lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 Feb 2020 22:28:25 +0000
From:   Ashish Kalra <ashish.kalra@....com>
To:     Andy Lutomirski <luto@...capital.net>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Radim Krcmar <rkrcmar@...hat.com>,
        Joerg Roedel <joro@...tes.org>, Borislav Petkov <bp@...e.de>,
        Tom Lendacky <thomas.lendacky@....com>,
        David Rientjes <rientjes@...gle.com>, X86 ML <x86@...nel.org>,
        kvm list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 10/12] mm: x86: Invoke hypercall when page encryption
 status is changed

On Wed, Feb 12, 2020 at 09:42:02PM -0800, Andy Lutomirski wrote:
>> On Wed, Feb 12, 2020 at 5:18 PM Ashish Kalra <Ashish.Kalra@....com> wrote:
>> >
>> > From: Brijesh Singh <brijesh.singh@....com>
> >
> > Invoke a hypercall when a memory region is changed from encrypted ->
> > decrypted and vice versa. Hypervisor need to know the page encryption
> > status during the guest migration.
>> 
>> What happens if the guest memory status doesn't match what the
>> hypervisor thinks it is?  What happens if the guest gets migrated
>> between the hypercall and the associated flushes?

This is basically same as the dirty page tracking and logging being done
during Live Migration. As with dirty page tracking and logging we
maintain a page encryption bitmap in the kernel which keeps tracks of
guest's page encrypted/decrypted state changes and this bitmap is
sync'ed regularly from kernel to qemu and also during the live migration
process, therefore any dirty pages whose encryption status will change
during migration, should also have their page status updated when the
page encryption bitmap is sync'ed. 

Also i think that when the amount of dirty pages reach a low threshold,
QEMU stops the source VM and then transfers all the remaining dirty
pages, so at that point, there will also be a final sync of the page
encryption bitmap, there won't be any hypercalls after this as the
source VM has been stopped and the remaining VM state gets transferred.

Thanks,
Ashish

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ