From: Pasha Tatashin <pasha.tatashin@soleen.com>
To: David Woodhouse <dwmw2@infradead.org>
Cc: Alexander Graf <graf@amazon.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
kvm@vger.kernel.org, linux-mm@kvack.org, kvmarm@lists.linux.dev,
rppt@kernel.org, pratyush@kernel.org, pbonzini@redhat.com,
seanjc@google.com, maz@kernel.org, oupton@kernel.org,
alex.williamson@redhat.com, kevin.tian@intel.com,
rientjes@google.com, Tycho.Andersen@amd.com,
anthony.yznaga@oracle.com, baolu.lu@linux.intel.com,
david@kernel.org, dmatlack@google.com, mheyne@amazon.de,
jgowans@amazon.com, jgg@nvidia.com,
pankaj.gupta.linux@gmail.com, kpraveen.lkml@gmail.com,
vipinsh@google.com, vannapurve@google.com, corbet@lwn.net,
loeser@linux.microsoft.com, tglx@kernel.org, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
hpa@zytor.com, roman.gushchin@linux.dev,
akpm@linux-foundation.org, pjt@google.com, "Petrongonas,
Evangelos" <epetron@amazon.de>,
kpsingh@kernel.org, jackmanb@google.com
Subject: Re: [RFC] proposal: KVM: Orphaned VMs: The Caretaker approach for Live Update
Date: Wed, 29 Apr 2026 16:13:55 +0000 [thread overview]
Message-ID: <afIru_PE3W0hIsu7@plex> (raw)
In-Reply-To: <cd0ae5795cf14a7b20c90840b0a3eba7db160e72.camel@infradead.org>
On 04-29 09:40, David Woodhouse wrote:
> On Wed, 2026-04-29 at 10:13 +0200, Alexander Graf wrote:
> > I would prefer we only attach the whole caretaker and all of its
> > specialties right around the point when live update happens. Why keep it
> > dangling and active forever? That way you can also late load the kernel
> > module that contains it, so you can be sure it's an up to date version.
>
> "Why keep it dangling and active forever?"
>
> I've always wanted to tie this to address space isolation.
>
> The only way to truly stay in front of the constant stream of new
> speculation vulnerabilities has been to just make sure there's nothing
> sensitive accessible in the address space at all. Hence all the work on
> secret hiding, XPFO, proclocal, etc. — and hence the occasional
> researcher finding their shiny new (5-year-old) vulnerability and being
> confused when it doesn't leak anything *interesting* in certain
> environments.
>
> I'd like to see the inner KVM_RUN loop switch to a completely separate
> address space, in which there's a kind of caretaker which can handle
> the bare minimum of interrupts and timers and the most common exits,
> and which *relatively* rarely has to come back into the real Linux
> address space.
>
> And once you have that caretaker running in its own address space...
> why not just let it keep going while Linux does its kexec?
Yep, this captures one of the benefits of having a permanently attached
Caretaker.
By establishing that isolated execution environment for the inner
KVM_RUN loop to mitigate speculation vulnerabilities, we naturally get
the hardware-enforced boundary required to survive the kexec gap. The
Live Update capability is effectively a byproduct of achieving true
Address Space Isolation.
+CC KP and Brendan
next prev parent reply other threads:[~2026-04-29 16:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 22:29 [RFC] proposal: KVM: Orphaned VMs: The Caretaker approach for Live Update Pasha Tatashin
2026-04-29 8:13 ` Alexander Graf
2026-04-29 8:40 ` David Woodhouse
2026-04-29 16:13 ` Pasha Tatashin [this message]
2026-04-29 16:02 ` Pasha Tatashin
2026-04-30 13:28 ` Paolo Bonzini
2026-04-30 15:27 ` David Woodhouse
2026-05-01 3:32 ` Paolo Bonzini
2026-05-01 8:56 ` David Woodhouse
2026-05-01 22:07 ` Pasha Tatashin
2026-05-01 21:48 ` Pasha Tatashin
2026-05-03 16:57 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=afIru_PE3W0hIsu7@plex \
--to=pasha.tatashin@soleen.com \
--cc=Tycho.Andersen@amd.com \
--cc=akpm@linux-foundation.org \
--cc=alex.williamson@redhat.com \
--cc=anthony.yznaga@oracle.com \
--cc=baolu.lu@linux.intel.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@kernel.org \
--cc=dmatlack@google.com \
--cc=dwmw2@infradead.org \
--cc=epetron@amazon.de \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jackmanb@google.com \
--cc=jgg@nvidia.com \
--cc=jgowans@amazon.com \
--cc=kevin.tian@intel.com \
--cc=kexec@lists.infradead.org \
--cc=kpraveen.lkml@gmail.com \
--cc=kpsingh@kernel.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=loeser@linux.microsoft.com \
--cc=maz@kernel.org \
--cc=mheyne@amazon.de \
--cc=mingo@redhat.com \
--cc=oupton@kernel.org \
--cc=pankaj.gupta.linux@gmail.com \
--cc=pbonzini@redhat.com \
--cc=pjt@google.com \
--cc=pratyush@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=vannapurve@google.com \
--cc=vipinsh@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.