[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <hzif6tde7p5q3fyrmu5got25rwuiuea5pzbf2ubbqdfc5uof4y@7waunf3d65fo>
Date: Sun, 7 Sep 2025 17:39:53 +0800
From: Wei-Lin Chang <r09922117@...e.ntu.edu.tw>
To: Marc Zyngier <maz@...nel.org>
Cc: linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.linux.dev,
linux-kernel@...r.kernel.org, Oliver Upton <oliver.upton@...ux.dev>,
Joey Gouly <joey.gouly@....com>, Suzuki K Poulose <suzuki.poulose@....com>,
Zenghui Yu <yuzenghui@...wei.com>, Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>
Subject: Re: [PATCH] KVM: arm64: nv: Allow shadow stage 2 read fault
On Mon, Sep 01, 2025 at 12:06:22PM +0100, Marc Zyngier wrote:
> On Tue, 26 Aug 2025 14:49:27 +0100,
> Wei-Lin Chang <r09922117@...e.ntu.edu.tw> wrote:
> >
> > Hi Marc,
> >
> > On Fri, Aug 22, 2025 at 10:40:07AM +0100, Marc Zyngier wrote:
> > >
> > > This would imply taking the guest's S2 permission at face value, and
> > > only drop W permission when the memslot is RO -- you'd then need to
> > > keep track of the original W bit somewhere. And that's where things
> > > become much harder, because KVM can decide to remap arbitrary ranges
> > > of IPA space as RO, which implies we should track the W bit at all
> > > times, most likely as one of the SW bits in the PTE.
> >
> > But sorry, I struggle to understand this paragraph after reading it many
> > times, probably my experience with the code isn't enough for me to make
> > the connection. Why are we talking about the W bit suddenly?
> > If you don't mind, can you reword what's discussed here?
> > I only very vaguely get that there will be 2 W bits, one from what L1 set,
> > and one from the L0 memslot, if I didn't completely miss the point..
>
> Sorry, I quickly drifted into something related.
>
> My take on this category of problems is that we're better off always
> using the permissions that the guest gives us. This is the scheme that
> we have adopted with VNCR. It means we wouldn't have to rewalk the
> guest S2 on permission fault, since we'd be guaranteed to have the
> latest update.
Ah yes I get it now! Make the shadow S2 more TLB-like and use it to
dictate our actions instead of looking for info in the guest S2 by
rewalking it.
>
> However, S2 management implies that a S2 mapping can be made read-only
> at any point (dirty log, for example). Which means that on a
> permission fault, you'd need to find out whether the page is R/O
> because the guest said so, or because the host decided to make it so.
>
> Which means that somehow you need to work out why you have taken a
> permission fault. You can either
>
> - rewalk the guest S2 as if you missed in the TLB
> - or keep a copy of the W bit in the shadow SW
>
Makes sense. Yes with this we'll have to distinguish the reason of the fault.
> > > We'll need exactly that if we ever want to implement the
> > > Hardware-managed Dirty Bit, but I have the feeling we need an actual
> > > design for this, and not a quick hack. Your approach is therefore the
> > > correct one for the time being.
>
> And that's why I brought this up: to support HD in the guest S2, we
> need to mark the full shadow S2 as R/O, and update the guest S2 on the
> back of that fault.
Got it! Thanks for helping me understand this!
Thanks,
Wei-Lin Chang
>
> Thanks,
>
> M.
>
> --
> Without deviation from the norm, progress is not possible.
Powered by blists - more mailing lists