Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp7612661rwn; Wed, 14 Sep 2022 01:16:53 -0700 (PDT) X-Google-Smtp-Source: AA6agR4EQO5xV1IvSjufLBMbmuiStbFrDc7C/1T3FPvXyC9m+glkkKZWwovtbyLiOkvKYFDra2Oe X-Received: by 2002:a17:907:728d:b0:77e:143b:a86 with SMTP id dt13-20020a170907728d00b0077e143b0a86mr8376292ejc.770.1663143413716; Wed, 14 Sep 2022 01:16:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663143413; cv=none; d=google.com; s=arc-20160816; b=SJnz9tJmkMmzBc0ctNU6fZKa8FzIIUNbDUUJg1BTegfZNu/w9zdDCckeU+OfXsywkZ J3U8m0Nq83CjNFzwwMQRUYZIwvecpSvMIrmBj9dTb2QMoPSF8DOVpDs1cngZ6rd/l+yg DwgewIWsimzmryI4Z7xTt+aFLqO67+8fRoO5f3biKICUkFRE9e6UdYd5pOG6HFTghZ8f VgYJGzd5vweM/+9/NqFDoZSe5CpzMC3ja3KIFq0wiuemavVMx8fjA9wQQUQsZUzUKkYX 49cQ5M0aXFIjnPY7X9vY8GQl0HUEHOEyfCooId8ouVp494qoUFGv+WlViAFapbvU5kVi MVkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=BqUhxcUOvv8EZWeVoadoEfAKAvxiKy4DFaV8F/F3nRo=; b=WSRmvwB5bfKBfi7LZHtxjstlyAfJeRX/spJsJwZrsaWWFOgjTOXpob8mo9tlt3nwkt 76oNyc87Au5agM0kIEGFwOETHvYw5S0kPgvDjC8Do8Wt9IQf2gJibW0ulkPQMXAv4ZE+ CfThIl/A1+lRwojFzaI7r3jOwLemQCX2BQz7q/ZQmg/B7gmi5QJBlBTwbe0n3FI9U9uG s5xuYYNExy7eqO082HHlotvFv0VT84NuvDN4KqTbVUCv+LOKVLVu0Dh4lBrGyL45ktVe 0oMYzmmGERUVB8IOxUhqf3QAL6cFfko+EmHJ+pjnzm15d5K/6O+6RHhi/nNAdKolV04e 94Mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Y45pldWa; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c19-20020aa7df13000000b0045157705127si9664411edy.317.2022.09.14.01.16.18; Wed, 14 Sep 2022 01:16:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=Y45pldWa; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230182AbiINIGI (ORCPT + 99 others); Wed, 14 Sep 2022 04:06:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53530 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229943AbiINIFz (ORCPT ); Wed, 14 Sep 2022 04:05:55 -0400 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D146C54 for ; Wed, 14 Sep 2022 01:05:54 -0700 (PDT) Received: by mail-pl1-x632.google.com with SMTP id jm11so14309353plb.13 for ; Wed, 14 Sep 2022 01:05:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date; bh=BqUhxcUOvv8EZWeVoadoEfAKAvxiKy4DFaV8F/F3nRo=; b=Y45pldWaU7msnCMC3mB1XfdqYiXenh8aXHlb6P8wpifZtyvVUiC/Pmw9QwKSxvKaE1 5vCUZeWVnXL53VuRrWpqC7y1PQSe7vOrfidrlH914Nd9vnCG1aZejYGhPNdsgrnD5Smm /VxtyFzzPQwbhCVzigMHS4tQiLksGnaZozE5ratC2Nr12jt2UGbq7KuGY95gkkT5Nr7P QlAkTCyt4TIEYQ/FCiD1d6HvKJE59tarY+ga+VyyyjxeDhsob2/t6Uozzfn0gmp2BAea 2ebCdl6bZD9HrQpesANzLn3iVJ0t6GeI0W0uEcAhhlKoQjbI4C09YKx4Cw7P/AIku5Wn 77lA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date; bh=BqUhxcUOvv8EZWeVoadoEfAKAvxiKy4DFaV8F/F3nRo=; b=yC7Ix/EPCNYsqYch8+ZRMW2lOzpJxcXTZfF7mqzdtJ3OryNbaogTKgpn6iH1KYNZNi esh8H3W29qudrESftRQWq/NLR1T0yi5dsbRwKis5Evd3g4LPMbAD3N1At2IEPPS07x77 Q+mo1kMkYOikwLccOvNOj6RnNqio+VyOYAEdWq0plQavKdq74KEERst+ZO+GdY6vghne IBTb0j2/raZuPUh7d4VgKBTkKmcpIzROsce494GhPXliJLO509XFVQIIpP/eIPw+J5Pd rkp2ZEU2UCz/MN2lNysDTU3vVlWhQ+SL6Pf2TsDkx1YqGvkXBqAivlmJ30KECBQowhGi 3K4w== X-Gm-Message-State: ACgBeo3UyZheoe/aHtLbgHtaMNSzXkVpiOYPgqcdVH+w6ctQsIHS+gRp uGJzsNJFfA0wNEw1gXagy2jhxQ== X-Received: by 2002:a17:90a:d804:b0:202:f247:91b0 with SMTP id a4-20020a17090ad80400b00202f24791b0mr3530610pjv.8.1663142753759; Wed, 14 Sep 2022 01:05:53 -0700 (PDT) Received: from google.com (7.104.168.34.bc.googleusercontent.com. [34.168.104.7]) by smtp.gmail.com with ESMTPSA id d8-20020a17090a6a4800b001fd7e56da4csm8460240pjm.39.2022.09.14.01.05.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Sep 2022 01:05:53 -0700 (PDT) Date: Wed, 14 Sep 2022 08:05:49 +0000 From: Sean Christopherson To: Michael Roth Cc: Brijesh Singh , x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-coco@lists.linux.dev, linux-mm@kvack.org, linux-crypto@vger.kernel.org, Thomas Gleixner , Ingo Molnar , Joerg Roedel , Tom Lendacky , "H. Peter Anvin" , Ard Biesheuvel , Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Andy Lutomirski , Dave Hansen , Sergio Lopez , Peter Gonda , Peter Zijlstra , Srinivas Pandruvada , David Rientjes , Dov Murik , Tobin Feldman-Fitzthum , Borislav Petkov , Vlastimil Babka , "Kirill A . Shutemov" , Andi Kleen , tony.luck@intel.com, marcorr@google.com, sathyanarayanan.kuppuswamy@linux.intel.com, jarkko@profian.com Subject: Re: [PATCH Part2 v5 39/45] KVM: SVM: Introduce ops for the post gfn map and unmap Message-ID: References: <20210820155918.7518-1-brijesh.singh@amd.com> <20210820155918.7518-40-brijesh.singh@amd.com> <4e41dcff-7c7b-cf36-434a-c7732e7e8ff2@amd.com> <20220908212114.sqne7awimfwfztq7@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220908212114.sqne7awimfwfztq7@amd.com> X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Sep 08, 2022, Michael Roth wrote: > On Fri, Oct 15, 2021 at 05:16:28PM +0000, Sean Christopherson wrote: > So in the context of this interim solution, we're trying to look for a > solution that's simple enough that it can be used reliably, without > introducing too much additional complexity into KVM. There is one > approach that seems to fit that bill, that Brijesh attempted in an > earlier version of this series (I'm not sure what exactly was the > catalyst to changing the approach, as I wasn't really in the loop at > the time, but AIUI there weren't any showstoppers there, but please > correct me if I'm missing anything): > > - if the host is writing to a page that it thinks is supposed to be > shared, and the guest switches it to private, we get an RMP fault > (actually, we will get a !PRESENT fault, since as of v5 we now > remove the mapping from the directmap as part of conversion) > - in the host #PF handler, if we see that the page is marked private > in the RMP table, simply switch it back to shared > - if this was a bug on the part of the host, then the guest will see As discussed off-list, attempting to fix up RMP violations in the host #PF handler is not a viable approach. There was also extensive discussion on-list a while back: https://lore.kernel.org/all/8a244d34-2b10-4cf8-894a-1bf12b59cf92@www.fastmail.com > AIUI, this is still sort of an open question, but you noted how nuking > the directmap without any formalized interface for letting the kernel > know about it could be problematic down the road, which also sounds > like the sort of thing more suited for having UPM address at a more > general level, since there are similar requirements for TDX as well. > > AIUI there are 2 main arguments against splitting the directmap: > a) we can't easily rebuild it atm > b) things like KSM might still tries to access private pages > > But unmapping also suffers from a), since we still end up splitting the > directmap unless we remove pages in blocks of 2M. But for UPM, it's easy to rebuild the direct map since there will be an explicit, kernel controlled point where the "inaccesible" memfd releases the private page. > But nothing prevents a guest from switching a single 4K page to private, in > which case we are forced to split. That would be normal behavior on the part > of the guest for setting up GHCB pages/etc, so we still end up splitting the > directmap over time. The host actually isn't _forced_ to split with UPM. One option would be to refuse to split the direct map and instead force userspace to eat the 2mb allocation even though it only wants to map a single 4kb chunk into the guest. I don't know that that's a _good_ option, but it is an option.