Message-ID: <bfde1328-2d1c-4b75-970f-69c74f3a74f9@intel.com>
Date: Fri, 15 Mar 2024 10:23:35 +1300
From: "Huang, Kai" <kai.huang@...el.com>
To: Isaku Yamahata <isaku.yamahata@...el.com>, "Edgecombe, Rick P"
<rick.p.edgecombe@...el.com>
CC: "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "Zhang, Tina"
<tina.zhang@...el.com>, "seanjc@...gle.com" <seanjc@...gle.com>, "Yuan, Hang"
<hang.yuan@...el.com>, "Chen, Bo2" <chen.bo@...el.com>, "sagis@...gle.com"
<sagis@...gle.com>, "isaku.yamahata@...il.com" <isaku.yamahata@...il.com>,
"Aktas, Erdem" <erdemaktas@...gle.com>, "pbonzini@...hat.com"
<pbonzini@...hat.com>, "binbin.wu@...ux.intel.com"
<binbin.wu@...ux.intel.com>, <isaku.yamahata@...ux.intel.com>
Subject: Re: [PATCH v19 058/130] KVM: x86/mmu: Add a private pointer to struct kvm_mmu_page
On 15/03/2024 7:10 am, Isaku Yamahata wrote:
> On Wed, Mar 13, 2024 at 08:51:53PM +0000,
> "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> wrote:
>
>> On Mon, 2024-02-26 at 00:26 -0800, isaku.yamahata@...el.com wrote:
>>> From: Isaku Yamahata <isaku.yamahata@...el.com>
>>>
>>> For private GPA, CPU refers to a private page table whose contents are
>>> encrypted. The dedicated APIs to operate on it (e.g. updating/reading its
>>> PTE entry) are used and their cost is expensive.
>>>
>>> When KVM resolves KVM page fault, it walks the page tables. To reuse the
>>> existing KVM MMU code and mitigate the heavy cost to directly walk private
>>> page table, allocate one more page to copy the dummy page table for KVM MMU
>>> code to directly walk. Resolve KVM page fault with the existing code, and
>>> do additional operations necessary for the private page table.
>>
>>> To distinguish such cases, the existing KVM page table is called a shared
>>> page table (i.e. not associated with private page table), and the page
>>> table with private page table is called a private page table.
>>
>> This makes it sound like the dummy page table for the private alias is
>> also called a shared page table, but in the drawing below it looks like
>> only the shared alias is called "shared PT".
>
> How about this,
> Call the existing KVM page table associated with shared GPA as shared page table.
> Call the KVM page table associated with private GPA as private page table.
>
For the second one, are you talking about the *true* secure/private EPT
page table used by hardware, or the one visible to KVM but not used by
hardware?
We have 3 page tables as you mentioned:
PT: page table
- Shared PT is visible to KVM and it is used by CPU.
- Private PT is used by CPU but it is invisible to KVM.
- Dummy PT is visible to KVM but not used by CPU. It is used to
propagate PT change to the actual private PT which is used by CPU.
If I recall correctly, we used to call the last one "mirrored (private)
page table".
I lost track of when we changed to use "dummy page table", but it
seems to me "mirrored" is better than "dummy" because the latter means
it is useless but in fact it is used to propagate changes to the real
private page table used by hardware.
Btw, one nit, perhaps:
"Shared PT is visible to KVM and it is used by CPU." -> "Shared PT is
visible to KVM and it is used by CPU for shared mappings".
To make it clearer it is used for "shared mappings".
But this may be unnecessary to others, so up to you.