qemu-devel.nongnu.org archive mirror
From: "Jörg Rödel" <joro@8bytes.org>
To: Alexander Graf <graf@amazon.com>
Cc: "Ani Sinha" <anisinha@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Eduardo Habkost" <eduardo@habkost.net>,
	"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Yanan Wang" <wangyanan55@huawei.com>,
	"Zhao Liu" <zhao1.liu@intel.com>,
	"Richard Henderson" <richard.henderson@linaro.org>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Fabiano Rosas" <farosas@suse.de>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Gerd Hoffman" <kraxel@redhat.com>,
	"Igor Mammedov" <imammedo@redhat.com>,
	"Vitaly Kuznetsov" <vkuznets@redhat.com>,
	qemu-devel@nongnu.org
Subject: Re: [PATCH v6] hw/misc/vmfwupdate: Introduce hypervisor fw-cfg interface support
Date: Thu, 13 Mar 2025 18:38:44 +0100
Message-ID: <Z9MYJEG5RtTTXfpa@8bytes.org>
In-Reply-To: <b91881ee-69cb-46dc-82ff-b9781f480096@amazon.com>

Hey Alex,

On Thu, Mar 13, 2025 at 05:30:30PM +0100, Alexander Graf wrote:
> I have a few concerns with IGVM:
> 
> 1) Parsing is non-trivial. Parsing them in QEMU may open security issues.

There is an IGVM parsing library under MIT license and written in Rust
with C-bindings. The currently proposed IGVM support patches for
QEMU also make use of it as well as (I believe) the implementations in the
two other hypervisors I am aware of.

That it's written in Rust is no guarantee that there are no issues, but
certain classes of common security bugs should already be avoided by
that.

> 2) Their data structures are tied to the target CPU structures like VMSA
> which FWIW are not fully owned by QEMU, are they?

Yes, those data structures are aligned with what the hardware consumes.
That makes it a lot easier to pre-calculate the launch-measurements, as
the tooling just needs to hash what is in the file without constructing
the hardware representation first.

Not sure what you mean by "owned by QEMU", all data in the IGVM file is
at least _consumed_ by QEMU and KVM to build the initial memory image of
the CVM. Once the CVM is launched all of the data belongs to the guest.

> 3) I don't want to allocate a bounce buffer for an IGVM in the hypervisor.
> So we would need to ensure that the memory allocated by the loader for the
> IGVM does not overlap any memory the IGVM wants to consume. If the loader
> considers the IGVM as opaque, that is difficult to achieve.

Right, I think that is a reasonable constraint that should be built into
the vmfwupdate protocol. The placement of the file in guest memory must
not overlap with any memory region that is deployed by the file. That
saves QEMU from copying and allocating the space on the host side.

Regards,

	Joerg
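
The placement constraint discussed in the message above, sketched as an added example; it is not part of the original message or of the QEMU patches. `struct gpa_range`, `check_placement` and the sample addresses are hypothetical, and the list of regions the file deploys is assumed to have been extracted by the IGVM parser already.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical type: guest-physical range [gpa, gpa + len). */
struct gpa_range { uint64_t gpa, len; };

enum placement { PLACEMENT_OK, PLACEMENT_OVERLAP, PLACEMENT_MALFORMED };

/* Exclusive end of r; fails if r is empty or gpa + len does not fit in 64 bits. */
static bool range_end(const struct gpa_range *r, uint64_t *end)
{
    if (r->len == 0 || r->len > UINT64_MAX - r->gpa)
        return false;
    *end = r->gpa + r->len;
    return true;
}

/* Reject a file placement that intersects any region the file deploys. */
enum placement check_placement(const struct gpa_range *file,
                               const struct gpa_range *dst, size_t n)
{
    uint64_t file_end, dst_end;
    if (!range_end(file, &file_end))
        return PLACEMENT_MALFORMED;
    for (size_t i = 0; i < n; i++) {
        if (!range_end(&dst[i], &dst_end))
            return PLACEMENT_MALFORMED;
        /* Half-open intervals: adjacent ranges do not overlap. */
        if (dst[i].gpa < file_end && file->gpa < dst_end)
            return PLACEMENT_OVERLAP;
    }
    return PLACEMENT_OK;
}

/* Constructed sample values, not taken from a real IGVM file. */
static const struct gpa_range sample_dst[] = {
    { 0x00000000ULL, 0x000A0000ULL },
    { 0xFFC00000ULL, 0x00400000ULL },
};
static const struct gpa_range ok_file   = { 0x10000000ULL, 0x200000ULL };
static const struct gpa_range adj_file  = { 0x000A0000ULL, 0x001000ULL };
static const struct gpa_range bad_file  = { 0xFFBFF000ULL, 0x002000ULL };
static const struct gpa_range wrap_file = { UINT64_MAX - 0xFFF, 0x2000ULL };

int main(void)
{
    return check_placement(&ok_file, sample_dst, 2) != PLACEMENT_OK ||
           check_placement(&bad_file, sample_dst, 2) != PLACEMENT_OVERLAP;
}
```
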

