lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 28 Feb 2020 11:23:53 +1100
From:   David Gibson <david@...son.dropbear.id.au>
To:     Cornelia Huck <cohuck@...hat.com>
Cc:     Halil Pasic <pasic@...ux.ibm.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Christoph Hellwig <hch@....de>,
        Christian Borntraeger <borntraeger@...ibm.com>,
        Jason Wang <jasowang@...hat.com>,
        Marek Szyprowski <m.szyprowski@...sung.com>,
        Robin Murphy <robin.murphy@....com>,
        linux-s390@...r.kernel.org,
        virtualization@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org, iommu@...ts.linux-foundation.org,
        Janosch Frank <frankja@...ux.ibm.com>,
        Viktor Mihajlovski <mihajlov@...ux.ibm.com>,
        Ram Pai <linuxram@...ibm.com>,
        Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
        "Lendacky, Thomas" <Thomas.Lendacky@....com>,
        Michael Mueller <mimu@...ux.ibm.com>
Subject: Re: [PATCH 1/2] mm: move force_dma_unencrypted() to mem_encrypt.h

On Tue, Feb 25, 2020 at 07:08:02PM +0100, Cornelia Huck wrote:
> On Mon, 24 Feb 2020 19:49:53 +0100
> Halil Pasic <pasic@...ux.ibm.com> wrote:
> 
> > On Mon, 24 Feb 2020 14:33:14 +1100
> > David Gibson <david@...son.dropbear.id.au> wrote:
> > 
> > > On Fri, Feb 21, 2020 at 07:07:02PM +0100, Halil Pasic wrote:  
> > > > On Fri, 21 Feb 2020 10:48:15 -0500
> > > > "Michael S. Tsirkin" <mst@...hat.com> wrote:
> > > >   
> > > > > On Fri, Feb 21, 2020 at 02:06:39PM +0100, Halil Pasic wrote:  
> > > > > > On Fri, 21 Feb 2020 14:27:27 +1100
> > > > > > David Gibson <david@...son.dropbear.id.au> wrote:
> > > > > >   
> > > > > > > On Thu, Feb 20, 2020 at 05:31:35PM +0100, Christoph Hellwig wrote:  
> > > > > > > > On Thu, Feb 20, 2020 at 05:23:20PM +0100, Christian Borntraeger wrote:  
> > > > > > > > > >From a users perspective it makes absolutely perfect sense to use the  
> > > > > > > > > bounce buffers when they are NEEDED. 
> > > > > > > > > Forcing the user to specify iommu_platform just because you need bounce buffers
> > > > > > > > > really feels wrong. And obviously we have a severe performance issue
> > > > > > > > > because of the indirections.  
> > > > > > > > 
> > > > > > > > The point is that the user should not have to specify iommu_platform.
> > > > > > > > We need to make sure any new hypervisor (especially one that might require
> > > > > > > > bounce buffering) always sets it,  
> > > > > > > 
> > > > > > > So, I have draft qemu patches which enable iommu_platform by default.
> > > > > > > But that's really because of other problems with !iommu_platform, not
> > > > > > > anything to do with bounce buffering or secure VMs.
> > > > > > > 
> > > > > > > The thing is that the hypervisor *doesn't* require bounce buffering.
> > > > > > > In the POWER (and maybe s390 as well) models for Secure VMs, it's the
> > > > > > > *guest*'s choice to enter secure mode, so the hypervisor has no reason
> > > > > > > to know whether the guest needs bounce buffering.  As far as the
> > > > > > > hypervisor and qemu are concerned that's a guest internal detail, it
> > > > > > > just expects to get addresses it can access whether those are GPAs
> > > > > > > (iommu_platform=off) or IOVAs (iommu_platform=on).  
> > > > > > 
> > > > > > I very much agree!
> > > > > >   
> > > > > > >   
> > > > > > > > as was a rather bogus legacy hack  
> > > > > > > 
> > > > > > > It was certainly a bad idea, but it was a bad idea that went into a
> > > > > > > public spec and has been widely deployed for many years.  We can't
> > > > > > > just pretend it didn't happen and move on.
> > > > > > > 
> > > > > > > Turning iommu_platform=on by default breaks old guests, some of which
> > > > > > > we still care about.  We can't (automatically) do it only for guests
> > > > > > > that need bounce buffering, because the hypervisor doesn't know that
> > > > > > > ahead of time.  
> 
> We could default to iommu_platform=on on s390 when the host has active
> support for protected virtualization... but that's just another kind of
> horrible, so let's just pretend I didn't suggest it.

Yeah, that would break migration between hosts with the feature and
hosts without - for everything, not just protected guests.  In general
any kind of guest visible configuration change based on host
properties is incompatible with the qemu/KVM migration model.

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ