[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZilyxFnJvaWUJOkc@google.com>
Date: Wed, 24 Apr 2024 13:59:48 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Michael Roth <michael.roth@....com>
Cc: kvm@...r.kernel.org, linux-coco@...ts.linux.dev, linux-mm@...ck.org,
linux-crypto@...r.kernel.org, x86@...nel.org, linux-kernel@...r.kernel.org,
tglx@...utronix.de, mingo@...hat.com, jroedel@...e.de,
thomas.lendacky@....com, hpa@...or.com, ardb@...nel.org, pbonzini@...hat.com,
vkuznets@...hat.com, jmattson@...gle.com, luto@...nel.org,
dave.hansen@...ux.intel.com, slp@...hat.com, pgonda@...gle.com,
peterz@...radead.org, srinivas.pandruvada@...ux.intel.com,
rientjes@...gle.com, dovmurik@...ux.ibm.com, tobin@....com, bp@...en8.de,
vbabka@...e.cz, kirill@...temov.name, ak@...ux.intel.com, tony.luck@...el.com,
sathyanarayanan.kuppuswamy@...ux.intel.com, alpergun@...gle.com,
jarkko@...nel.org, ashish.kalra@....com, nikunj.dadhania@....com,
pankaj.gupta@....com, liam.merwick@...cle.com,
Brijesh Singh <brijesh.singh@....com>
Subject: Re: [PATCH v14 09/22] KVM: SEV: Add support to handle MSR based Page
State Change VMGEXIT
On Sun, Apr 21, 2024, Michael Roth wrote:
> +static int snp_begin_psc_msr(struct kvm_vcpu *vcpu, u64 ghcb_msr)
> +{
> + u64 gpa = gfn_to_gpa(GHCB_MSR_PSC_REQ_TO_GFN(ghcb_msr));
> + u8 op = GHCB_MSR_PSC_REQ_TO_OP(ghcb_msr);
> + struct vcpu_svm *svm = to_svm(vcpu);
> +
> + if (op != SNP_PAGE_STATE_PRIVATE && op != SNP_PAGE_STATE_SHARED) {
> + set_ghcb_msr(svm, GHCB_MSR_PSC_RESP_ERROR);
> + return 1; /* resume guest */
> + }
> +
> + vcpu->run->exit_reason = KVM_EXIT_VMGEXIT;
> + vcpu->run->vmgexit.type = KVM_USER_VMGEXIT_PSC_MSR;
> + vcpu->run->vmgexit.psc_msr.gpa = gpa;
> + vcpu->run->vmgexit.psc_msr.op = op;
Argh, no.
This is the same crud that TDX tried to push[*]. Use KVM's existing user exits,
and extend as *needed*. There is no good reason page state change requests need
*two* exit reasons. The *only* thing KVM supports right now is private<=>shared
conversions, and that can be handled with either KVM_HC_MAP_GPA_RANGE or
KVM_EXIT_MEMORY_FAULT.
The non-MSR flavor can batch requests, but I'm willing to bet that the overwhelming
majority of requests are contiguous, i.e. can be combined into a range by KVM,
and that handling any outliers by performing multiple exits to userspace will
provide sufficient performance.
And the non-MSR version that comes in later patch is a complete mess. It kicks
the PSC out to userspace without *any* validation. As I complained in the TDX
thread, that will create an unmaintable ABI for KVM.
KVM needs to have its own, well-defined ABI. Splitting functionality between
KVM and userspace at seemingly random points is not maintainable.
E.g. if/when KVM supports UNSMASH, upgrading to the KVM would arguably break
userspace as PSC requests that previously exited would suddenly be handled by
KVM. Maybe. It's impossible to review this because there's no KVM ABI, KVM is
little more than a dumb pipe parroting information to userspace.
I truly do not understand why we would even consider allowing this. We push back
on people wanting new hypercalls for some specific use case, because we already
have generic ways to achieve things, but then CoCo comes along and we apparently
throw out any thought of maintainability. I don't get it.
[*] https://lore.kernel.org/all/Zg18ul8Q4PGQMWam@google.com
Powered by blists - more mailing lists