From: David Woodhouse <dwmw2@infradead.org>
To: Alexander Graf <graf@amazon.com>,
Pasha Tatashin <pasha.tatashin@soleen.com>,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
kvm@vger.kernel.org, linux-mm@kvack.org, kvmarm@lists.linux.dev
Cc: rppt@kernel.org, pratyush@kernel.org, pbonzini@redhat.com,
seanjc@google.com, maz@kernel.org, oupton@kernel.org,
alex.williamson@redhat.com, kevin.tian@intel.com,
rientjes@google.com, Tycho.Andersen@amd.com,
anthony.yznaga@oracle.com, baolu.lu@linux.intel.com,
david@kernel.org, dmatlack@google.com, mheyne@amazon.de,
jgowans@amazon.com, jgg@nvidia.com,
pankaj.gupta.linux@gmail.com, kpraveen.lkml@gmail.com,
vipinsh@google.com, vannapurve@google.com, corbet@lwn.net,
loeser@linux.microsoft.com, tglx@kernel.org, mingo@redhat.com,
bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org,
hpa@zytor.com, roman.gushchin@linux.dev,
akpm@linux-foundation.org, pjt@google.com, "Petrongonas,
Evangelos" <epetron@amazon.de>
Subject: Re: [RFC] proposal: KVM: Orphaned VMs: The Caretaker approach for Live Update
Date: Wed, 29 Apr 2026 09:40:32 +0100 [thread overview]
Message-ID: <cd0ae5795cf14a7b20c90840b0a3eba7db160e72.camel@infradead.org> (raw)
In-Reply-To: <b52e7d0a-4275-48a0-850f-6ceccfd5204e@amazon.com>
[-- Attachment #1: Type: text/plain, Size: 1331 bytes --]
On Wed, 2026-04-29 at 10:13 +0200, Alexander Graf wrote:
> I would prefer we only attach the whole caretaker and all of its
> specialties right around the point when live update happens. Why keep it
> dangling and active forever? That way you can also late load the kernel
> module that contains it, so you can be sure it's an up to date version.
"Why keep it dangling and active forever?"
I've always wanted to tie this to address space isolation.
The only way to truly stay in front of the constant stream of new
speculation vulnerabilities has been to just make sure there's nothing
sensitive accessible in the address space at all. Hence all the work on
secret hiding, XPFO, proclocal, etc. — and hence the occasional
researcher finding their shiny new (5-year-old) vulnerability and being
confused when it doesn't leak anything *interesting* in certain
environments.
I'd like to see the inner KVM_RUN loop switch to a completely separate
address space, in which there's a kind of caretaker which can handle
the bare minimum of interrupts and timers and the most common exits,
and which *relatively* rarely has to come back into the real Linux
address space.
And once you have that caretaker running in its own address space...
why not just let it keep going while Linux does its kexec?
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5069 bytes --]
next prev parent reply other threads:[~2026-04-29 8:40 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-28 22:29 [RFC] proposal: KVM: Orphaned VMs: The Caretaker approach for Live Update Pasha Tatashin
2026-04-29 8:13 ` Alexander Graf
2026-04-29 8:40 ` David Woodhouse [this message]
2026-04-29 16:13 ` Pasha Tatashin
2026-04-29 16:02 ` Pasha Tatashin
2026-04-30 13:28 ` Paolo Bonzini
2026-04-30 15:27 ` David Woodhouse
2026-05-01 3:32 ` Paolo Bonzini
2026-05-01 8:56 ` David Woodhouse
2026-05-01 22:07 ` Pasha Tatashin
2026-05-01 21:48 ` Pasha Tatashin
2026-05-03 16:57 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cd0ae5795cf14a7b20c90840b0a3eba7db160e72.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=Tycho.Andersen@amd.com \
--cc=akpm@linux-foundation.org \
--cc=alex.williamson@redhat.com \
--cc=anthony.yznaga@oracle.com \
--cc=baolu.lu@linux.intel.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@kernel.org \
--cc=dmatlack@google.com \
--cc=epetron@amazon.de \
--cc=graf@amazon.com \
--cc=hpa@zytor.com \
--cc=jgg@nvidia.com \
--cc=jgowans@amazon.com \
--cc=kevin.tian@intel.com \
--cc=kexec@lists.infradead.org \
--cc=kpraveen.lkml@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=loeser@linux.microsoft.com \
--cc=maz@kernel.org \
--cc=mheyne@amazon.de \
--cc=mingo@redhat.com \
--cc=oupton@kernel.org \
--cc=pankaj.gupta.linux@gmail.com \
--cc=pasha.tatashin@soleen.com \
--cc=pbonzini@redhat.com \
--cc=pjt@google.com \
--cc=pratyush@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rppt@kernel.org \
--cc=seanjc@google.com \
--cc=tglx@kernel.org \
--cc=vannapurve@google.com \
--cc=vipinsh@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox