public inbox for kvm@vger.kernel.org
From: Ira Weiny <ira.weiny@intel.com>
To: Vishal Annapurve <vannapurve@google.com>,
	Sean Christopherson <seanjc@google.com>
Cc: Ira Weiny <ira.weiny@intel.com>, Yan Zhao <yan.y.zhao@intel.com>,
	"Michael Roth" <michael.roth@amd.com>, <pbonzini@redhat.com>,
	<kvm@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<rick.p.edgecombe@intel.com>, <kai.huang@intel.com>,
	<adrian.hunter@intel.com>, <reinette.chatre@intel.com>,
	<xiaoyao.li@intel.com>, <tony.lindgren@intel.com>,
	<binbin.wu@linux.intel.com>, <dmatlack@google.com>,
	<isaku.yamahata@intel.com>, <david@redhat.com>,
	<ackerleytng@google.com>, <tabba@google.com>,
	<chao.p.peng@intel.com>
Subject: Re: [RFC PATCH] KVM: TDX: Decouple TDX init mem region from kvm_gmem_populate()
Date: Thu, 2 Oct 2025 16:01:17 -0500
Message-ID: <68dee81d79199_296d74294b9@iweiny-mobl.notmuch>
In-Reply-To: <CAGtprH9JifhhmTdseXLi9ax_imnY5b=K_+_bhkTXKSaW8VMFRQ@mail.gmail.com>

Vishal Annapurve wrote:
> On Tue, Aug 5, 2025 at 12:59 PM Sean Christopherson <seanjc@google.com> wrote:
> >
> > On Mon, Aug 04, 2025, Vishal Annapurve wrote:
> > > On Mon, Aug 4, 2025 at 5:22 PM Sean Christopherson <seanjc@google.com> wrote:
> > > > : 4) For SNP, if src != null, make the target pfn to be shared, copy
> > > > : contents and then make the target pfn back to private.
> > > >
> > > > Copying from userspace under spinlock (rwlock) is illegal, as accessing userspace
> > > > memory might_fault() and thus might_sleep().
> > >
> > > I would think that a combination of get_user_pages() and
> > > kmap_local_pfn() will prevent this situation of might_fault().
> >
> > Yes, but if SNP is using get_user_pages(), then it looks an awful lot like the
> > TDX flow, at which point isn't that an argument for keeping populate()?
> 
> Ack, I agree we can't ditch kvm_gmem_populate() for SNP VMs. I am ok
> with using it for TDX/CCA VMs with the fixes discussed in this RFC.

Sean,

Where did this thread land?  Was there a follow-on series which came out
of this?  I thought you sent a patch with the suggestions in this thread
but I can't find it.

Ira

> 
> >
> > > Memory population in my opinion is best solved either by users asserting
> > > ownership of the memory and writing to it directly or by using guest_memfd
> > > (to be) exposed APIs to populate memory ranges given a source buffer. IMO
> > > kvm_gmem_populate() is doing something different than both of these options.
> >
> > In a perfect world, yes, guest_memfd would provide a clean, well-defined API
> > without needing a complicated dance between vendor code and guest_memfd.  But,
> > sadly, the world of CoCo is anything but perfect.  It's not KVM's fault that
> > every vendor came up with a different CoCo architecture.  I.e. we can't "fix"
> > the underlying issue of SNP and TDX having significantly different ways for
> > initializing private memory.
> >
> > What we can do is shift as much code to common KVM as possible, e.g. to minimize
> > maintenance costs, reduce boilerplate and/or copy+paste code, provide a consistent
> > ABI, etc.  Those things always need to be balanced against overall complexity, but
> > IMO providing a vendor callback doesn't add anywhere near enough complexity to
> > justify open coding the same concept in every vendor implementation.
> 
> Ack. My goal was to steer this implementation towards reusing existing
> KVM synchronization to protect guest memory population within KVM
> vendor logic rather than relying on guest_memfd filemap lock to
> provide the needed protection here. That being said, I agree that we
> can't solve this problem cleanly in a manner that works for all
> architectures.




Thread overview: 45+ messages
2025-07-03  6:26 [RFC PATCH] KVM: TDX: Decouple TDX init mem region from kvm_gmem_populate() Yan Zhao
2025-07-03 16:51 ` Vishal Annapurve
2025-07-09 23:21 ` Michael Roth
2025-07-10 16:24   ` Sean Christopherson
2025-07-11  1:41     ` Ira Weiny
2025-07-11 14:21       ` Sean Christopherson
2025-07-11  4:36     ` Yan Zhao
2025-07-11 15:17       ` Michael Roth
2025-07-11 15:39         ` Sean Christopherson
2025-07-11 16:34           ` Michael Roth
2025-07-11 18:38             ` Vishal Annapurve
2025-07-11 19:49               ` Michael Roth
2025-07-11 20:19                 ` Sean Christopherson
2025-07-11 20:25             ` Ira Weiny
2025-07-11 22:56               ` Sean Christopherson
2025-07-11 23:04                 ` Vishal Annapurve
2025-07-14 23:11                   ` Ira Weiny
2025-07-15  0:41                     ` Vishal Annapurve
2025-07-14 23:08                 ` Ira Weiny
2025-07-14 23:12                   ` Sean Christopherson
2025-07-11 18:46           ` Vishal Annapurve
2025-07-12 17:38             ` Vishal Annapurve
2025-07-14  6:15           ` Yan Zhao
2025-07-14 15:46             ` Sean Christopherson
2025-07-14 16:02               ` David Hildenbrand
2025-07-14 16:07                 ` Sean Christopherson
2025-07-15  1:10               ` Yan Zhao
2025-07-18  9:14                 ` Yan Zhao
2025-07-18 15:57                   ` Vishal Annapurve
2025-07-18 18:42                     ` Ira Weiny
2025-07-18 18:59                       ` Vishal Annapurve
2025-07-21 17:46                         ` Ira Weiny
2025-07-28  9:48                     ` Yan Zhao
2025-07-29  0:45                       ` Vishal Annapurve
2025-07-29  1:37                         ` Yan Zhao
2025-07-29 16:33                           ` Ira Weiny
2025-08-05  0:22                             ` Sean Christopherson
2025-08-05  1:20                               ` Vishal Annapurve
2025-08-05 14:30                                 ` Vishal Annapurve
2025-08-05 19:59                                 ` Sean Christopherson
2025-08-06  0:09                                   ` Vishal Annapurve
2025-10-02 21:01                                     ` Ira Weiny [this message]
2025-10-03  0:15                                       ` Sean Christopherson
2025-10-03 15:31                                         ` Ira Weiny
2025-07-14  3:20         ` Yan Zhao
