From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Yang Zhong <yang.zhong@intel.com>,
qemu-devel@nongnu.org, kai.huang@intel.com
Subject: Re: [RESEND PATCH 05/32] vl: Add "sgx-epc" option to expose SGX EPC sections to guest
Date: Tue, 4 May 2021 16:20:13 +0000
Message-ID: <YJF0PXZc3/X8hJ4P@google.com>
In-Reply-To: <d0785500-d007-9d96-1ee1-ce0e4a71c88c@redhat.com>
On Tue, May 04, 2021, Paolo Bonzini wrote:
> On 04/05/21 02:09, Sean Christopherson wrote:
> > Is there a way to process "-device sgx-epc..." before vCPUs are realized? The
> > ordering problem was the only reason I added a dedicated option.
>
> If it's just CPUID, one possibility could be to mark the EPC sections
> specially in KVM_SET_USER_MEMORY_REGION and synthesize the leaves within
> KVM; or even look inside the VMA structs and detect EPC regions that way.
I experimented with those options, and a few others, and they all lack the
flexibility of making EPC just another memory backend.
For synthesizing CPUID within KVM:
- Requires a vendor specific memory region flag for all architectures to work
around a quirk of one userspace VMM.
- Pushes a lot of complexity into KVM, e.g. KVM needs to update CPUID in
response to memslot changes, and needs to query memslots in response to
CPUID changes.
- Does KVM or userspace define the section attributes, e.g. confidentiality,
integrity, etc...? If KVM, are they hardcoded to match the host? What
happens if a future Intel platform supports multiple EPC sections with
different attributes? If userspace, how does userspace communicate the
attributes?
- How does userspace know what KVM enumerated to the guest? See the whole
KVM_GET_CPUID2 fiasco...
- Prevents userspace from enumerating EPC without a memslot, e.g. to trap on
the first EPC access for tracking purposes.
For probing VMAs:
- In addition to the above issues, requires MMU notifier integration to update
CPUID in response to a VMA change.
- Requires SGX subsystem to provide a helper to identify EPC VMAs.
In short, I feel very strongly that this is QEMU's problem to solve.
> Otherwise, the -M solution would work.
>
> Paolo
>
> > From the changelog:
> >
> > Because SGX EPC is enumerated through CPUID, EPC "devices" need to be
> > realized prior to realizing the vCPUs themselves, i.e. long before
> > generic devices are parsed and realized.
> >
> > So even though EPC sections could be realized through the generic
> > -devices command, they need to be created much earlier for them to
> > actually be usable by the guest.
>
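The discussion above turns on two facts: a guest discovers its EPC sections by walking CPUID leaf 0x12 sub-leaves (which is why QEMU must have the sections fixed before the vCPUs are realized), and each section carries attribute bits such as confidentiality and integrity that someone has to define. The following is an added example, not code from this patch series, QEMU or KVM, showing the sub-leaf encoding a VMM would emit and the walk a guest performs over it. The register layout is the one documented in the Intel SDM for CPUID.(EAX=12H, ECX>=2); the struct and function names, the sample base addresses and sizes are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four registers a guest reads back from CPUID.(EAX=12H, ECX=n), n >= 2.
 * Field layout follows the Intel SDM description of the SGX EPC enumeration
 * sub-leaves; the struct and function names here are this example's own. */
struct cpuid_regs {
    uint32_t eax, ebx, ecx, edx;
};

#define SGX_SUBLEAF_TYPE_MASK   0xFu        /* EAX[3:0]: 0 = invalid, 1 = EPC section */
#define SGX_SUBLEAF_EPC         0x1u
#define SGX_EPC_PROP_MASK       0xFu        /* ECX[3:0]: section properties */
#define SGX_EPC_PROP_CI_RP      0x1u        /* confidentiality, integrity, replay protection */
#define SGX_EPC_PROP_C          0x2u        /* confidentiality only */
#define SGX_EPC_PROP_CI         0x3u        /* confidentiality and integrity */
#define SGX_EPC_LOW_MASK        0xFFFFF000u /* bits 31:12 of base (EAX) / size (ECX) */
#define SGX_EPC_HIGH_MASK       0xFFFFFu    /* bits 51:32 of base (EBX) / size (EDX) */

/* Encode one EPC section as the guest-visible sub-leaf. Rejects values the
 * encoding cannot carry: base/size not 4 KiB aligned, above 52 bits, an empty
 * section, or a zero property nibble (which the SDM reserves for "invalid"). */
bool sgx_epc_encode(uint64_t base, uint64_t size, uint32_t prop,
                    struct cpuid_regs *r)
{
    if ((base | size) & 0xFFFu)
        return false;
    if ((base >> 52) || (size >> 52) || size == 0)
        return false;
    if (prop == 0 || prop > SGX_EPC_PROP_MASK)
        return false;

    r->eax = SGX_SUBLEAF_EPC | (uint32_t)(base & SGX_EPC_LOW_MASK);
    r->ebx = (uint32_t)(base >> 32) & SGX_EPC_HIGH_MASK;
    r->ecx = prop | (uint32_t)(size & SGX_EPC_LOW_MASK);
    r->edx = (uint32_t)(size >> 32) & SGX_EPC_HIGH_MASK;
    return true;
}

/* Decode a sub-leaf the way a guest kernel would. Returns false for the
 * "invalid" terminator sub-leaf. */
bool sgx_epc_decode(const struct cpuid_regs *r, uint64_t *base,
                    uint64_t *size, uint32_t *prop)
{
    if ((r->eax & SGX_SUBLEAF_TYPE_MASK) != SGX_SUBLEAF_EPC)
        return false;
    *base = (uint64_t)(r->eax & SGX_EPC_LOW_MASK)
          | ((uint64_t)(r->ebx & SGX_EPC_HIGH_MASK) << 32);
    *size = (uint64_t)(r->ecx & SGX_EPC_LOW_MASK)
          | ((uint64_t)(r->edx & SGX_EPC_HIGH_MASK) << 32);
    *prop = r->ecx & SGX_EPC_PROP_MASK;
    return true;
}

/* Walk sub-leaves ECX=2, 3, ... exactly as a guest does: stop at the first
 * invalid entry and return the total EPC size enumerated. */
uint64_t sgx_epc_enumerate_total(const struct cpuid_regs *subleaves, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t base, size;
        uint32_t prop;
        if (!sgx_epc_decode(&subleaves[i], &base, &size, &prop))
            break;
        total += size;
    }
    return total;
}

/* Constructed sample: two sections plus the invalid terminator. The
 * addresses and sizes are made up for this example, not taken from any platform. */
uint64_t sgx_epc_sample_total(void)
{
    struct cpuid_regs table[3] = {{0}};
    /* 64 MiB at 2 GiB, fully protected */
    sgx_epc_encode(0x80000000ull, 0x4000000ull, SGX_EPC_PROP_CI_RP, &table[0]);
    /* 8 GiB above the 4 GiB boundary, exercising EBX/EDX, confidentiality only */
    sgx_epc_encode(0x123456000ull, 0x200000000ull, SGX_EPC_PROP_C, &table[1]);
    /* table[2] stays all-zero: EAX[3:0] == 0 terminates the walk */
    return sgx_epc_enumerate_total(table, 3);
}

int main(void)
{
    struct cpuid_regs r;
    sgx_epc_encode(0x123456000ull, 0x200000000ull, SGX_EPC_PROP_C, &r);
    printf("EAX=%08x EBX=%08x ECX=%08x EDX=%08x\n", r.eax, r.ebx, r.ecx, r.edx);
    printf("total EPC enumerated: 0x%llx bytes\n",
           (unsigned long long)sgx_epc_sample_total());
    return 0;
}
```

The property nibble in ECX[3:0] is exactly the per-section attribute Sean asks about: whoever builds these registers (QEMU here) decides what the guest believes about confidentiality and integrity protection, and a guest that walks the sub-leaves will silently stop at the first all-zero entry, so a VMM that adds a section after the vCPU's CPUID table is frozen has no way to make it visible.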