Received: by 2002:ab2:3319:0:b0:1ef:7a0f:c32d with SMTP id i25csp263646lqc; Thu, 7 Mar 2024 17:28:42 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXkPE+wJxk4cJ3ZpHwO1nhnk0n1ejsdLL8jhIfYBdu1JLVDpf0ikV6VQhTe1tKwejjxmXniryTVFcfREuVuxt3dHUui7utosMgMx6tfHw== X-Google-Smtp-Source: AGHT+IHhpnjOs+O2T5DvPoqyOPoBvQsMZ131qPhpyNFLZ2jS+F4+L6wmlNWaWp7Hx+7n1S/ZRYS/ X-Received: by 2002:a05:6358:78a:b0:17c:1b6e:e4f5 with SMTP id n10-20020a056358078a00b0017c1b6ee4f5mr10724212rwj.27.1709861321872; Thu, 07 Mar 2024 17:28:41 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709861321; cv=pass; d=google.com; s=arc-20160816; b=fqnt1GCKL4QnEWxgJhYnITyTVlk1gEM8SmlQQ1fzATH1M0+VK+BdjnilYvVtbmHJS+ dfz4mmXtX82PsENiSpUCKi2rOXMcJfi5AXJEQPKCQwdFGDQtUcmeZVPW88/87fcZ9SI0 8qDKXrQs+ZrQr+Qp69A2AVzt7iqaaLDuC2BQtl2FEAErkYKnzncDKRSsREdJu1cD/Pt2 CotKKEg3ekZV4iU5jiaTnLW63aLa51CCYO7lZQT3bpOcdMIhxREzkiwNINr2EKhh8CXO FcmSkRS4ql1QI/yoDU3zPX//pI2PSaPUNA1XEH2Nl6MyckzjG8DO0v8qfzwLu2h92t4u bueQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:message-id:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date :dkim-signature; bh=2Q7HJDONtRmF9iMvjCwghqWgvN0CigeogTDpvGQ69zI=; fh=ZzxfUT8o4Dbe21rrWtk6/Tt6QEvNPrNlslVa2dlocOI=; b=Vjd2fx3+FY3UhoJzmpS0tluI13Z+yJRBCjdRePu6lnoVA+cnyVck2Vat5b6LkGix2E RVnLB9FNEMT+fxNJzAFrQjx9sz1c/YygMRXs1hYX9ZGezg3H89+GxtnvA3c0cYLEehgo W63/7g1oeL4TJYd5xdVTbjiDWGW2kgqvgPTOhyZCbYys897s8YdzuhwOrM8iqMUnkiuO 2IJ1rNH1qnCTDsnHkwr6Ycx6aRdYmXqpyhNNag4YCcdY9Ax06LKmc/k4r/WcCLD0Beo9 +5qbMv682t80IrXTog2m0q96HUFJ+uHfsPoA08gxGS800v/xTSV6gAYQ8xCI9M4yNuWT UeVA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=z3eMkDpS; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-96428-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-96428-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id i14-20020a639d0e000000b005d8e379746fsi14740121pgd.469.2024.03.07.17.28.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Mar 2024 17:28:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-96428-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=z3eMkDpS; arc=pass (i=1 spf=pass spfdomain=flex--seanjc.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-96428-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-96428-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 12ED2B21BFA for ; Fri, 8 Mar 2024 01:28:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2A1E92263A; Fri, 8 Mar 2024 01:28:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="z3eMkDpS" Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E321F139F for ; Fri, 8 Mar 2024 01:28:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709861304; cv=none; b=DECOeQOHtzYUORja7EilY65JcmsfoLsM+RiBvnYe1mfJ73Z59jSPE6qsUL7248arW27mNNJ9Zq4uqXTv/iKtu8MGRQgLJyIfEjxBuRbVABwITM/swM2X8cvw/KtguUBVWEvW8uAuXDrHQ4UsyE7EY9aj3tb0eIr5caDZ3y5e3Qk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709861304; c=relaxed/simple; bh=WdRzAXoOjri8cM1mBf2nyZ1olyPeorHKC2ja6oHUC8w=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=CSz5Gh5xc+VsF5vfdLo/TG+uJFqP2Rz5ltt+nF9LVJYiZW83J396EcjPA5mTnmntwlJO6Aq+1QUZkTpOAoz6oO2ItjrR1h3GWRCUvod3tqKgmV5b9hzVM94pU4NS9bQiFB7jRqApoUgFwD2XC3TWEbIUawRNrxoHiinznRqh/FY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=z3eMkDpS; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--seanjc.bounces.google.com Received: by mail-pf1-f201.google.com with SMTP id d2e1a72fcca58-6e64f08bddaso1427671b3a.2 for ; Thu, 07 Mar 2024 17:28:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1709861302; x=1710466102; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=2Q7HJDONtRmF9iMvjCwghqWgvN0CigeogTDpvGQ69zI=; b=z3eMkDpS/6+PetwDBmlpRG7eOoJ7Yj2yffijPFTBRNMv8KatRYJpOndk24nc1kc8Yh mSG6DwOaG1HZZwRZb8J5qB2qcxHBMPXLQaQuuUCi9byCqvijNj9/sEFj0PuWZibUuURD aQywtjzDegzBpLk6xbOqZdpSTSCJ4KzjvfiEsyluBFQAdFHJ96jHCY8gkbsjbRX7uTNm AJJqeLknQBb4NNPLQ8j4u3PZBrCtbWlxsQUNALHWlFZwE3TBo1ha1LziDMcqe+lhoIom A8g/QYhi+H5QGMOcP+8gIwxpUhPhlQxMHbzevdpPltsipTpxbMqO0/wq/Etgu6GBKu6S 4xdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709861302; x=1710466102; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=2Q7HJDONtRmF9iMvjCwghqWgvN0CigeogTDpvGQ69zI=; b=EopDkzwCVL5YhCFJ/FJVNee6Da9fiAuo/206X/M29tkjgXRGIxVCNzvl7CZ46rkOWu /Y4kd4KJ2Xa+zUfygpWkrQdGXn/Q8lQfnmxtPPBkzC1dCyTrpzxe69KxCUkT/OQ/gXig w9aT1WnNQOsHpJoBvYpRHp7BEStsbkMjZD9x0V077prhn84QZAr0hMdtsR7M4C9MVbF3 yKsmGOefNkqBQzosjQnh2st5ASAIhHYCxEd5Q+fWyh2EoNH26kBiriUla54fibyze40j WAiEvC6R69icgINdNxnewcBaxJ98vRVIEWychgMRbXh+r4hxoDnTeNMDPw9j3BcBE0Xg zKjw== X-Forwarded-Encrypted: i=1; AJvYcCXwRZcU6WiY0sRvBvVBS9EuiW7EfcaAXFjPNANzQVchV5qmzKkLUbTt4Z2chKNtRWGe1jDMFOIqmcvGgMsWL4YeBRloLWoTceew/+f2 X-Gm-Message-State: AOJu0Yxh/Upu8h3oEHjcauCaMUDTUP1uZsbxXuZaHSuLQfrNOSow1mT+ C0x+a3hsLz83nSx9F5ZEZgfhT+xuAGL2BGlxoj4FSIisguDiEH5imhVSaeQ3zWyUiW/5TIWnk4V L4g== X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a05:6a00:9398:b0:6e5:35c8:eefa with SMTP id ka24-20020a056a00939800b006e535c8eefamr382394pfb.2.1709861302144; Thu, 07 Mar 2024 17:28:22 -0800 (PST) Date: Thu, 7 Mar 2024 17:28:20 -0800 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <9f8d8e3b707de3cd879e992a30d646475c608678.camel@intel.com> <20240307203340.GI368614@ls.amr.corp.intel.com> <35141245-ce1a-4315-8597-3df4f66168f8@intel.com> Message-ID: Subject: Re: [RFC PATCH 1/8] KVM: Document KVM_MAP_MEMORY ioctl From: Sean Christopherson To: David Matlack Cc: Kai Huang , Isaku Yamahata , "kvm@vger.kernel.org" , Isaku Yamahata , "federico.parola@polito.it" , "pbonzini@redhat.com" , "linux-kernel@vger.kernel.org" , "isaku.yamahata@gmail.com" , "michael.roth@amd.com" Content-Type: text/plain; charset="us-ascii" On Thu, Mar 07, 2024, David Matlack wrote: > On 2024-03-08 01:20 PM, Huang, Kai wrote: > > > > > +:Parameters: struct kvm_memory_mapping(in/out) > > > > > +:Returns: 0 on success, <0 on error > > > > > + > > > > > +KVM_MAP_MEMORY populates guest memory without running vcpu. > > > > > + > > > > > +:: > > > > > + > > > > > + struct kvm_memory_mapping { > > > > > + __u64 base_gfn; > > > > > + __u64 nr_pages; > > > > > + __u64 flags; > > > > > + __u64 source; > > > > > + }; > > > > > + > > > > > + /* For kvm_memory_mapping:: flags */ > > > > > + #define KVM_MEMORY_MAPPING_FLAG_WRITE _BITULL(0) > > > > > + #define KVM_MEMORY_MAPPING_FLAG_EXEC _BITULL(1) > > > > > + #define KVM_MEMORY_MAPPING_FLAG_USER _BITULL(2) > > > > > > > > I am not sure what's the good of having "FLAG_USER"? > > > > > > > > This ioctl is called from userspace, thus I think we can just treat this always > > > > as user-fault? > > > > > > The point is how to emulate kvm page fault as if vcpu caused the kvm page > > > fault. Not we call the ioctl as user context. > > > > Sorry I don't quite follow. What's wrong if KVM just append the #PF USER > > error bit before it calls into the fault handler? > > > > My question is, since this is ABI, you have to tell how userspace is > > supposed to use this. Maybe I am missing something, but I don't see how > > USER should be used here. > > If we restrict this API to the TDP MMU then KVM_MEMORY_MAPPING_FLAG_USER > is meaningless, PFERR_USER_MASK is only relevant for shadow paging. +1 > KVM_MEMORY_MAPPING_FLAG_WRITE seems useful to allow memslots to be > populated with writes (which avoids just faulting in the zero-page for > anon or tmpfs backed memslots), while also allowing populating read-only > memslots. > > I don't really see a use-case for KVM_MEMORY_MAPPING_FLAG_EXEC. It would midly be interesting for something like the NX hugepage mitigation. For the initial implementation, I don't think the ioctl() should specify protections, period. VMA-based mappings, i.e. !guest_memfd, already have a way to specify protections. And for guest_memfd, finer grained control in general, and long term compatibility with other features that are in-flight or proposed, I would rather userspace specify RWX protections via KVM_SET_MEMORY_ATTRIBUTES. Oh, and dirty logging would be a pain too. KVM doesn't currently support execute-only (XO) or !executable (RW), so I think we can simply define KVM_MAP_MEMORY to behave like a read fault. E.g. map RX, and add W if all underlying protections allow it. That way we can defer dealing with things like XO and RW *if* KVM ever does gain support for specifying those combinations via KVM_SET_MEMORY_ATTRIBUTES, which will likely be per-arch/vendor and non-trivial, e.g. AMD's NPT doesn't even allow for XO memory. And we shouldn't need to do anything for KVM_MAP_MEMORY in particular if KVM_SET_MEMORY_ATTRIBUTES gains support for RWX protections the existing RWX and RX combinations, e.g. if there's a use-case for write-protecting guest_memfd regions. We can always expand the uAPI, but taking away functionality is much harder, if not impossible.