From: Christoffer Dall <cdall@linaro.org>
To: Florent Revest <revestflo@gmail.com>
Cc: Florent Revest <florent.revest@arm.com>,
linux-arm-kernel@lists.infradead.org, matt@codeblueprint.co.uk,
ard.biesheuvel@linaro.org, pbonzini@redhat.com,
rkrcmar@redhat.com, christoffer.dall@linaro.org,
catalin.marinas@arm.com, will.deacon@arm.com,
mark.rutland@arm.com, marc.zyngier@arm.com,
linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu,
leif.lindholm@arm.com
Subject: Re: [RFC 00/11] KVM, EFI, arm64: EFI Runtime Services Sandboxing
Date: Mon, 16 Oct 2017 22:47:34 +0200 [thread overview]
Message-ID: <20171016204734.GO1845@lvm> (raw)
In-Reply-To: <1506460492.5507.58.camel@gmail.com>
On Tue, Sep 26, 2017 at 11:14:52PM +0200, Florent Revest wrote:
> On Thu, 2017-08-31 at 11:26 +0200, Christoffer Dall wrote:
> > I wonder if this should be split into two series; one that sets up
> > anything you may need from KVM, and another one that uses that for
> > UEFI.
> >
> > There's a lot KVM and UEFI intertwined logic and assumptions in patch
> > 10, which makes this series a bit hard to read.
>
> The way hypercalls are currently handled in handle_hvc required this
> mixed patch. Would some kind of HVC subscription mechanism be suitable
> to have in KVM? (e.g: a function allowing to register a callback on a
> certain HVC function ID) This would allow the 10/11 patch to keep the
> kvm code intact.
Yes, I would have no objections to that if it were relatively
non-invasive at runtime for normal VMs.
>
> > I'd like some documentation (in the series and in
> > Documentation/virtual/kvm) of how this works, and which hidden
> > assumptions there are. For example, how do you ensure you never
> > attempt to return to userspace?
>
> I don't think my code ensured this. I'd need to give it a second look.
>
> > How many VCPUs do you support?
>
> You can create as many VCPUs as you would in a "normal VM". Also, each
> VCPU can be ran in a kthread.
>
> > Do you support any form of virtual interrupts? How about timers?
>
> No support for virtual interrupts or timers indeed. The EFI Runtime
> Services sandboxing wouldn't require that.
>
> > Can a VM access physical devices?
>
> The very idea of Runtime Services sandboxing requires Internal VMs to
> have access to some of the physical devices.
>
> > How do you debug and trace something like this? Can the VM be
> > monitored from userspace?
>
> There is nothing ready for that.
>
> > These feel like fundamental questions to me that needs addressing
> > before I can competently review the code.
> >
> > I think a slightly more concrete motivation and outlining the example
> > of the broken UEFI on Seattle would help paving the way for these
> > patches.
>
> As far as I can remember, EFI Runtime Services on this platform have
> already been reported to sometimes disable or enable interrupts. Maybe
> someone at ARM has more details about the problem ?
>
Thanks for answering these questions. If you or anyone else picks up
this work, we can gather some of the stuff in the thread for
documentation and todo items.
Thanks,
-Christoffer
WARNING: multiple messages have this Message-ID (diff)
From: cdall@linaro.org (Christoffer Dall)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC 00/11] KVM, EFI, arm64: EFI Runtime Services Sandboxing
Date: Mon, 16 Oct 2017 22:47:34 +0200 [thread overview]
Message-ID: <20171016204734.GO1845@lvm> (raw)
In-Reply-To: <1506460492.5507.58.camel@gmail.com>
On Tue, Sep 26, 2017 at 11:14:52PM +0200, Florent Revest wrote:
> On Thu, 2017-08-31 at 11:26 +0200, Christoffer Dall wrote:
> > I wonder if this should be split into two series; one that sets up
> > anything you may need from KVM, and another one that uses that for
> > UEFI.
> >
> > There's a lot KVM and UEFI intertwined logic and assumptions in patch
> > 10, which makes this series a bit hard to read.
>
> The way hypercalls are currently handled in handle_hvc required this
> mixed patch. Would some kind of HVC subscription mechanism be suitable
> to have in KVM? (e.g: a function allowing to register a callback on a
> certain HVC function ID) This would allow the 10/11 patch to keep the
> kvm code intact.
Yes, I would have no objections to that if it were relatively
non-invasive at runtime for normal VMs.
>
> > I'd like some documentation (in the series and in
> > Documentation/virtual/kvm) of how this works, and which hidden
> > assumptions there are. For example, how do you ensure you never
> > attempt to return to userspace?
>
> I don't think my code ensured this. I'd need to give it a second look.
>
> > How many VCPUs do you support?
>
> You can create as many VCPUs as you would in a "normal VM". Also, each
> VCPU can be ran in a kthread.
>
> > Do you support any form of virtual interrupts??How about timers?
>
> No support for virtual interrupts or timers indeed. The EFI Runtime
> Services sandboxing wouldn't require that.
>
> > Can a VM access physical devices?
>
> The very idea of Runtime Services sandboxing requires Internal VMs to
> have access to some of the physical devices.
>
> > How do you debug and trace something like this??Can the VM be
> > monitored from userspace?
>
> There is nothing ready for that.
>
> > These feel like fundamental questions to me that needs addressing
> > before I can competently review the code.
> >
> > I think a slightly more concrete motivation and outlining the example
> > of the broken UEFI on Seattle would help paving the way for these
> > patches.
>
> As far as I can remember, EFI Runtime Services on this platform have
> already been reported to sometimes disable or enable interrupts. Maybe
> someone at ARM has more details about the problem ?
>
Thanks for answering these questions. If you or anyone else picks up
this work, we can gather some of the stuff in the thread for
documentation and todo items.
Thanks,
-Christoffer
next prev parent reply other threads:[~2017-10-16 20:47 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-25 8:31 [RFC 00/11] KVM, EFI, arm64: EFI Runtime Services Sandboxing Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 01/11] arm64: Add an SMCCC function IDs header Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 02/11] KVM: arm64: Return an Unknown ID on unhandled HVC Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 03/11] KVM: Allow VM lifecycle management without userspace Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 04/11] KVM, arm, arm64: Offer PAs to IPAs idmapping to internal VMs Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-31 9:23 ` Christoffer Dall
2017-08-31 9:23 ` Christoffer Dall
2017-09-26 21:14 ` Florent Revest
2017-09-26 21:14 ` Florent Revest
2017-10-16 20:45 ` Christoffer Dall
2017-10-16 20:45 ` Christoffer Dall
2017-10-16 20:45 ` Christoffer Dall
2017-08-25 8:31 ` [RFC 05/11] KVM: Expose VM/VCPU creation functions Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 06/11] KVM, arm64: Expose a VCPU initialization function Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 07/11] KVM: Allow initialization before the module target Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 08/11] KVM, arm, arm64: Initialize KVM's core earlier Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 09/11] EFI, arm, arm64: Enable EFI Runtime Services later Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 10/11] efi, arm64: Sandbox Runtime Services in a VM Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 8:31 ` [RFC 11/11] KVM, arm64: Don't trap internal VMs SMC calls Florent Revest
2017-08-25 8:31 ` Florent Revest
2017-08-25 9:40 ` [RFC 00/11] KVM, EFI, arm64: EFI Runtime Services Sandboxing Florent Revest
2017-08-25 9:40 ` Florent Revest
2017-08-25 9:40 ` Florent Revest
2017-08-31 9:26 ` Christoffer Dall
2017-08-31 9:26 ` Christoffer Dall
2017-09-26 21:14 ` Florent Revest
2017-09-26 21:14 ` Florent Revest
2017-10-16 20:47 ` Christoffer Dall [this message]
2017-10-16 20:47 ` Christoffer Dall
2017-09-22 21:44 ` Ard Biesheuvel
2017-09-22 21:44 ` Ard Biesheuvel
2017-09-26 21:14 ` Florent Revest
2017-09-26 21:14 ` Florent Revest
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171016204734.GO1845@lvm \
--to=cdall@linaro.org \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=christoffer.dall@linaro.org \
--cc=florent.revest@arm.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=leif.lindholm@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=matt@codeblueprint.co.uk \
--cc=pbonzini@redhat.com \
--cc=revestflo@gmail.com \
--cc=rkrcmar@redhat.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.