From: Fuad Tabba <tabba@google.com>
To: David Hildenbrand <david@redhat.com>
Cc: kvm@vger.kernel.org, linux-arm-msm@vger.kernel.org,
linux-mm@kvack.org, pbonzini@redhat.com, chenhuacai@kernel.org,
mpe@ellerman.id.au, anup@brainfault.org,
paul.walmsley@sifive.com, palmer@dabbelt.com,
aou@eecs.berkeley.edu, seanjc@google.com,
viro@zeniv.linux.org.uk, brauner@kernel.org,
willy@infradead.org, akpm@linux-foundation.org,
xiaoyao.li@intel.com, yilun.xu@intel.com,
chao.p.peng@linux.intel.com, jarkko@kernel.org,
amoorthy@google.com, dmatlack@google.com,
isaku.yamahata@intel.com, mic@digikod.net, vbabka@suse.cz,
vannapurve@google.com, ackerleytng@google.com,
mail@maciej.szmigiero.name, michael.roth@amd.com,
wei.w.wang@intel.com, liam.merwick@oracle.com,
isaku.yamahata@gmail.com, kirill.shutemov@linux.intel.com,
suzuki.poulose@arm.com, steven.price@arm.com,
quic_eberman@quicinc.com, quic_mnalajal@quicinc.com,
quic_tsoni@quicinc.com, quic_svaddagi@quicinc.com,
quic_cvanscha@quicinc.com, quic_pderrin@quicinc.com,
quic_pheragu@quicinc.com, catalin.marinas@arm.com,
james.morse@arm.com, yuzenghui@huawei.com,
oliver.upton@linux.dev, maz@kernel.org, will@kernel.org,
qperret@google.com, keirf@google.com, roypat@amazon.co.uk,
shuah@kernel.org, hch@infradead.org, jgg@nvidia.com,
rientjes@google.com, jhubbard@nvidia.com, fvdl@google.com,
hughd@google.com, jthoughton@google.com, peterx@redhat.com,
pankaj.gupta@amd.com, ira.weiny@intel.com
Subject: Re: [PATCH v9 14/17] KVM: arm64: Enable mapping guest_memfd in arm64
Date: Wed, 21 May 2025 14:15:38 +0100 [thread overview]
Message-ID: <CA+EHjTzaE_vGPsB20eJ99fG4_gck9Gb7iaVQ3ie5YUnNe5wHgw@mail.gmail.com> (raw)
In-Reply-To: <f6005b96-d408-450c-ad80-6241e35c6d26@redhat.com>
Hi David,
On Wed, 21 May 2025 at 13:44, David Hildenbrand <david@redhat.com> wrote:
>
> On 21.05.25 12:29, Fuad Tabba wrote:
> > On Wed, 21 May 2025 at 11:26, David Hildenbrand <david@redhat.com> wrote:
> >>
> >> On 21.05.25 12:12, Fuad Tabba wrote:
> >>> Hi David,
> >>>
> >>> On Wed, 21 May 2025 at 09:05, David Hildenbrand <david@redhat.com> wrote:
> >>>>
> >>>> On 13.05.25 18:34, Fuad Tabba wrote:
> >>>>> Enable mapping guest_memfd in arm64. For now, it applies to all
> >>>>> VMs in arm64 that use guest_memfd. In the future, new VM types
> >>>>> can restrict this via kvm_arch_gmem_supports_shared_mem().
> >>>>>
> >>>>> Signed-off-by: Fuad Tabba <tabba@google.com>
> >>>>> ---
> >>>>> arch/arm64/include/asm/kvm_host.h | 10 ++++++++++
> >>>>> arch/arm64/kvm/Kconfig | 1 +
> >>>>> 2 files changed, 11 insertions(+)
> >>>>>
> >>>>> diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h
> >>>>> index 08ba91e6fb03..2514779f5131 100644
> >>>>> --- a/arch/arm64/include/asm/kvm_host.h
> >>>>> +++ b/arch/arm64/include/asm/kvm_host.h
> >>>>> @@ -1593,4 +1593,14 @@ static inline bool kvm_arch_has_irq_bypass(void)
> >>>>> return true;
> >>>>> }
> >>>>>
> >>>>> +static inline bool kvm_arch_supports_gmem(struct kvm *kvm)
> >>>>> +{
> >>>>> + return IS_ENABLED(CONFIG_KVM_GMEM);
> >>>>> +}
> >>>>> +
> >>>>> +static inline bool kvm_arch_vm_supports_gmem_shared_mem(struct kvm *kvm)
> >>>>> +{
> >>>>> + return IS_ENABLED(CONFIG_KVM_GMEM_SHARED_MEM);
> >>>>> +}
> >>>>> +
> >>>>> #endif /* __ARM64_KVM_HOST_H__ */
> >>>>> diff --git a/arch/arm64/kvm/Kconfig b/arch/arm64/kvm/Kconfig
> >>>>> index 096e45acadb2..8c1e1964b46a 100644
> >>>>> --- a/arch/arm64/kvm/Kconfig
> >>>>> +++ b/arch/arm64/kvm/Kconfig
> >>>>> @@ -38,6 +38,7 @@ menuconfig KVM
> >>>>> select HAVE_KVM_VCPU_RUN_PID_CHANGE
> >>>>> select SCHED_INFO
> >>>>> select GUEST_PERF_EVENTS if PERF_EVENTS
> >>>>> + select KVM_GMEM_SHARED_MEM
> >>>>> help
> >>>>> Support hosting virtualized guest machines.
> >>>>>
> >>>>
> >>>> Do we have to reject somewhere if we are given a guest_memfd that was
> >>>> *not* created using the SHARED flag? Or will existing checks already
> >>>> reject that?
> >>>
> >>> We don't reject, but I don't think we need to. A user can create a
> >>> guest_memfd that's private in arm64, it would just be useless.
> >>
> >> But the arm64 fault routine would not be able to handle that properly, no?
> >
> > Actually it would. The function user_mem_abort() doesn't care whether
> > it's private or shared. It would fault it into the guest correctly
> > regardless.
>
>
> I think what I meant is that: if it's !shared (private only), shared
> accesses (IOW all access without CoCo) should be taken from the user
> space mapping.
>
> But user_mem_abort() would blindly go to kvm_gmem_get_pfn() because
> "is_gmem = kvm_slot_has_gmem(memslot) = true".
Yes, since it is a gmem-backed slot.
> In other words, arm64 would have to *ignore* guest_memfd that does not
> support shared?
>
> That's why I was wondering whether we should just immediately refuse
> such guest_memfds.
My thinking is that if a user deliberately creates a
guest_memfd-backed slot without designating it as being sharable, then
either they would find out when they try to map that memory to the
host userspace (mapping it would fail), or it could be that they
deliberately want to set up a VM with memslots that not mappable at
all by the host. Perhaps to add some layer of security (although a
very flimsy one, since it's not a confidential guest).
I'm happy to a check to prevent this. The question is, how to do it
exactly (I assume it would be in kvm_gmem_create())? Would it be
arch-specific, i.e., prevent arm64 from creating non-shared
guest_memfd backed memslots? Or do it by VM type? Even if we do it by
VM-type it would need to be arch-specific, since we allow private
guest_memfd slots for the default VM in x86, but we wouldn't for
arm64.
We could add another function, along the lines of
kvm_arch_supports_gmem_only_shared_mem(), but considering that it
actually works, and (arguably) would behave as intended, I'm not sure
if it's worth the complexity.
What do you think?
Cheers,
/fuad
>
> --
> Cheers,
>
> David / dhildenb
>
next prev parent reply other threads:[~2025-05-21 13:16 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 16:34 [PATCH v9 00/17] KVM: Mapping guest_memfd backed memory at the host for software protected VMs Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 01/17] KVM: Rename CONFIG_KVM_PRIVATE_MEM to CONFIG_KVM_GMEM Fuad Tabba
2025-05-21 7:14 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 02/17] KVM: Rename CONFIG_KVM_GENERIC_PRIVATE_MEM to CONFIG_KVM_GENERIC_GMEM_POPULATE Fuad Tabba
2025-05-13 21:56 ` Ira Weiny
2025-05-21 7:14 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 03/17] KVM: Rename kvm_arch_has_private_mem() to kvm_arch_supports_gmem() Fuad Tabba
2025-05-21 7:15 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 04/17] KVM: x86: Rename kvm->arch.has_private_mem to kvm->arch.supports_gmem Fuad Tabba
2025-05-21 7:15 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 05/17] KVM: Rename kvm_slot_can_be_private() to kvm_slot_has_gmem() Fuad Tabba
2025-05-21 7:16 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 06/17] KVM: Fix comments that refer to slots_lock Fuad Tabba
2025-05-21 7:16 ` Gavin Shan
2025-05-13 16:34 ` [PATCH v9 07/17] KVM: guest_memfd: Allow host to map guest_memfd() pages Fuad Tabba
2025-05-13 18:37 ` Ackerley Tng
2025-05-16 19:21 ` James Houghton
2025-05-18 15:17 ` Fuad Tabba
2025-05-21 7:36 ` David Hildenbrand
2025-05-14 8:03 ` Shivank Garg
2025-05-14 9:45 ` Fuad Tabba
2025-05-14 10:07 ` Roy, Patrick
2025-05-14 11:30 ` Fuad Tabba
2025-05-14 20:40 ` James Houghton
2025-05-15 7:25 ` Fuad Tabba
2025-05-15 23:42 ` Gavin Shan
2025-05-16 7:31 ` Fuad Tabba
2025-05-16 6:08 ` Gavin Shan
2025-05-16 7:56 ` Fuad Tabba
2025-05-16 11:12 ` Gavin Shan
2025-05-16 14:20 ` Fuad Tabba
2025-05-21 7:41 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 08/17] KVM: guest_memfd: Check that userspace_addr and fd+offset refer to same range Fuad Tabba
2025-05-13 20:30 ` James Houghton
2025-05-14 7:33 ` Fuad Tabba
2025-05-14 13:32 ` Sean Christopherson
2025-05-14 13:47 ` Ackerley Tng
2025-05-14 13:52 ` Sean Christopherson
2025-05-14 17:39 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 09/17] KVM: x86/mmu: Handle guest page faults for guest_memfd with shared memory Fuad Tabba
2025-05-21 7:48 ` David Hildenbrand
2025-05-22 0:40 ` Ackerley Tng
2025-05-22 7:16 ` David Hildenbrand
2025-05-22 7:46 ` Fuad Tabba
2025-05-22 8:14 ` David Hildenbrand
2025-05-22 10:24 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 10/17] KVM: x86: Compute max_mapping_level with input from guest_memfd Fuad Tabba
2025-05-14 7:13 ` Shivank Garg
2025-05-14 7:24 ` Fuad Tabba
2025-05-14 15:27 ` kernel test robot
2025-05-21 8:01 ` David Hildenbrand
2025-05-22 0:45 ` Ackerley Tng
2025-05-22 13:22 ` Sean Christopherson
2025-05-22 13:49 ` David Hildenbrand
2025-05-22 7:22 ` Fuad Tabba
2025-05-22 8:56 ` David Hildenbrand
2025-05-22 9:34 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 11/17] KVM: arm64: Refactor user_mem_abort() calculation of force_pte Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 12/17] KVM: arm64: Rename variables in user_mem_abort() Fuad Tabba
2025-05-21 2:25 ` Gavin Shan
2025-05-21 9:57 ` Fuad Tabba
2025-05-21 8:02 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 13/17] KVM: arm64: Handle guest_memfd()-backed guest page faults Fuad Tabba
2025-05-14 21:26 ` James Houghton
2025-05-15 9:27 ` Fuad Tabba
2025-05-21 8:04 ` David Hildenbrand
2025-05-21 11:10 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 14/17] KVM: arm64: Enable mapping guest_memfd in arm64 Fuad Tabba
2025-05-15 23:50 ` James Houghton
2025-05-16 7:07 ` Fuad Tabba
2025-05-21 8:05 ` David Hildenbrand
2025-05-21 10:12 ` Fuad Tabba
2025-05-21 10:26 ` David Hildenbrand
2025-05-21 10:29 ` Fuad Tabba
2025-05-21 12:44 ` David Hildenbrand
2025-05-21 13:15 ` Fuad Tabba [this message]
2025-05-21 13:21 ` David Hildenbrand
2025-05-21 13:32 ` Fuad Tabba
2025-05-21 13:45 ` David Hildenbrand
2025-05-21 14:14 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 15/17] KVM: Introduce the KVM capability KVM_CAP_GMEM_SHARED_MEM Fuad Tabba
2025-05-21 2:46 ` Gavin Shan
2025-05-21 8:24 ` Fuad Tabba
2025-05-21 8:06 ` David Hildenbrand
2025-05-13 16:34 ` [PATCH v9 16/17] KVM: selftests: guest_memfd mmap() test when mapping is allowed Fuad Tabba
2025-05-21 6:53 ` Gavin Shan
2025-05-21 9:38 ` Fuad Tabba
2025-05-13 16:34 ` [PATCH v9 17/17] KVM: selftests: Test guest_memfd same-range validation Fuad Tabba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+EHjTzaE_vGPsB20eJ99fG4_gck9Gb7iaVQ3ie5YUnNe5wHgw@mail.gmail.com \
--to=tabba@google.com \
--cc=ackerleytng@google.com \
--cc=akpm@linux-foundation.org \
--cc=amoorthy@google.com \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=brauner@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chao.p.peng@linux.intel.com \
--cc=chenhuacai@kernel.org \
--cc=david@redhat.com \
--cc=dmatlack@google.com \
--cc=fvdl@google.com \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=ira.weiny@intel.com \
--cc=isaku.yamahata@gmail.com \
--cc=isaku.yamahata@intel.com \
--cc=james.morse@arm.com \
--cc=jarkko@kernel.org \
--cc=jgg@nvidia.com \
--cc=jhubbard@nvidia.com \
--cc=jthoughton@google.com \
--cc=keirf@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=liam.merwick@oracle.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mail@maciej.szmigiero.name \
--cc=maz@kernel.org \
--cc=mic@digikod.net \
--cc=michael.roth@amd.com \
--cc=mpe@ellerman.id.au \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=pankaj.gupta@amd.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=qperret@google.com \
--cc=quic_cvanscha@quicinc.com \
--cc=quic_eberman@quicinc.com \
--cc=quic_mnalajal@quicinc.com \
--cc=quic_pderrin@quicinc.com \
--cc=quic_pheragu@quicinc.com \
--cc=quic_svaddagi@quicinc.com \
--cc=quic_tsoni@quicinc.com \
--cc=rientjes@google.com \
--cc=roypat@amazon.co.uk \
--cc=seanjc@google.com \
--cc=shuah@kernel.org \
--cc=steven.price@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=vannapurve@google.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
--cc=wei.w.wang@intel.com \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=xiaoyao.li@intel.com \
--cc=yilun.xu@intel.com \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox