Date:   Sun, 13 Mar 2022 15:00:19 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Christoph Hellwig <hch@...radead.org>, isaku.yamahata@...el.com
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        isaku.yamahata@...il.com, Jim Mattson <jmattson@...gle.com>,
        erdemaktas@...gle.com, Connor Kuehl <ckuehl@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>
Subject: Re: [RFC PATCH v5 000/104] KVM TDX basic feature support

On 3/7/22 08:44, Christoph Hellwig wrote:
> A series of 104 patches is completely unreviewable, please split it into
> reasonable chunks.

It is split into 5-15 patch chunks, and I'm going to review it mostly 
according to the separation.  It's just posted together because it 
doesn't really accomplish anything until all the chunks are merged together.

From the cover letter:

>> TDX, VMX coexistence:
>>         Infrastructure to allow TDX to coexist with VMX and trigger the
>>         initialization of the TDX module.
>>         This layer starts with
>>         "KVM: VMX: Move out vmx_x86_ops to 'main.c' to wrap VMX and TDX"
>> TDX architectural definitions:
>>         Add TDX architectural definitions and helper functions
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TDX architectural definitions".
>> TD VM creation/destruction:
>>         Guest TD creation/destroy allocation and releasing of TDX specific vm
>>         and vcpu structure.  Create an initial guest memory image with TDX
>>         measurement.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TD VM creation/destruction".
>> TD vcpu creation/destruction:
>>         Guest TD creation/destroy allocation and releasing of TDX specific vm
>>         and vcpu structure.  Create an initial guest memory image with TDX
>>         measurement.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TD vcpu creation/destruction"
>> TDX EPT violation:
>>         Create an initial guest memory image with TDX measurement.  Handle
>>         secure EPT violations to populate guest pages with TDX SEAMCALLs.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TDX EPT violation"
>> TD vcpu enter/exit:
>>         Allow TDX vcpu to enter into TD and exit from TD.  Save CPU state before
>>         entering into TD.  Restore CPU state after exiting from TD.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TD vcpu enter/exit"
>> TD vcpu interrupts/exit/hypercall:
>>         Handle various exits/hypercalls and allow interrupts to be injected so
>>         that TD vcpu can continue running.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: TD vcpu exits/interrupts/hypercalls"
>> 
>> KVM MMU GPA stolen bits:
>>         Introduce framework to handle stolen repurposed bit of GPA.  TDX
>>         repurposed a bit of GPA to indicate shared or private. If it's shared,
>>         it's the same as the conventional VMX EPT case.  VMM can access shared
>>         guest pages.  If it's private, it's handled by Secure-EPT and the guest
>>         page is encrypted.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: KVM MMU GPA stolen bits"
>> KVM TDP refactoring for TDX:
>>         TDX Secure EPT requires different constants. e.g. initial value EPT
>>         entry value etc. Various refactoring for those differences.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: KVM TDP refactoring for TDX"
>> KVM TDP MMU hooks:
>>         Introduce framework to TDP MMU to add hooks in addition to direct EPT
>>         access.  TDX added Secure EPT which is an enhancement to VMX EPT.  Unlike
>>         conventional VMX EPT, CPU can't directly read/write Secure EPT. Instead,
>>         use TDX SEAMCALLs to operate on Secure EPT.
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: KVM TDP MMU hooks"
>> KVM TDP MMU MapGPA:
>>         Introduce framework to handle switching guest pages from private/shared
>>         to shared/private.  For a given GPA, a guest page can be assigned to a
>>         private GPA or a shared GPA exclusively.  With TDX MapGPA hypercall,
>>         guest TD converts GPA assignments from private (or shared) to shared (or
>>         private).
>>         This layer starts with
>>         "[MARKER] The start of TDX KVM patch series: KVM TDP MMU MapGPA "

Paolo
