMWuaSB0MVOl6+MMLV8kNfbm9ZyBdrlSZvg=; b=052MwyCZA0IyVgLFq2Ekl1SrNMViHC1LjEHhYFgpuZXPED8yw6pHvAk9AdMXs3l+OJ lz5QsjlQ6UfzStCZqOr6w/ikWh+7i6bjxb7/Q1mzPx1r25hKSLt/xTfuOngNguGRFph/ i1q/32b4SYQvu+Hrag8E3Wx+agzG7v7iGs/ejTG+2wlOeEZ8sVpI+jI0i34KRDlSqkSN Cu4geJ/IElHbTKyfqI0LF4VQJz5vX3+C6VMHKQRfFaX8CQd8qwkfjR0amX8+lFYlEbEZ 2yZndxPbhC1EXxg4LkJOdtzIjfOiHz2ReGij/KD1Kggf/Jr7EXlAt4W/F3nBQttMOAgS lNXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=itESVfl4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id lz24-20020a170906fb1800b00992fef5cff8si556591ejb.552.2023.07.20.04.35.03; Thu, 20 Jul 2023 04:35:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=itESVfl4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230211AbjGTKj6 (ORCPT + 99 others); Thu, 20 Jul 2023 06:39:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43650 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229704AbjGTKj4 (ORCPT ); Thu, 20 Jul 2023 06:39:56 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA37E10FC; Thu, 20 Jul 2023 03:39:55 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 76ED9619D6; Thu, 20 Jul 2023 10:39:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 628BEC433C8; Thu, 20 Jul 2023 10:39:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1689849594; bh=Ar/Gi1NpfeGPQHX9IvNG60t0nluiTW51x6QacXx+2Fo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=itESVfl4kwoeHpazFODI25Ze0/Mpw2JE1wwRTKeEpY6l2/WuEIglQJEqaZBBDgn9G 81ZjDN1xNM6U6lOU5IKpsoInvikT3lNMYPlf2Mc4fbJklfhGG7ZcbZe6A3fxkBtDnq CLge5Hw424qwiu1mL+NxMUzR4+xHVahM3J/cxYe/iJpsCf0yzo2FM4d4R+jZyrDM5h 1l93xBHmhfkfp2igQPCjy3TW3h0uWjhOImxdePy2KnFv0i/P5a5EmsX5MIWawoytEZ OFbqU1U4a+vkd+dex7ykkUUD5hnFA7JFDZWuwsLfRomtCCgHVX36A4MjmX2km/T+de 05/h+1VZXHCdQ== Date: Thu, 20 Jul 2023 11:39:47 +0100 From: Will Deacon To: Elliot Berman Cc: Alex Elder , Srinivas Kandagatla , Prakruthi Deepak Heragu , Murali Nalajala , Trilok Soni , Srivatsa Vaddagiri , Carl van Schaik , Dmitry Baryshkov , Bjorn Andersson , Konrad Dybcio , Arnd Bergmann , Greg Kroah-Hartman , Rob Herring , Krzysztof Kozlowski , Jonathan Corbet , Bagas Sanjaya , Andy Gross , Catalin Marinas , Jassi Brar , linux-arm-msm@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, qperret@google.com Subject: Re: [PATCH v13 10/24] gunyah: vm_mgr: Add/remove user memory regions Message-ID: <20230720103946.GC11034@willie-the-truck> References: <20230509204801.2824351-1-quic_eberman@quicinc.com> <20230509204801.2824351-11-quic_eberman@quicinc.com> <20230519115948.GB2637@willie-the-truck> <20230605141839.GD21212@willie-the-truck> <3bd86221-ee2e-d157-009b-11f6ada98537@quicinc.com> <04605642-cad8-1701-ff41-63f2f00ba5f6@quicinc.com> <20230714121321.GB5597@willie-the-truck> <5ef4a5f7-27a0-f46c-fcbd-c3b8c93e0366@quicinc.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5ef4a5f7-27a0-f46c-fcbd-c3b8c93e0366@quicinc.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 18, 2023 at 07:28:49PM -0700, Elliot Berman wrote: > On 7/14/2023 5:13 AM, Will Deacon wrote: > > On Thu, Jul 13, 2023 at 01:28:34PM -0700, Elliot Berman wrote: > > > On 6/22/2023 4:56 PM, Elliot Berman wrote: > > > > On 6/7/2023 8:54 AM, Elliot Berman wrote: > > > > > On 6/5/2023 7:18 AM, Will Deacon wrote: > > > > > > Right, protected guests will use the new restricted memfd ("guest mem" > > > > > > now, I think?), but non-protected guests should implement the existing > > > > > > interface *without* the need for the GUP pin on guest memory pages. Yes, > > > > > > that means full support for MMU notifiers so that these pages can be > > > > > > managed properly by the host kernel. We're working on that for pKVM, but > > > > > > it requires a more flexible form of memory sharing over what we > > > > > > currently > > > > > > have so that e.g. the zero page can be shared between multiple entities. > > > > > > > > > > Gunyah doesn't support swapping pages out while the guest is running > > > > > and the design of Gunyah isn't made to give host kernel full control > > > > > over the S2 page table for its guests. As best I can tell from > > > > > reading the respective drivers, ACRN and Nitro Enclaves both GUP pin > > > > > guest memory pages prior to giving them to the guest, so I don't > > > > > think this requirement from Gunyah is particularly unusual. > > > > > > > > > > > > > I read/dug into mmu notifiers more and I don't think it matches with > > > > Gunyah's features today. We don't allow the host to freely manage VM's > > > > pages because it requires the guest VM to have a level of trust on the > > > > host. Once a page is given to the guest, it's done for the lifetime of > > > > the VM. Allowing the host to replace pages in the guest memory map isn't > > > > part of any VM's security model that we run in Gunyah. With that > > > > requirement, longterm pinning looks like the correct approach to me. > > > > > > Is my approach of longterm pinning correct given that Gunyah doesn't allow > > > host to freely swap pages? > > > > No, I really don't think a longterm GUP pin is the right approach for this. > > GUP pins in general are horrible for the mm layer, but required for cases > > such as DMA where I/O faults are unrecoverable. Gunyah is not a good > > justification for such a hack, and I don't think you get to choose which > > parts of the Linux mm you want and which bits you don't. > > > > In other words, either carve out your memory and pin it that way, or > > implement the proper hooks for the mm to do its job. > > I talked to the team about whether we can extend the Gunyah support for > this. We have plans to support sharing/lending individual pages when the > guest faults on them. The support also allows (unprotected) pages to be > removed from the VM. We'll need to temporarily pin the pages of the VM > configuration device tree blob while the VM is being created and those pages > can be unpinned once the VM starts. I'll work on this. That's pleasantly unexpected, thanks for pursuing this! Will