From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1CE7C369D9 for ; Wed, 30 Apr 2025 16:57:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 314A26B00B1; Wed, 30 Apr 2025 12:57:00 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2BD9B6B00B3; Wed, 30 Apr 2025 12:57:00 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 15FD66B00C9; Wed, 30 Apr 2025 12:57:00 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id E656D6B00B1 for ; Wed, 30 Apr 2025 12:56:59 -0400 (EDT) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 6DC841405C0 for ; Wed, 30 Apr 2025 16:57:00 +0000 (UTC) X-FDA: 83391315000.05.23D8EB0 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) by imf15.hostedemail.com (Postfix) with ESMTP id A9F1CA000B for ; Wed, 30 Apr 2025 16:56:58 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=Hmc00Cs5; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf15.hostedemail.com: domain of 3WVYSaAUKCJYJ01106EE6B4.2ECB8DKN-CCAL02A.EH6@flex--tabba.bounces.google.com designates 209.85.128.74 as permitted sender) smtp.mailfrom=3WVYSaAUKCJYJ01106EE6B4.2ECB8DKN-CCAL02A.EH6@flex--tabba.bounces.google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1746032218; a=rsa-sha256; cv=none; b=EZmesxaD3YiYSMqlk2udimt2fZBBZpSdHIyr6Od8CMfxf/X2aorU3rzB56ZUK/YNLZVqiE VgUDxPzWDCuISXxAdxEdjUl9u8LUctjfEJK/vbCf1taIQwGomwE+H0OE0epfNdzFVj4POQ LVwzmqQwN5+tyI5/GXemI/RwRZp8keQ= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=Hmc00Cs5; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf15.hostedemail.com: domain of 3WVYSaAUKCJYJ01106EE6B4.2ECB8DKN-CCAL02A.EH6@flex--tabba.bounces.google.com designates 209.85.128.74 as permitted sender) smtp.mailfrom=3WVYSaAUKCJYJ01106EE6B4.2ECB8DKN-CCAL02A.EH6@flex--tabba.bounces.google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1746032218; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=T43Ue4g6bjq/nL4SqLo7xv0mu1p0WiGDtOfd7HkqUpc=; b=dwLPGG3106TXmynMozfGUPZsNQN25Ii/TV3URzLmFijG0zajPuWucYdauolYp4OPainnny EepukPBaiVcdVpQFQLKdDzqhk5EcGLLn6beisuihKptlM+HJn9M1aeWNV5hx+3ICuFl/6i 8CkJN432U3duMHnCFkHMtDlrcT+zXfM= Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-43d0a037f97so57285e9.2 for ; Wed, 30 Apr 2025 09:56:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1746032217; x=1746637017; darn=kvack.org; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=T43Ue4g6bjq/nL4SqLo7xv0mu1p0WiGDtOfd7HkqUpc=; b=Hmc00Cs5SgAbAe3+lz8DiS6wlnCyhEg59KoOixTysReezoDsxr+GJ4tZh6wL+3O+HU EVSxDDP67PCVusTWDwbSm9Szkk3THzFZ4dMZDER0JcsePoYLv53jmxVd9w3yDOMKT/gZ Tl/tVB3JEC19nkO+aNJSFI4OQP/u+cwoklcoUzHMcKY2/30GvBVooP6dhvvSoHkeIS6i p9860b9bWTmCvw5emtmd+kGGpnGKjXhklXviJMJZkwj44TgAC97NbR44W3pLW2hqcWKm W2qlopowNqu2B48E9N+xMNnxcYzKGO9yFzn1f2lByHmaaPY8d41ktNpuqLErI0wzA9sp NtUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746032217; x=1746637017; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=T43Ue4g6bjq/nL4SqLo7xv0mu1p0WiGDtOfd7HkqUpc=; b=kIp/n9a5jeSGeq8wO1F3sIiIiBu1ynAQC1jF1OJ4jiuaBmJw4QTdOhI+koYY6vHW8/ yxIsPmAycuc9b7ruRXydtjFeRU6/M+j99dbsy5KIUOOpA34yuNQCW3bC8i2qXP+7tCqx EST9NSo7+4O1LlYkl02SzKXbQYa8rCNT+VxLJRaA5NB8Hjo/mLyz97f7aHiHiLwgAoXV xA1Hc4Moi/pKobqDlFi2yBJSqpLgog0uyRSrqeY1KQm85TPbqts1q0E79lXznnCPCEZ2 zZJLqwIU896iQ6B6v3yEAnnOr6L6G+/s0yxLSuyLOzjeFuT6F4Il0SoGhOwcYCLx/4JD ESFQ== X-Forwarded-Encrypted: i=1; AJvYcCWABo5I0WstZ73kNieZu2wkYwwSMfbDrbjCft3FQSIyzQ75jxnkZ1OsmEhJLjhfcH2On7cl+BsebQ==@kvack.org X-Gm-Message-State: AOJu0YyF0fDXDMsYa/a22eW6u6EKyDxXGv/MnwIgOCycWSr1yfdO70aJ 3obqacPrOiI1atYoLe4nOf+k/N+5Wgwdbvk/iJHe80LzVIiYnECami5uDxngyFDXl+2VSQsiig= = X-Google-Smtp-Source: AGHT+IGLbLHWJLTtxQ2+hsAfuFL0SmsYOOUwmglTFnrn34i6deXuovfrm0Yy4rbWq9iAjli8ARhAHInyhw== X-Received: from wmbay26.prod.google.com ([2002:a05:600c:1e1a:b0:440:58dd:3795]) (user=tabba job=prod-delivery.src-stubby-dispatcher) by 2002:a05:600c:8507:b0:440:94a2:95b8 with SMTP id 5b1f17b1804b1-441b265a0b4mr44426365e9.16.1746032217088; Wed, 30 Apr 2025 09:56:57 -0700 (PDT) Date: Wed, 30 Apr 2025 17:56:42 +0100 Mime-Version: 1.0 X-Mailer: git-send-email 2.49.0.967.g6a0df3ecc3-goog Message-ID: <20250430165655.605595-1-tabba@google.com> Subject: [PATCH v8 00/13] KVM: Mapping guest_memfd backed memory at the host for software protected VMs From: Fuad Tabba To: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-mm@kvack.org Cc: pbonzini@redhat.com, chenhuacai@kernel.org, mpe@ellerman.id.au, anup@brainfault.org, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, seanjc@google.com, viro@zeniv.linux.org.uk, brauner@kernel.org, willy@infradead.org, akpm@linux-foundation.org, xiaoyao.li@intel.com, yilun.xu@intel.com, chao.p.peng@linux.intel.com, jarkko@kernel.org, amoorthy@google.com, dmatlack@google.com, isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz, vannapurve@google.com, ackerleytng@google.com, mail@maciej.szmigiero.name, david@redhat.com, michael.roth@amd.com, wei.w.wang@intel.com, liam.merwick@oracle.com, isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com, suzuki.poulose@arm.com, steven.price@arm.com, quic_eberman@quicinc.com, quic_mnalajal@quicinc.com, quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com, quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com, quic_pheragu@quicinc.com, catalin.marinas@arm.com, james.morse@arm.com, yuzenghui@huawei.com, oliver.upton@linux.dev, maz@kernel.org, will@kernel.org, qperret@google.com, keirf@google.com, roypat@amazon.co.uk, shuah@kernel.org, hch@infradead.org, jgg@nvidia.com, rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com, hughd@google.com, jthoughton@google.com, peterx@redhat.com, pankaj.gupta@amd.com, tabba@google.com Content-Type: text/plain; charset="UTF-8" X-Rspam-User: X-Rspamd-Queue-Id: A9F1CA000B X-Rspamd-Server: rspam04 X-Stat-Signature: 8dgxf6dqe76satr77psgk4eirhomo8ou X-HE-Tag: 1746032218-971693 X-HE-Meta: U2FsdGVkX19/dUI7XVnri9dpl28baFUoFcciiiWQxtggNFeAuVMGvAqeL1V6HcKjjb/vuiHS97RXALGsp2cV4FXQhI8NeMF+2kkggkuwq1Y5W0n6ZKqFVaqGSCDSf6DPNaGEaVGC+66OYhSiv8FOXvKna6d1ORCdY3AI2LdsTGYZjEf7G7FjlS/l7qMFKl2GW20Jt1OVkwwI3wwo4SHWEUj3wQ+Ek4S1/OygA1j688T7DeLrLry/heqz8IBepfwNaC0wnkPjK11sspuFIaB5cL85rOO82CZq7xtRJrKg73lOaAqzs2EcBH5Mp9R2/2Ac483pS9QkiZh9qlMjQ4MzAfsXjfa4rq0RrTWT/7F7dbtv6goCmTa0t6aZeqEAVseIkX1LwNgKn9d/jgbl1/w7tlXfZjn+wV+W54M7T4EixuyauT32ovXWKltWg3Mv+xzO1XmunLNNRef7u9yD6RZntSCVEp1+FtVX/I4RqgHHdPQS462GI+5W2vyTOIlu5/iotfoPVPauiYjkpbYISCmiEDi2XdR10nK38/cAd6HmtvdAorXSkyQtdOSLqYEz8GkppjFkYkx3ROFPGRDLLN4YnoSb+j7+1G/hPQRJiM2xpmCXYh04JcrE3MaRKWazdoGjdWskPxOeb9j+q6ppetSF6pULjqWUW0q1Zo4aEF76LnjVoRqGsp2hMGTKY3uZmlOB+wQcuM40YdQCq/oJBHJpqWD3ODYylGmxqFvUqJvHcqJjRFMSet2ZaMHZexRVRzlTqCTxb8wFLE6Q5GB2t/lv319wLFBKpQPZy0mDg9VLxjmj/c4f7QVMPyinDdchPLIB7FbFVQ0UIzeAYj7/hWIBQ4jR4E1f9E5G11wXXOem7mD1hgZSKCbJuKMSVPhOLMkFOFdEezzFIorEwuMpsROw7gtBO9LpeohZDH4hzp8l6turEF4EpS2npS4G0qSlKQp25QF0KwH081JRFOC3+I7 m6NS93L3 5Az+4T5Lt52aZAVoSFlRlvMxL+fDqN5qnUiyif35eEavCfSvYJJcpKUkiH/G4aDpnaDH4PGWi3T3gw5dBbbrYVU4Xj1/Ip/m/imOJVLuwwd6yBuzQLTLJ30QGHVDDsyVdh7gSI0JKpR0PEtmk96C4m7L8M36VbhW6okqM3eguieLyBA6eCql9Vnny3GGVWbyWdIC8u7s+7KWx6kQzDfygvZCUmRM7rAsE5G7dqC7yUIBxmHLuPyWaDWgmwR3zQnYSQqyAM1zDWfTWk9qbXBpw61hbZGdqQXPbCTqANb315nFNhfBe652woA/TnHWBamDdcnr4/VzaAwzgkN7iRQm2+UlZ7eYui6L5RiR2qubdEowiF0Dih7Sf7nTfvopV4hAgEDUtZju2cOy5tL+/J6wJRxKrW2nKUN9bwC2BXhytQxgPjrl0dqWKGpVHVe/n1fT/RDibZhDCKyLz9AOaJRJ26qK9x+weClbGnNWNHEvlezkLSN46bqaBsT+VkcrXBCy8lGK0ceWxDwSwNeLgQFyWzUznN+zQaLgYbDi5deE2/b3z0ZkWgLwxPm7dG6VCJHl5QTkKm/0Xxu54xWKQZuLKewZ3mMwhLWestWC091RdhHa4MC1AmwJgGpgmUR9vBeNlcYVfFC1jopPNkPMZx7Je2IN3NJ/vGTMeAqYtoflelYlPygGS4k2hJHi/TDlyBxaLGi7jMUueAeEV1h+RgYFZ6lf/FdZO7Z9XnGWtVY4xJZjgUc7vwRRmhxfY+6NixmzLnvE4m9K9nda8lxlZ+1Aw3RgmFPWpAeDsii8/lcTUq6WUfSA= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Main changes since v7 [1]: - Renaming/refactoring to decouple guest memory from whether the underlying memory is private vs being backed by guest_memfd - Drop folio_put() callback patches - Fixes based on feedback from the previous series - Rebase on Linux 6.15-rc4 The purpose of this series is to allow mapping guest_memfd backed memory at the host. This support enables VMMs like Firecracker to run VM guests backed completely by guest_memfd [2]. Combined with Patrick's series for direct map removal in guest_memfd [3], this would allow running VMs that offer additional hardening against Spectre-like transient execution attacks. This series will also serve as a base for _restricted_ mmap() support for guest_memfd backed memory at the host for CoCos that allow sharing guest memory in-place with the host [4]. Patches 1 to 7 are mainly about decoupling the concept of guest memory being private vs guest memory being backed by guest_memfd. They are mostly refactoring and renaming. Patch 8 adds support for in-place shared memory, as well as the ability to map it by the host as long as it is shared, gated by a new configuration option, and adviertised to userspace by a new capability. Patches 9 to 12 add arm64 and x86 support for in-place shared memory. Patch 13 expands the guest_memfd selftest to test in-place shared memory when avaialble. To test this patch series on x86 (I use a standard Debian image): Build: - Build the kernel with the following config options enabled: defconfigs: x86_64_defconfig kvm_guest.config Additional config options to enable: KVM_SW_PROTECTED_VM KVM_GMEM_SHARED_MEM - Build the kernel kvm selftest tools/testing/selftests/kvm, you only need guest_memfd_test, e.g.: make EXTRA_CFLAGS="-static -DDEBUG" -C tools/testing/selftests/kvm - Build kvmtool [5] lkvm-static (I build it on a different machine). make lkvm-static Run: Boot your Linux image with the kernel you built above. The selftest you can run as it is: ./guest_memfd_test For kvmtool, where bzImage is the same as the host's: ./lkvm-static run -c 2 -m 512 -p "break=mount" --kernel bzImage --debug --guest_memfd --sw_protected To test this patch series on arm64 (I use a standard Debian image): Build: - Build the kernel with defconfig - Build the kernel kvm selftest tools/testing/selftests/kvm, you only need guest_memfd_test. - Build kvmtool [5] lkvm-static (I cross compile it on a different machine). You are likely to need libfdt as well. For libfdt (in the same directory as kvmtool): git clone git://git.kernel.org/pub/scm/utils/dtc/dtc.git cd dtc export CC=aarch64-linux-gnu-gcc make cd .. Then for kvmtool: make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- LIBFDT_DIR=./dtc/libfdt/ lkvm-static Run: Boot your Linux image with the kernel you built above. The selftest you can run as it is: ./guest_memfd_test For kvmtool, where Image is the same as the host's, and rootfs is your rootfs image (in case kvmtool can't figure it out): ./lkvm-static run -c 2 -m 512 -d rootfs --kernel Image --force-pci --irqchip gicv3 --debug --guest_memfd --sw_protected You can find (potentially slightly outdated) instructions on how to a full arm64 system stack under QEMU here [6]. Cheers, /fuad [1] https://lore.kernel.org/all/20250318161823.4005529-1-tabba@google.com/ [2] https://github.com/firecracker-microvm/firecracker/tree/feature/secret-hiding [3] https://lore.kernel.org/all/20250221160728.1584559-1-roypat@amazon.co.uk/ [4] https://lore.kernel.org/all/20250328153133.3504118-1-tabba@google.com/ [5] https://android-kvm.googlesource.com/kvmtool/+/refs/heads/tabba/guestmem-basic-6.15 [6] https://mirrors.edge.kernel.org/pub/linux/kernel/people/will/docs/qemu/qemu-arm64-howto.html Fuad Tabba (13): KVM: Rename CONFIG_KVM_PRIVATE_MEM to CONFIG_KVM_GMEM KVM: Rename CONFIG_KVM_GENERIC_PRIVATE_MEM to CONFIG_KVM_GENERIC_GMEM_POPULATE KVM: Rename kvm_arch_has_private_mem() to kvm_arch_supports_gmem() KVM: x86: Rename kvm->arch.has_private_mem to kvm->arch.supports_gmem KVM: Rename kvm_slot_can_be_private() to kvm_slot_has_gmem() KVM: x86: Generalize private fault lookups to guest_memfd fault lookups KVM: Fix comments that refer to slots_lock KVM: guest_memfd: Allow host to map guest_memfd() pages KVM: arm64: Refactor user_mem_abort() calculation of force_pte KVM: arm64: Handle guest_memfd()-backed guest page faults KVM: arm64: Enable mapping guest_memfd in arm64 KVM: x86: KVM_X86_SW_PROTECTED_VM to support guest_memfd shared memory KVM: guest_memfd: selftests: guest_memfd mmap() test when mapping is allowed arch/arm64/include/asm/kvm_host.h | 12 +++ arch/arm64/kvm/Kconfig | 1 + arch/arm64/kvm/mmu.c | 76 +++++++++------ arch/x86/include/asm/kvm_host.h | 17 ++-- arch/x86/kvm/Kconfig | 4 +- arch/x86/kvm/mmu/mmu.c | 31 +++--- arch/x86/kvm/svm/sev.c | 4 +- arch/x86/kvm/svm/svm.c | 4 +- arch/x86/kvm/x86.c | 3 +- include/linux/kvm_host.h | 44 +++++++-- include/uapi/linux/kvm.h | 1 + tools/testing/selftests/kvm/Makefile.kvm | 1 + .../testing/selftests/kvm/guest_memfd_test.c | 75 +++++++++++++-- virt/kvm/Kconfig | 15 ++- virt/kvm/Makefile.kvm | 2 +- virt/kvm/guest_memfd.c | 96 ++++++++++++++++++- virt/kvm/kvm_main.c | 21 ++-- virt/kvm/kvm_mm.h | 4 +- 18 files changed, 316 insertions(+), 95 deletions(-) base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e -- 2.49.0.901.g37484f566f-goog