From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82296C433FE for ; Fri, 1 Apr 2022 17:14:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349786AbiDARQT (ORCPT ); Fri, 1 Apr 2022 13:16:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37490 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345581AbiDARQQ (ORCPT ); Fri, 1 Apr 2022 13:16:16 -0400 Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 599D018116F for ; Fri, 1 Apr 2022 10:14:26 -0700 (PDT) Received: by mail-pl1-x62a.google.com with SMTP id j13so2970846plj.8 for ; Fri, 01 Apr 2022 10:14:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=TmJlBi2lOKilVyCE4rEH1RU4SqqxsckJUfBoRuoJ5iA=; b=XswIK2+VM16bs1EyCAixrX89EKH93ezG3dB1CWqPGTee1snfa+If/AZijfKqsxCqtT czAJM7L+aUj6khEGJ6GV9s++PLrO8RH4lZkcJg2KUogkm/dx0FOh6Bdu3+L9kSytbNEF XG0woWBUkeuEHiLxkjZVlGyLcAV8wCqkBCs5NYAogpMbDENpW1paD3SiXOo3FOHbC/BE WYgluaeEO6OycFsdtzk13mJ436B8Tm+WeKW9KRWPo6GkYNWY936IsCliUkUrYOsiKniH rexTSPppoR//hQcB3ze8glrIZD0dmsOyJ/XHIq6k4cBlE7q4ChILUSTyVJwIVcd9BGxN YFAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=TmJlBi2lOKilVyCE4rEH1RU4SqqxsckJUfBoRuoJ5iA=; b=BErFBKU1hqFgAWIWxuo4MIKc6w1pVk+UweZ0UjZ1zvBvDrPzCfuTY5/Nao+82UqY0N 38mL3CaFFDe/uV1DIPRYpiRp9nR3N4Rjd+Ui9h7RAaBg/sHaRa6lluGFUB1sjyFsmmvV KDb2dZyRenwGCBzMgfRYWgUxMO7NEd9aE5zsHMgJgG/8BRWVMrT9+Ik917EnvQdzwriq 8slBAwpG8AfPuqguAqg9bjHLl9q/Qi3jv6nzcWml08WEPKW4AR5mkjQYvri9cCosfHhD I9GSEbv8zMOsCjkM9le9Bdw6fbRyDbey/tu3ZYx7xJa0vfiYbfDZwnotUxXH9BZQCXVf uuNg== X-Gm-Message-State: AOAM530V6zht85qlsxsn78tp6QrpZtErP8IWHgEwW/JLzjrRHhoABrnx +I1oBv5G2TqIuzJ1dLMHTU/jgQ== X-Google-Smtp-Source: ABdhPJz12AHLKCpitPA4TCd4Qr7wvOzdMzS4bQmVFvgCp7soE2Mp/gjwDqcr67uNH6+9bYjsC7+Dhg== X-Received: by 2002:a17:902:ec8c:b0:154:2e86:dd51 with SMTP id x12-20020a170902ec8c00b001542e86dd51mr11082426plg.99.1648833265465; Fri, 01 Apr 2022 10:14:25 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id z5-20020a056a00240500b004e15d39f15fsm3669103pfh.83.2022.04.01.10.14.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Apr 2022 10:14:24 -0700 (PDT) Date: Fri, 1 Apr 2022 17:14:21 +0000 From: Sean Christopherson To: Quentin Perret Cc: Andy Lutomirski , Steven Price , Chao Peng , kvm list , Linux Kernel Mailing List , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, Linux API , qemu-devel@nongnu.org, Paolo Bonzini , Jonathan Corbet , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , the arch/x86 maintainers , "H. Peter Anvin" , Hugh Dickins , Jeff Layton , "J . Bruce Fields" , Andrew Morton , Mike Rapoport , "Maciej S . Szmigiero" , Vlastimil Babka , Vishal Annapurve , Yu Zhang , "Kirill A. Shutemov" , "Nakajima, Jun" , Dave Hansen , Andi Kleen , David Hildenbrand , Marc Zyngier , Will Deacon Subject: Re: [PATCH v5 00/13] KVM: mm: fd-based approach for supporting KVM guest private memory Message-ID: References: <88620519-029e-342b-0a85-ce2a20eaf41b@arm.com> <80aad2f9-9612-4e87-a27a-755d3fa97c92@www.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org On Fri, Apr 01, 2022, Quentin Perret wrote: > The typical flow is as follows: > > - the host asks the hypervisor to run a guest; > > - the hypervisor does the context switch, which includes switching > stage-2 page-tables; > > - initially the guest has an empty stage-2 (we don't require > pre-faulting everything), which means it'll immediately fault; > > - the hypervisor switches back to host context to handle the guest > fault; > > - the host handler finds the corresponding memslot and does the > ipa->hva conversion. In our current implementation it uses a longterm > GUP pin on the corresponding page; > > - once it has a page, the host handler issues a hypercall to donate the > page to the guest; > > - the hypervisor does a bunch of checks to make sure the host owns the > page, and if all is fine it will unmap it from the host stage-2 and > map it in the guest stage-2, and do some bookkeeping as it needs to > track page ownership, etc; > > - the guest can then proceed to run, and possibly faults in many more > pages; > > - when it wants to, the guest can then issue a hypercall to share a > page back with the host; > > - the hypervisor checks the request, maps the page back in the host > stage-2, does more bookkeeping and returns back to the host to notify > it of the share; > > - the host kernel at that point can exit back to userspace to relay > that information to the VMM; > > - rinse and repeat. I assume there is a scenario where a page can be converted from shared=>private? If so, is there a use case where that happens post-boot _and_ the contents of the page are preserved? > We currently don't allow the host punching holes in the guest IPA space. The hole doesn't get punched in guest IPA space, it gets punched in the private backing store, which is host PA space. > Once it has donated a page to a guest, it can't have it back until the > guest has been entirely torn down (at which point all of memory is > poisoned by the hypervisor obviously). The guest doesn't have to know that it was handed back a different page. It will require defining the semantics to state that the trusted hypervisor will clear that page on conversion, but IMO the trusted hypervisor should be doing that anyways. IMO, forcing on the guest to correctly zero pages on conversion is unnecessarily risky because converting private=>shared and preserving the contents should be a very, very rare scenario, i.e. it's just one more thing for the guest to get wrong. If there is a use case where the page contents need to be preserved, then that can and should be an explicit request from the guest, and can be handled through export/import style functions. Export/import would be slow-ish due to memcpy(), which is why I asked if there's a need to do this specific action frequently (or at all).