Received: by 2002:ab2:6309:0:b0:1fb:d597:ff75 with SMTP id s9csp592256lqt; Thu, 6 Jun 2024 12:09:21 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUrFd8qtuNe5DfBRo2ARLXctQKgSJhjOHDXhyjn2++OyR/SQost2hnse/XC+ATa+kumHQgLhqJiJ63tI7Jp7mSeWKh5YWHooJqbt/6oHQ== X-Google-Smtp-Source: AGHT+IG1J9rKVMdlAIAlN46ZaqzeKyluBhM7sq/rlKm9vGeecuMfOqIIr8VcSUWRclimi5d7/Ev+ X-Received: by 2002:a05:6a20:7355:b0:1b1:d31d:c0c5 with SMTP id adf61e73a8af0-1b2f9befcd2mr505079637.37.1717700960853; Thu, 06 Jun 2024 12:09:20 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717700960; cv=pass; d=google.com; s=arc-20160816; b=R14eJi6W9VkwdIBab13iL1QkooUAOUPOYJFKgfwD5izTMa7rSicLbBB9UxxLJv4VXW ZxRMuMjM62amo/zKo5M9jcuG9zCpIXC7psbkn+9oMrfeNh7OUAYGCG1OfnXXZpw9sp8A 5Fcha4q56P6GltxR8OD4keBf1g7wpw7lR0OGkC5JGUVNnNRPjgKDoxmxR3cN0EAL2aIR MetaL1ASx0oGu8eHO2TbVDT7P1pX+7nyfaxcOcnhIjmU4qAu0v4Nr5b/3zzNPzqN8BaB vqXfJ6kRiab/vqSl1+H0ajsnJWDMN2MqiIVpFhAi0nvt9nXhbi8DxF/TNi+lBLhWYNH+ Y7lA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date; bh=TxurxTxUP5RVwmSF1ResBn6n91BqHxg1hBNshM3B5DA=; fh=lKA5+qSrmCntiBRlC/cnZmkqDZhjKmRPW9ikeIcT4Po=; b=KgX7uL5J3FYB7lln+ZianaAGKvruLX9/ls9O6Gow/pNxmh/ykUJMi0qqYbkJfDNFQg IGawbqt/w01lqAWMY8Snr3d8Xvjm8L+SLrW/OOi4nit7yHhzoF72RPbG53ryQ14X2AkA aQ1q6cFPkbvEZ8jPlIZ4A1GPwYfB8dA8FfKlyUiJFzbb8qMEqmnNcEtSPaN/Y1t5lP1N B/HcC4CVkhYga8voH4OvAkMaJcmWsVNYW3jxK0UNe4D39tsGS2IYnxdCzoyAsZAmc59I Oy+TTOwHcpxi6vCxWcIB9DMWvehO7K73GNbB5y367TbO62zj/TcZEaROQyb9o5fk89Wn OasA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of linux-kernel+bounces-204898-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-204898-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-6de262c000fsi1589305a12.394.2024.06.06.12.09.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 06 Jun 2024 12:09:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-204898-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; arc=pass (i=1); spf=pass (google.com: domain of linux-kernel+bounces-204898-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-204898-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 0A81DB264E4 for ; Thu, 6 Jun 2024 18:38:26 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A47AE47F6C; Thu, 6 Jun 2024 18:38:15 +0000 (UTC) Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1E78ED515; Thu, 6 Jun 2024 18:38:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717699095; cv=none; b=f+ecUDygTGAlxer+gzNg3eM51yjJkjjKPxOJBirk5ov0E5LM6Voz8G5hFZCTnM7jd9Tpjlh56r+WdN2AaxmRvDMAy3ovP+s/wphbFjt0x36BUFNS8RmduIGQcEGiztQ46tJEmSWtdAuvIjopTCUPBG/YANBfWLtYMKDzMS38+ck= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717699095; c=relaxed/simple; bh=m4y07AqUVhllB8GdQjGhynxMK/W/hDUwql04aVzrTcI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=LNZ8LOZPPYiogAdFfff/+rt/wVdrNWO7Sceb2vkKVtgkUvDRlYn9HWd+IOQNWAaPt2b+dkWZgcgC2IklmwjBo7CnCIHWj//a+fjSwa0r14S8SQ6L8vYrW3E1yE/3udBbDLQtSC9dJZpQgDTRRdLC1H0C34F78X2XE3Cs7tOEiOo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F4CBC2BD10; Thu, 6 Jun 2024 18:38:11 +0000 (UTC) Date: Thu, 6 Jun 2024 19:38:08 +0100 From: Catalin Marinas To: Marc Zyngier Cc: Steven Price , kvm@vger.kernel.org, kvmarm@lists.linux.dev, Will Deacon , James Morse , Oliver Upton , Suzuki K Poulose , Zenghui Yu , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Joey Gouly , Alexandru Elisei , Christoffer Dall , Fuad Tabba , linux-coco@lists.linux.dev, Ganapatrao Kulkarni Subject: Re: [PATCH v3 12/14] arm64: realm: Support nonsecure ITS emulation shared Message-ID: References: <20240605093006.145492-1-steven.price@arm.com> <20240605093006.145492-13-steven.price@arm.com> <86a5jzld9g.wl-maz@kernel.org> <4c363476-e5b5-42ff-9f30-a02a92b6751b@arm.com> <867cf2l6in.wl-maz@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <867cf2l6in.wl-maz@kernel.org> On Thu, Jun 06, 2024 at 11:17:36AM +0100, Marc Zyngier wrote: > On Wed, 05 Jun 2024 16:08:49 +0100, > Steven Price wrote: > > 2. Use a special (global) memory allocator that does the > > set_memory_decrypted() dance on the pages that it allocates but allows > > packing the allocations. I'm not aware of an existing kernel API for > > this, so it's potentially quite a bit of code. The benefit is that it > > reduces memory consumption in a realm guest, although fragmentation > > still means we're likely to see a (small) growth. > > > > Any thoughts on what you think would be best? > > I would expect that something similar to kmem_cache could be of help, > only with the ability to deal with variable object sizes (in this > case: minimum of 256 bytes, in increments defined by the > implementation, and with a 256 byte alignment). Hmm, that's doable but not that easy to make generic. We'd need a new class of kmalloc-* caches (e.g. kmalloc-decrypted-*) which use only decrypted pages together with a GFP_DECRYPTED flag or something to get the slab allocator to go for these pages and avoid merging with other caches. It would actually be the page allocator parsing this gfp flag, probably in post_alloc_hook() to set the page decrypted and re-encrypt it in free_pages_prepare(). A slight problem here is that free_pages() doesn't get the gfp flag, so we'd need to store some bit in the page flags. Maybe the flag is not that bad, do we have something like for page_to_phys() to give us the high IPA address for decrypted pages? Similarly if we go for a kmem_cache (or a few for multiple sizes). One can specify a constructor which could set the memory decrypted but there's no destructor (and also the constructor is per object, not per page, so we'd need some refcounting). Another approach contained within the driver is to use mempool_create() with our own _alloc_fn/_free_fn that sets the memory decrypted/encrypted accordingly, though sub-page allocations need additional tracking. Also that's fairly similar to kmem_cache, fixed size. Yet another option would be to wire it somehow in the DMA API but the minimum allocation is already a page size, so we don't gain anything. What gets somewhat closer to what we need is gen_pool. It can track different sizes, we just need to populate the chunks as needed. I don't think this would work as a generic allocator but may be good enough within the ITS code. If there's a need for such generic allocations in other parts of the kernel, my preference would be something around kmalloc caches and a new GFP flag (first option; subject to the selling it to the mm folk). But that's more of a separate prototyping effort that may or may not succeed. Anyway, we could do some hacking around gen_pool as a temporary solution (maybe as a set of patches on top of this series to be easier to revert) and start investigating a proper decrypted page allocator in parallel. We just need to find a victim that has the page allocator fresh in mind (Ryan or Alexandru ;)). -- Catalin