[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <68dee81d79199_296d74294b9@iweiny-mobl.notmuch>
Date: Thu, 2 Oct 2025 16:01:17 -0500
From: Ira Weiny <ira.weiny@...el.com>
To: Vishal Annapurve <vannapurve@...gle.com>, Sean Christopherson
<seanjc@...gle.com>
CC: Ira Weiny <ira.weiny@...el.com>, Yan Zhao <yan.y.zhao@...el.com>, "Michael
Roth" <michael.roth@....com>, <pbonzini@...hat.com>, <kvm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <rick.p.edgecombe@...el.com>,
<kai.huang@...el.com>, <adrian.hunter@...el.com>,
<reinette.chatre@...el.com>, <xiaoyao.li@...el.com>,
<tony.lindgren@...el.com>, <binbin.wu@...ux.intel.com>,
<dmatlack@...gle.com>, <isaku.yamahata@...el.com>, <david@...hat.com>,
<ackerleytng@...gle.com>, <tabba@...gle.com>, <chao.p.peng@...el.com>
Subject: Re: [RFC PATCH] KVM: TDX: Decouple TDX init mem region from
kvm_gmem_populate()
Vishal Annapurve wrote:
> On Tue, Aug 5, 2025 at 12:59 PM Sean Christopherson <seanjc@...gle.com> wrote:
> >
> > On Mon, Aug 04, 2025, Vishal Annapurve wrote:
> > > On Mon, Aug 4, 2025 at 5:22 PM Sean Christopherson <seanjc@...gle.com> wrote:
> > > > : 4) For SNP, if src != null, make the target pfn to be shared, copy
> > > > : contents and then make the target pfn back to private.
> > > >
> > > > Copying from userspace under spinlock (rwlock) is illegal, as accessing userspace
> > > > memory might_fault() and thus might_sleep().
> > >
> > > I would think that a combination of get_user_pages() and
> > > kmap_local_pfn() will prevent this situation of might_fault().
> >
> > Yes, but if SNP is using get_user_pages(), then it looks an awful lot like the
> > TDX flow, at which point isn't that an argument for keeping populate()?
>
> Ack, I agree we can't ditch kvm_gmem_populate() for SNP VMs. I am ok
> with using it for TDX/CCA VMs with the fixes discussed in this RFC.
Sean,
Where did this thread land? Was there a follow on series which came out
of this? I thought you sent a patch with the suggestions in this thread
but I can't find it.
Ira
>
> >
> > > Memory population in my opinion is best solved either by users asserting
> > > ownership of the memory and writing to it directly or by using guest_memfd
> > > (to be) exposed APIs to populate memory ranges given a source buffer. IMO
> > > kvm_gmem_populate() is doing something different than both of these options.
> >
> > In a perfect world, yes, guest_memfd would provide a clean, well-defined API
> > without needing a complicated dance between vendor code and guest_memfd. But,
> > sadly, the world of CoCo is anything but perfect. It's not KVM's fault that
> > every vendor came up with a different CoCo architecture. I.e. we can't "fix"
> > the underlying issue of SNP and TDX having significantly different ways for
> > initializing private memory.
> >
> > What we can do is shift as much code to common KVM as possible, e.g. to minimize
> > maintenance costs, reduce boilerplate and/or copy+paste code, provide a consistent
> > ABI, etc. Those things always need to be balanced against overall complexity, but
> > IMO providing a vendor callback doesn't add anywhere near enough complexity to
> > justify open coding the same concept in every vendor implementation.
>
> Ack. My goal was to steer this implementation towards reusing existing
> KVM synchronization to protect guest memory population within KVM
> vendor logic rather than relying on guest_memfd filemap lock to
> provide the needed protection here. That being said, I agree that we
> can't solve this problem cleanly in a manner that works for all
> architectures.
Powered by blists - more mailing lists