| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <68dee81d79199_296d74294b9@iweiny-mobl.notmuch> Date: Thu, 2 Oct 2025 16:01:17 -0500 From: Ira Weiny <ira.weiny@...el.com> To: Vishal Annapurve <vannapurve@...gle.com>, Sean Christopherson <seanjc@...gle.com> CC: Ira Weiny <ira.weiny@...el.com>, Yan Zhao <yan.y.zhao@...el.com>, "Michael Roth" <michael.roth@....com>, <pbonzini@...hat.com>, <kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <rick.p.edgecombe@...el.com>, <kai.huang@...el.com>, <adrian.hunter@...el.com>, <reinette.chatre@...el.com>, <xiaoyao.li@...el.com>, <tony.lindgren@...el.com>, <binbin.wu@...ux.intel.com>, <dmatlack@...gle.com>, <isaku.yamahata@...el.com>, <david@...hat.com>, <ackerleytng@...gle.com>, <tabba@...gle.com>, <chao.p.peng@...el.com> Subject: Re: [RFC PATCH] KVM: TDX: Decouple TDX init mem region from kvm_gmem_populate() Vishal Annapurve wrote: > On Tue, Aug 5, 2025 at 12:59 PM Sean Christopherson <seanjc@...gle.com> wrote: > > > > On Mon, Aug 04, 2025, Vishal Annapurve wrote: > > > On Mon, Aug 4, 2025 at 5:22 PM Sean Christopherson <seanjc@...gle.com> wrote: > > > > : 4) For SNP, if src != null, make the target pfn to be shared, copy > > > > : contents and then make the target pfn back to private. > > > > > > > > Copying from userspace under spinlock (rwlock) is illegal, as accessing userspace > > > > memory might_fault() and thus might_sleep(). > > > > > > I would think that a combination of get_user_pages() and > > > kmap_local_pfn() will prevent this situation of might_fault(). > > > > Yes, but if SNP is using get_user_pages(), then it looks an awful lot like the > > TDX flow, at which point isn't that an argument for keeping populate()? > > Ack, I agree we can't ditch kvm_gmem_populate() for SNP VMs. I am ok > with using it for TDX/CCA VMs with the fixes discussed in this RFC. Sean, Where did this thread land? Was there a follow on series which came out of this? I thought you sent a patch with the suggestions in this thread but I can't find it. Ira > > > > > > Memory population in my opinion is best solved either by users asserting > > > ownership of the memory and writing to it directly or by using guest_memfd > > > (to be) exposed APIs to populate memory ranges given a source buffer. IMO > > > kvm_gmem_populate() is doing something different than both of these options. > > > > In a perfect world, yes, guest_memfd would provide a clean, well-defined API > > without needing a complicated dance between vendor code and guest_memfd. But, > > sadly, the world of CoCo is anything but perfect. It's not KVM's fault that > > every vendor came up with a different CoCo architecture. I.e. we can't "fix" > > the underlying issue of SNP and TDX having significantly different ways for > > initializing private memory. > > > > What we can do is shift as much code to common KVM as possible, e.g. to minimize > > maintenance costs, reduce boilerplate and/or copy+paste code, provide a consistent > > ABI, etc. Those things always need to be balanced against overall complexity, but > > IMO providing a vendor callback doesn't add anywhere near enough complexity to > > justify open coding the same concept in every vendor implementation. > > Ack. My goal was to steer this implementation towards reusing existing > KVM synchronization to protect guest memory population within KVM > vendor logic rather than relying on guest_memfd filemap lock to > provide the needed protection here. That being said, I agree that we > can't solve this problem cleanly in a manner that works for all > architectures.
Powered by blists - more mailing lists