Message-ID: <20220719153530.GZ1379820@ls.amr.corp.intel.com>
Date:   Tue, 19 Jul 2022 08:35:30 -0700
From:   Isaku Yamahata <isaku.yamahata@...il.com>
To:     Kai Huang <kai.huang@...el.com>
Cc:     isaku.yamahata@...el.com, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org, isaku.yamahata@...il.com,
        Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v7 044/102] KVM: x86/mmu: Add a private pointer to struct
 kvm_mmu_page

On Fri, Jul 01, 2022 at 11:12:44PM +1200,
Kai Huang <kai.huang@...el.com> wrote:

> On Mon, 2022-06-27 at 14:53 -0700, isaku.yamahata@...el.com wrote:
> > From: Isaku Yamahata <isaku.yamahata@...el.com>
> > 
> > For private GPA, CPU refers to a private page table whose contents are
> > encrypted.  The dedicated APIs to operate on it (e.g. updating/reading its
> > PTE entry) are used and their cost is expensive.
> > 
> > When KVM resolves KVM page fault, it walks the page tables.  To reuse the
> > existing KVM MMU code and mitigate the heavy cost to directly walk
> > encrypted private page table, allocate one more page to mirror the existing
> > KVM page table.  Resolve KVM page fault with the existing code, and do
> > additional operations necessary for the mirrored private page table.  To
> > distinguish such cases, the existing KVM page table is called a shared page
> > table (i.e. no mirrored private page table), and the KVM page table with
> > mirrored private page table is called a private page table.  The
> > relationship is depicted below.
> > 
> > Add private pointer to struct kvm_mmu_page for mirrored private page table
> > and add helper functions to allocate/initialize/free a mirrored private
> > page table page.  Also, add helper functions to check if a given
> > kvm_mmu_page is private.  The later patch introduces hooks to operate on
> > the mirrored private page table.
> > 
> >               KVM page fault                     |
> >                      |                           |
> >                      V                           |
> >         -------------+----------                 |
> >         |                      |                 |
> >         V                      V                 |
> >      shared GPA           private GPA            |
> >         |                      |                 |
> >         V                      V                 |
> >  CPU/KVM shared PT root  KVM private PT root     |  CPU private PT root
> >         |                      |                 |           |
> >         V                      V                 |           V
> >      shared PT            private PT <----mirror----> mirrored private PT
> >         |                      |                 |           |
> >         |                      \-----------------+------\    |
> >         |                                        |      |    |
> >         V                                        |      V    V
> >   shared guest page                              |    private guest page
> >                                                  |
> >                            non-encrypted memory  |    encrypted memory
> >                                                  |
> > PT: page table
> > 
> > Both CPU and KVM refer to CPU/KVM shared page table.  Private page table
> > is used only by KVM.  CPU refers to mirrored private page table.
> 
> Shouldn't the private page table maintained by KVM be "mirrored private PT"?
> 
> To me "mirrored" normally implies it is fake, or backup which isn't actually
> used.  But here "mirrored private PT" is actually used by hardware.
> 
> And to me, "CPU and KVM" above are confusing.  For instance, "Both CPU and KVM
> refer to CPU/KVM shared page table" took me at least one minute to understand,
> with the help from the diagram -- otherwise I won't be able to understand.
> 
> I guess you can just say somewhere:
> 
> 1) Shared PT is visible to KVM and it is used by CPU;
> 2) Private PT is used by CPU but it is invisible to KVM;
> 3) Mirrored private PT is visible to KVM but not used by CPU.  It is used to
> mirror the actual private PT which is used by CPU.

I removed the word "mirror" and use "protected" for the encrypted page table.


    KVM: x86/mmu: Add a private pointer to struct kvm_mmu_page
    
    For private GPA, CPU refers to a private page table whose contents are
    encrypted.  The dedicated APIs to operate on it (e.g. updating/reading its
    PTE entry) are used and their cost is expensive.
    
    When KVM resolves KVM page fault, it walks the page tables.  To reuse the
    existing KVM MMU code and mitigate the heavy cost to directly walk
    protected (encrypted) page table, allocate one more page to copy the
    protected page table for KVM MMU code to directly walk.  Resolve KVM page
    fault with the existing code, and do additional operations necessary for
    the protected page table.  To distinguish such cases, the existing KVM page
    table is called a shared page table (i.e. not associated with protected
    page table), and the page table with protected page table is called a
    private page table.  The relationship is depicted below.
    
    Add a private pointer to struct kvm_mmu_page for protected page table and
    add helper functions to allocate/initialize/free a protected page table
    page.  Also, add helper functions to check if a given kvm_mmu_page is
    private.  The later patch introduces hooks to operate on the protected page
    table.
    
                  KVM page fault                     |
                         |                           |
                         V                           |
            -------------+----------                 |
            |                      |                 |
            V                      V                 |
         shared GPA           private GPA            |
            |                      |                 |
            V                      V                 |
        shared PT root      private PT root          |    protected PT root
            |                      |                 |           |
            V                      V                 |           V
         shared PT            private PT ----propagate----> protected PT
            |                      |                 |           |
            |                      \-----------------+------\    |
            |                                        |      |    |
            V                                        |      V    V
      shared guest page                              |    private guest page
                                                     |
                               non-encrypted memory  |    encrypted memory
                                                     |
    PT: page table
    - Shared PT is visible to KVM and it is used by CPU.
    - Protected PT is used by CPU but it is invisible to KVM.
    - Private PT is visible to KVM but not used by CPU.  It is used to
      propagate PT change to the actual protected PT which is used by CPU.
    
    Signed-off-by: Isaku Yamahata <isaku.yamahata@...el.com>

-- 
Isaku Yamahata <isaku.yamahata@...il.com>
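
The relationship in the revised commit message, modeled in user-space C as an added example (not code from the patch or from KVM): a page table page carries an extra pointer only when it is private, walks read the KVM-visible table, and each update to a private page is propagated once to the protected copy. `struct mmu_page`, `private_sp`, `alloc_sp`, `free_sp`, `set_pte`, `walk` and `protected_ops` are hypothetical names, and the propagation is modeled as a plain store plus a counter standing in for the costly dedicated API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#define PT_ENTRIES 512

/* Hypothetical stand-in for struct kvm_mmu_page; all names are assumptions. */
struct mmu_page {
    uint64_t *spt;        /* table KVM walks directly in plain memory */
    uint64_t *private_sp; /* page backing the protected PT; NULL if shared */
};
static unsigned long protected_ops; /* calls to the costly dedicated API */

static bool is_private_sp(const struct mmu_page *sp) { return sp->private_sp != NULL; }

static void free_sp(struct mmu_page *sp)
{
    if (!sp)
        return;
    free(sp->private_sp);
    free(sp->spt);
    free(sp);
}

static struct mmu_page *alloc_sp(bool is_private)
{
    struct mmu_page *sp = calloc(1, sizeof(*sp));
    if (sp)
        sp->spt = calloc(PT_ENTRIES, sizeof(*sp->spt));
    if (sp && is_private) /* one more page, only for private PT pages */
        sp->private_sp = calloc(PT_ENTRIES, sizeof(*sp->private_sp));
    if (!sp || !sp->spt || (is_private && !sp->private_sp)) {
        free_sp(sp);
        return NULL;
    }
    return sp;
}

/* Update the KVM-visible entry; propagate only for a private page. */
static void set_pte(struct mmu_page *sp, unsigned idx, uint64_t pte)
{
    sp->spt[idx] = pte;
    if (is_private_sp(sp)) {
        sp->private_sp[idx] = pte; /* models the dedicated, costly API */
        protected_ops++;
    }
}

/* Fault-path walk: reads the KVM-visible table, never the protected PT. */
static uint64_t walk(const struct mmu_page *sp, unsigned idx) { return sp->spt[idx]; }
```

Walks cost nothing extra in this model; only `set_pte` on a private page increments `protected_ops`, which is the cost the commit message aims to keep off the fault-path walk.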
