From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CA20C32771 for ; Mon, 26 Sep 2022 14:28:26 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C5A9C8E005D; Mon, 26 Sep 2022 10:28:25 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id C0B7F8E0047; Mon, 26 Sep 2022 10:28:25 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A83F58E005D; Mon, 26 Sep 2022 10:28:25 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 981258E0047 for ; Mon, 26 Sep 2022 10:28:25 -0400 (EDT) Received: from smtpin17.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 5EC05140C5D for ; Mon, 26 Sep 2022 14:28:25 +0000 (UTC) X-FDA: 79954466970.17.6C090E8 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by imf21.hostedemail.com (Postfix) with ESMTP id A6CED1C0004 for ; Mon, 26 Sep 2022 14:28:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1664202503; x=1695738503; h=date:from:to:cc:subject:message-id:reply-to:references: mime-version:in-reply-to; bh=popbE19nKyEVwEGLpuPjkB9hubnGI4/mt3D2DsIdq20=; b=CyNL8zHfI+1F4ZZ33hRMmAJk/hMVM1xpdHTfY4LwAEizZF7HSpkz6QNE HY+L1WSjzDw2mn16e2E1e4ojMWcuW6BF+PDU2we4+RrQD2FGlrkCRMQH4 E0ZJQqXkFD5ba9SRm+NvRFhq1XoHaqUO8fvZYp56SItAImwIfWElw6w7A 998t0cZ5NwhWKaZ837NkrteksoFODZ9uZPbgi6HsQfg9xMbd8tf2trJa3 5rV5jBMT2wGc8sartk8Qpbkf/6tKtn1yX6yEmS9Z7kOyhoW8iG/mmkB7M UgmGErAjq9XJTCD8gokz5AAMz105dYmjzoCeVZl8IsvV+FDtepRLAdGgJ Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10482"; a="301941747" X-IronPort-AV: E=Sophos;i="5.93,346,1654585200"; d="scan'208";a="301941747" Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 26 Sep 2022 07:28:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10482"; a="598755672" X-IronPort-AV: E=Sophos;i="5.93,346,1654585200"; d="scan'208";a="598755672" Received: from chaop.bj.intel.com (HELO localhost) ([10.240.193.75]) by orsmga006.jf.intel.com with ESMTP; 26 Sep 2022 07:28:07 -0700 Date: Mon, 26 Sep 2022 22:23:30 +0800 From: Chao Peng To: Fuad Tabba Cc: Sean Christopherson , David Hildenbrand , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, linux-doc@vger.kernel.org, qemu-devel@nongnu.org, Paolo Bonzini , Jonathan Corbet , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, "H . Peter Anvin" , Hugh Dickins , Jeff Layton , "J . Bruce Fields" , Andrew Morton , Shuah Khan , Mike Rapoport , Steven Price , "Maciej S . Szmigiero" , Vlastimil Babka , Vishal Annapurve , Yu Zhang , "Kirill A . Shutemov" , luto@kernel.org, jun.nakajima@intel.com, dave.hansen@intel.com, ak@linux.intel.com, aarcange@redhat.com, ddutile@redhat.com, dhildenb@redhat.com, Quentin Perret , Michael Roth , mhocko@suse.com, Muchun Song , wei.w.wang@intel.com, Will Deacon , Marc Zyngier Subject: Re: [PATCH v8 1/8] mm/memfd: Introduce userspace inaccessible memfd Message-ID: <20220926142330.GC2658254@chaop.bj.intel.com> Reply-To: Chao Peng References: <20220915142913.2213336-1-chao.p.peng@linux.intel.com> <20220915142913.2213336-2-chao.p.peng@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1664202504; a=rsa-sha256; cv=none; b=DL5+OW/0qjBV2fdcqcLQ7q+mKSo5JURvznVLqeBNlPNnZQwksc/Xe1Uo+3xdBpmyIqAmRQ EBH6dWvao30T2aMxp1E/V6zQX50nS9dR7bAgZSeMuRhBvyXtMaTDY6V/qQkhdSZ79pVWzu onsv6lOqonNsbt773fQ/4txySgc14IY= ARC-Authentication-Results: i=1; imf21.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=CyNL8zHf; dmarc=fail reason="No valid SPF" header.from=intel.com (policy=none); spf=none (imf21.hostedemail.com: domain of chao.p.peng@linux.intel.com has no SPF policy when checking 134.134.136.24) smtp.mailfrom=chao.p.peng@linux.intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1664202504; h=from:from:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=gNpGFe/eTPcUdlAy/fbk284j3GMmKTWYOfsJOOwSqI0=; b=GyNyuP4KdjejhVk4BnNwVrNUQUJIRpGFTW7LISd2TJByOiZNXvURW3F3bgsrqmQbVAXeSW ph3CYIuREDii+exasMvC0hf0qEgseemZpckdMhEgN3Ouz6LY3VCExz4blD7mRKeqDwrPHz SvhhnJ64JPQiXUrFS/UylSecickp/6g= X-Rspam-User: X-Rspamd-Queue-Id: A6CED1C0004 X-Rspamd-Server: rspam08 X-Stat-Signature: ty3sda31dn5c8c7d1nw9tscb4ugi7wo1 Authentication-Results: imf21.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=CyNL8zHf; dmarc=fail reason="No valid SPF" header.from=intel.com (policy=none); spf=none (imf21.hostedemail.com: domain of chao.p.peng@linux.intel.com has no SPF policy when checking 134.134.136.24) smtp.mailfrom=chao.p.peng@linux.intel.com X-HE-Tag: 1664202503-384491 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 23, 2022 at 04:19:46PM +0100, Fuad Tabba wrote: > > Regarding pKVM's use case, with the shim approach I believe this can be done by > > allowing userspace mmap() the "hidden" memfd, but with a ton of restrictions > > piled on top. > > > > My first thought was to make the uAPI a set of KVM ioctls so that KVM could tightly > > tightly control usage without taking on too much complexity in the kernel, but > > working through things, routing the behavior through the shim itself might not be > > all that horrific. > > > > IIRC, we discarded the idea of allowing userspace to map the "private" fd because > > things got too complex, but with the shim it doesn't seem _that_ bad. > > > > E.g. on the memfd side: > > > > 1. The entire memfd must be mapped, and at most one mapping is allowed, i.e. > > mapping is all or nothing. > > > > 2. Acquiring a reference via get_pfn() is disallowed if there's a mapping for > > the restricted memfd. > > > > 3. Add notifier hooks to allow downstream users to further restrict things. > > > > 4. Disallow splitting VMAs, e.g. to force userspace to munmap() everything in > > one shot. > > > > 5. Require that there are no outstanding references at munmap(). Or if this > > can't be guaranteed by userspace, maybe add some way for userspace to wait > > until it's ok to convert to private? E.g. so that get_pfn() doesn't need > > to do an expensive check every time. > > > > static int memfd_restricted_mmap(struct file *file, struct vm_area_struct *vma) > > { > > if (vma->vm_pgoff) > > return -EINVAL; > > > > if ((vma->vm_end - vma->vm_start) != ) > > return -EINVAL; > > > > mutex_lock(&data->lock); > > > > if (data->has_mapping) { > > r = -EINVAL; > > goto err; > > } > > list_for_each_entry(notifier, &data->notifiers, list) { > > r = notifier->ops->mmap_start(notifier, ...); > > if (r) > > goto abort; > > } > > > > notifier->ops->mmap_end(notifier, ...); > > mutex_unlock(&data->lock); > > return 0; > > > > abort: > > list_for_each_entry_continue_reverse(notifier &data->notifiers, list) > > notifier->ops->mmap_abort(notifier, ...); > > err: > > mutex_unlock(&data->lock); > > return r; > > } > > > > static void memfd_restricted_close(struct vm_area_struct *vma) > > { > > mutex_lock(...); > > > > /* > > * Destroy the memfd and disable all future accesses if there are > > * outstanding refcounts (or other unsatisfied restrictions?). > > */ > > if ( || ???) > > memfd_restricted_destroy(...); > > else > > data->has_mapping = false; > > > > mutex_unlock(...); > > } > > > > static int memfd_restricted_may_split(struct vm_area_struct *area, unsigned long addr) > > { > > return -EINVAL; > > } > > > > static int memfd_restricted_mapping_mremap(struct vm_area_struct *new_vma) > > { > > return -EINVAL; > > } > > > > Then on the KVM side, its mmap_start() + mmap_end() sequence would: > > > > 1. Not be supported for TDX or SEV-SNP because they don't allow adding non-zero > > memory into the guest (after pre-boot phase). > > > > 2. Be mutually exclusive with shared<=>private conversions, and is allowed if > > and only if the entire gfn range of the associated memslot is shared. > > In general I think that this would work with pKVM. However, limiting > private<->shared conversions to the granularity of a whole memslot > might be difficult to handle in pKVM, since the guest doesn't have the > concept of memslots. For example, in pKVM right now, when a guest > shares back its restricted DMA pool with the host it does so at the > page-level. pKVM would also need a way to make an fd accessible again > when shared back, which I think isn't possible with this patch. But does pKVM really want to mmap/munmap a new region at the page-level, that can cause VMA fragmentation if the conversion is frequent as I see. Even with a KVM ioctl for mapping as mentioned below, I think there will be the same issue. > > You were initially considering a KVM ioctl for mapping, which might be > better suited for this since KVM knows which pages are shared and > which ones are private. So routing things through KVM might simplify > things and allow it to enforce all the necessary restrictions (e.g., > private memory cannot be mapped). What do you think? > > Thanks, > /fuad