Re: [PATCH RFC 00/17] arm64 kernel text replication

From: Marc Zyngier <maz@kernel.org>
To: "Russell King (Oracle)" <linux@armlinux.org.uk>
Cc: Ard Biesheuvel <ardb@kernel.org>,
	Quentin Perret <qperret@google.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Jonathan Corbet <corbet@lwn.net>, Will Deacon <will@kernel.org>,
	linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH RFC 00/17] arm64 kernel text replication
Date: Fri, 23 Jun 2023 16:54:42 +0100	[thread overview]
Message-ID: <d18208d1ae12c81edd2830ac7ca7116a@kernel.org> (raw)
In-Reply-To: <ZJW7kvWqLVZV4KVr@shell.armlinux.org.uk>

On 2023-06-23 16:34, Russell King (Oracle) wrote:
> On Fri, Jun 23, 2023 at 05:24:20PM +0200, Ard Biesheuvel wrote:
>> (cc Marc and Quentin)
>> 
>> On Mon, 5 Jun 2023 at 11:05, Russell King (Oracle)
>> <linux@armlinux.org.uk> wrote:
>> >
>> > Hi,
>> >
>> > Are there any comments on this?
>> >
>> 
>> Hi Russell,
>> 
>> I think the proposed approach is sound, but it is rather intrusive, as
>> you've pointed out already (wrt KASLR and KASAN etc). And once my LPA2
>> work gets merged (which uses root level -1 when booted on LPA2 capable
>> hardware, and level 0 otherwise), we'll have yet another combination
>> that is either fully incompatible, or cumbersome to support at the
>> very least.
>> 
>> I wonder if it would be worthwhile to explore an alternative approach,
>> using pKVM and the host stage2:
>> 
>> - all stage1 kernel mappings remain as they are, and the kernel code
>> running at EL1 has no awareness of the replication beyond being
>> involved in allocating the memory;
>> - host is booted in protected KVM mode, which means that the host
>> kernel executes under a stage 2 mapping;
>> - each NUMA node has its own set of stage 2 page tables, and maps the
>> kernel's code/rodata IPA range to a NUMA local PA range
>> - the kernel's code and rodata are mapped read-only in the primary
>> stage-2 mapping so updates trap to EL2, permitting the hypervisor to
>> replicate those update to all clones.
>> 
>> Note that pKVM retains the capabilities of ordinary KVM, so as long as
>> you boot at EL2, the only downside compared to your approach would be
>> the increased TLB footprint due to the stage 2 mappings for the host
>> kernel.
>> 
>> Marc, Quentin, Will: any thoughts?
> 
> Thanks for taking a look.
> 
> That sounds great, but my initial question would be whether, with such 
> a
> setup, one could then run VMs under such a kernel without hardware that
> supports nested virtualisation? I suspect the answer would be no.

The answer is yes. All you need to do is to switch between the host
and guest stage-2s in the hypervisor, which is what KVM running in
protected mode does.

         M.

-- 
Jazz is not dead. It just smells funny...