Received-SPF: pass (google.com: domain of linux-kernel+bounces-19099-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Date: Mon, 8 Jan 2024 14:02:57 +0800
From: Yan Zhao <yan.y.zhao@intel.com>
To: Jason Gunthorpe <jgg@nvidia.com>
CC: <kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<dri-devel@lists.freedesktop.org>, <pbonzini@redhat.com>,
	<seanjc@google.com>, <olvaffe@gmail.com>, <kevin.tian@intel.com>,
	<zhiyuan.lv@intel.com>, <zhenyu.z.wang@intel.com>, <yongwei.ma@intel.com>,
	<vkuznets@redhat.com>, <wanpengli@tencent.com>, <jmattson@google.com>,
	<joro@8bytes.org>, <gurchetansingh@chromium.org>, <kraxel@redhat.com>,
	<zzyiwei@google.com>, <ankita@nvidia.com>, <alex.williamson@redhat.com>,
	<maz@kernel.org>, <oliver.upton@linux.dev>, <james.morse@arm.com>,
	<suzuki.poulose@arm.com>, <yuzenghui@huawei.com>
Subject: Re: [PATCH 0/4] KVM: Honor guest memory types for virtio GPU devices
Message-ID: <ZZuQEQAVX28v7p9Z@yzhao56-desk.sh.intel.com>
Reply-To: Yan Zhao <yan.y.zhao@intel.com>
References: <20240105091237.24577-1-yan.y.zhao@intel.com>
 <20240105195551.GE50406@nvidia.com>
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20240105195551.GE50406@nvidia.com>
Precedence: bulk
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?p6jM7Na2Ia0Q850VhWTEgtg8tLR/cUAw95a/g+R8wa9d0RYrWK1ud2XNAdOS?=
 =?us-ascii?Q?stc5WBVmZcNHptxTEgwJPMoFGzOh9Baob6XNZr9ioHt7NgqDtY3ivksfE6VJ?=
 =?us-ascii?Q?G/RCmWwtey6n1F9zIMPGBjKBFClOskBMTBOr0RKQWYmajHk6oO8IOtPTA/tL?=
 =?us-ascii?Q?5HeCYfR5nItFwCsoer11QIm+Kfef9wWHDSzMTX/QGejnril6m3enQROX9AHX?=
 =?us-ascii?Q?nCFFaY5v1fyh+qcZqz+TZuYA7hbfhWOIv++BHAJZc/kCQF3dlpxWN6R5pjMc?=
 =?us-ascii?Q?cTGZwtuNyXs8O3mm0OpbgnPVmQ/Na3PZvbMC3kTdwLSmef25Zv2gt/luqz3k?=
 =?us-ascii?Q?G8rpZs1Vy+/V4c0lMu675SctwTUYxaI6Im9SZgAdNZpFxO3mOu6MDtrIm3We?=
 =?us-ascii?Q?K9IobQZHYf692xfRffF/PSpzuRpVZbo4QgEC9JY6n+rAfuo/pfuJvcwkFdT4?=
 =?us-ascii?Q?4gQ1bMZ/b7FxkuZ37qRUsmAGmbCqIxUv3xAsl08Sn5z1tuXKWZ7ZlylqY7xH?=
 =?us-ascii?Q?PBHj0IEAuykx+3FO8KFlOMND+rQU0ej+68prePrzUrx4aeTceh5rUaN0Y91A?=
 =?us-ascii?Q?LDahhlC3qdU3BLDgAhil8AvJMr1Rst3Q+M7LNW6TxHRhEu6JNmU4nqnbBext?=
 =?us-ascii?Q?MuxrPLsgvt7N9xgFVYhYlh1jUDIgHwn9sHmsagMv9sdfLvyUUacuLrt4B31V?=
 =?us-ascii?Q?CNg6gS8dSHxxOP2SBfqpHTqcoc3gNlJ6GTi5T/RGLvqJPgdxb151GQS4k1jV?=
 =?us-ascii?Q?M36PpAgrdVF0mxDjgnS5pHKtRgANoJWZObYtyOLR79fO7cUTL24Pmxogo/Tg?=
 =?us-ascii?Q?urt3xt07sfOomwmtvbWnPx36U93ItqPZX2QoO/tvYYGTcRfwSPHr2EPnvdcj?=
 =?us-ascii?Q?Oeo3pn+trlaDvLMd2HhdUe35vxSeFl2mMu+o8AvWkzeqNpQhsb0rpErPXsS2?=
 =?us-ascii?Q?+o3whNHMaLtNWFQvJMojEA6k96aIBe01snYG1ObH5Lzp4qI0iGzwObaYINVn?=
 =?us-ascii?Q?FkdamQ6+utGUwXuZ9NABRQJNEWif7vwFntoZPdL1zMpQDg/B/03ztKTRwwVu?=
 =?us-ascii?Q?NQcPBVWg4E9N927sh1ICsJBzd6zncZAxQe7P2hx1PFyddwAl/Xds8RGrzulY?=
 =?us-ascii?Q?mSA78UEB2pKhNIAOFWZdM6HNFAroV+J5taXnxkfbXvEpQubwmz9MDMHIjFR2?=
 =?us-ascii?Q?6DOs9ONDbO7BjdA1pjQB+/ac+cYtaSTZ3q7GgNip+XSupjN372voNybdkjc7?=
 =?us-ascii?Q?2vUg8lEAAuFf1rET0recWNxz96Jn/d3lOsnGWAWqVn+Wl2tpKfOl29zpOitT?=
 =?us-ascii?Q?6eE9AXFSPw6cKSBIKOCKiKFUrJ5SXTUzohVTUzQmEMS3GALDvFyIvkkbK9R4?=
 =?us-ascii?Q?XndIOct4DngzxGJiLaSaKAUR4QmiGUYHxtoO38P5l0TPqvNuG1J166E3fsUg?=
 =?us-ascii?Q?j+BiZ3s1ibI/cv5bBURlGpc0fqz33M7Y6Rw2L7KdoLjOz32AoPTrRLhTyKYm?=
 =?us-ascii?Q?Uu5/KPJf9WJUMrHvKhaQOXH0jmbw1hpdnkGoSTC97JzV4/Li9mO+8uXgGein?=
 =?us-ascii?Q?f9AZ9Ue5y91oXgSvrjIiKh2NDoktyEpaotRU4/Iy?=
X-MS-Exchange-CrossTenant-Network-Message-Id: 671385a7-fa70-4fd6-c9ba-08dc10139142
X-MS-Exchange-CrossTenant-AuthSource: DS7PR11MB5966.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Jan 2024 06:32:20.8793
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: NdgQyTOl8TrdsYL7+2eu5y0Zi/o1bWMS5V40k7b14jDLuLzhg89LWHT1AM88EY5RfJdt133LIr4bE9jL7TF29g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5207
X-OriginatorOrg: intel.com

On Fri, Jan 05, 2024 at 03:55:51PM -0400, Jason Gunthorpe wrote:
> On Fri, Jan 05, 2024 at 05:12:37PM +0800, Yan Zhao wrote:
> > This series allow user space to notify KVM of noncoherent DMA status so as
> > to let KVM honor guest memory types in specified memory slot ranges.
> > 
> > Motivation
> > ===
> > A virtio GPU device may want to configure GPU hardware to work in
> > noncoherent mode, i.e. some of its DMAs do not snoop CPU caches.
> 
> Does this mean some DMA reads do not snoop the caches or does it
> include DMA writes not synchronizing the caches too?
Both DMA reads and writes are not snooped.
The virtio host side will mmap the buffer to WC (pgprot_writecombine)
for CPU access and program the device to access the buffer in uncached
way.
Meanwhile, virtio host side will construct a memslot in KVM with the PTR
returned from the mmap, and notify virtio guest side to mmap the same buffer in
guest page table with PAT=WC, too.

> 
> > This is generally for performance consideration.
> > In certain platform, GFX performance can improve 20+% with DMAs going to
> > noncoherent path.
> > 
> > This noncoherent DMA mode works in below sequence:
> > 1. Host backend driver programs hardware not to snoop memory of target
> >    DMA buffer.
> > 2. Host backend driver indicates guest frontend driver to program guest PAT
> >    to WC for target DMA buffer.
> > 3. Guest frontend driver writes to the DMA buffer without clflush stuffs.
> > 4. Hardware does noncoherent DMA to the target buffer.
> > 
> > In this noncoherent DMA mode, both guest and hardware regard a DMA buffer
> > as not cached. So, if KVM forces the effective memory type of this DMA
> > buffer to be WB, hardware DMA may read incorrect data and cause misc
> > failures.
> 
> I don't know all the details, but a big concern would be that the
> caches remain fully coherent with the underlying memory at any point
> where kvm decides to revoke the page from the VM.
Ah, you mean, for page migration, the content of the page may not be copied
correctly, right?

Currently in x86, we have 2 ways to let KVM honor guest memory types:
1. through KVM memslot flag introduced in this series, for virtio GPUs, in
   memslot granularity.
2. through increasing noncoherent dma count, as what's done in VFIO, for
   Intel GPU passthrough, for all guest memory.

This page migration issue should not be the case for virtio GPU, as both host
and guest are synced to use the same memory type and actually the pages
are not anonymous pages.
For GPU pass-through, though host mmaps with WB, it's still fine for guest to
use WC because page migration on pages of VMs with pass-through device is not
allowed.

But I agree, this should be a case if user space sets the memslot flag to honor
guest memory type to memslots for guest system RAM where non-enlightened guest
components may cause guest and host to access with different memory types.
Or simply when the guest is a malicious one.

> If you allow an incoherence of cache != physical then it opens a
> security attack where the observed content of memory can change when
> it should not.

In this case, will this security attack impact other guests?

> 
> ARM64 has issues like this and due to that ARM has to have explict,
> expensive, cache flushing at certain points.
>