Linux-mm Archive on lore.kernel.org
From: David Woodhouse <dwmw2@infradead.org>
To: Paolo Bonzini <pbonzini@redhat.com>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	linux-kernel@vger.kernel.org,  kexec@lists.infradead.org,
	kvm@vger.kernel.org, linux-mm@kvack.org,  kvmarm@lists.linux.dev
Cc: rppt@kernel.org, graf@amazon.com, pratyush@kernel.org,
	seanjc@google.com,  maz@kernel.org, oupton@kernel.org,
	alex.williamson@redhat.com,  kevin.tian@intel.com,
	rientjes@google.com, Tycho.Andersen@amd.com,
	 anthony.yznaga@oracle.com, baolu.lu@linux.intel.com,
	david@kernel.org,  dmatlack@google.com, mheyne@amazon.de,
	jgowans@amazon.com, jgg@nvidia.com,
	 pankaj.gupta.linux@gmail.com, kpraveen.lkml@gmail.com,
	vipinsh@google.com,  vannapurve@google.com, corbet@lwn.net,
	loeser@linux.microsoft.com, tglx@kernel.org,  mingo@redhat.com,
	bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
	 hpa@zytor.com, roman.gushchin@linux.dev,
	akpm@linux-foundation.org, pjt@google.com
Subject: Re: [RFC] proposal: KVM: Orphaned VMs: The Caretaker approach for Live Update
Date: Thu, 30 Apr 2026 16:27:11 +0100
Message-ID: <c004f333ed4f7dedae1383f22d43b009cd83837e.camel@infradead.org>
In-Reply-To: <0a71472c-b397-4699-a518-61faffcf4ab2@redhat.com>


On Thu, 2026-04-30 at 15:28 +0200, Paolo Bonzini wrote:
> I even wonder if, for long term simplicity, the interface for 
> host->caretaker should be just for the caretaker to swallow the host 
> into non-root mode, again as in Arm nVHE. 

There's a lot of merit in that approach.

I talked about wanting to use this 'caretaker' for secret hiding.  But
why have *voluntary* secret hiding with the kernel hiding things from
its own address space, when you have *mandatory* secret hiding
with something running in EL2, like pKVM. Or the Nitro Isolation Engine
which adds formal proof of correctness on top and is designed to allow
for live update of both itself *and* the kernel it hosts.

Honestly, I don't see the *caretaker* being much of an ABI at all,
except from one kernel to the next.

The *userspace* ABI considerations are all about how you make a vCPU
that runs asynchronously (should it conceptually just be an async
KVM_RUN call, which allows the vCPU to run in a kernel thread up to the
point of kexec? Why is it fundamentally tied to kexec at all?).

I'd love to start without kexec in the picture at all. Just show me the
KVM API for starting a *confidential* guest (pKVM, SEV-SNP, whatever),
leaving it running, completely stopping the VMM and then starting a new
VMM to pick up from where it left off.

Sometimes the vCPUs might all actually still be running. Sometimes they
might have hit an exit that couldn't be handled.

Doing kexec while the VMM is "hands-off" is then the *next* challenge.

