| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <92c6e142-5911-4e0c-ac13-af251e048215@redhat.com> Date: Mon, 29 Sep 2025 11:01:53 +0200 From: David Hildenbrand <david@...hat.com> To: Fuad Tabba <tabba@...gle.com> Cc: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>, Christian Borntraeger <borntraeger@...ux.ibm.com>, Janosch Frank <frankja@...ux.ibm.com>, Claudio Imbrenda <imbrenda@...ux.ibm.com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, Ackerley Tng <ackerleytng@...gle.com> Subject: Re: [PATCH 1/6] KVM: guest_memfd: Add DEFAULT_SHARED flag, reject user page faults if not set On 29.09.25 10:57, Fuad Tabba wrote: > Hi David. > > On Mon, 29 Sept 2025 at 09:38, David Hildenbrand <david@...hat.com> wrote: >> >> On 26.09.25 18:31, Sean Christopherson wrote: >>> Add a guest_memfd flag to allow userspace to state that the underlying >>> memory should be configured to be shared by default, and reject user page >>> faults if the guest_memfd instance's memory isn't shared by default. >>> Because KVM doesn't yet support in-place private<=>shared conversions, all >>> guest_memfd memory effectively follows the default state. >> >> I recall we discussed exactly that in the past (e.g., on April 17) in the call: >> >> "Current plan: >> * guest_memfd creation flag to specify “all memory starts as shared” >> * Compatible with the old behavior where all memory started as private >> * Initially, only these can be mmap (no in-place conversion) >> " >> >>> >>> Alternatively, KVM could deduce the default state based on MMAP, which for >>> all intents and purposes is what KVM currently does. However, implicitly >>> deriving the default state based on MMAP will result in a messy ABI when >>> support for in-place conversions is added. >> >> I don't recall the details, but I faintly remember that we discussed later that with >> mmap support, the default will be shared for now, and that no other flag would be >> required for the time being. >> >> We could always add a "DEFAULT_PRIVATE" flag when we realize that we would have >> to change the default later. > > I remember discussing this. For many confidential computing usecases, > e.g., pKVM and TDX, it would make more sense for the default case to > be private, since it's the more common state, and the initial state. > It also makes sense since sharing is usually triggered by the guest. > Ensuring that the initial state is private reduces the changes of the > VMM forgetting to convert the memory to being private later on, > potentially exposing all guest memory from the get go. > > I think it makes sense to clarify things now. Especially since with > memory attributes, the default attribute is > KVM_MEMORY_ATTRIBUTE_SHARED, which adds even more confusion. Makes sense to me then, thanks. -- Cheers David / dhildenb
Powered by blists - more mailing lists