From: Jue Wang <juew@google.com>
To: Dave Hansen <dave.hansen@intel.com>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>,
Tony Luck <tony.luck@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Jiaqi Yan <jiaqiyan@google.com>,
Greg Thelen <gthelen@google.com>,
Mina Almasry <almasrymina@google.com>,
linux-mm@kvack.org, Sean Christopherson <seanjc@google.com>
Subject: Re: [RFC] Expose a memory poison detector ioctl to user space.
Date: Tue, 26 Apr 2022 12:50:56 -0700 [thread overview]
Message-ID: <CAPcxDJ4qOavxHLQjKGvH44KV_9em4WoKZ8TPmTmF1EXoh7VNMg@mail.gmail.com> (raw)
In-Reply-To: <fccd0784-4c58-453f-1f34-9d4038431531@intel.com>
On Tue, Apr 26, 2022 at 12:36 PM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 4/26/22 12:23, Jue Wang wrote:
> > On Tue, Apr 26, 2022 at 11:18 AM Dave Hansen <dave.hansen@intel.com> wrote:
> >> What if you're in a normal (non-TDX) guest and some of the physical
> >> address space has been ballooned away?
> >
> > Accessing to memory that gets ballooned away will cause extra EPT
> > violations and have the memory faulted in on the host side, which is
> > transparent to the guest.
>
> Yeah, but it completely subverts the whole purpose of ballooning. In
> other words, this is for all intents and purposes also mutually
> exclusive with ballooning.
True. We haven't thought too much about the TDX/SEV-SNP use cases.
For "normal" guests, the operating model is that it's sufficient for
the scanning to happen just on the host side with the ability to
inform / inject without interrupting execution the detected errors in
"real" time via UCNA injection being added to KVM.
>
> >> What does the kernel do when userspace asks it to poke a non-"System
> >> RAM" address?
> >
> > I expect the kernel should reject the request with -EINVAL.
>
> Right. Only the kernel has the knowledge of what can actually _be_
> scanned. So, why even bother exposing physical addresses to userspace?
> Why is exposing the actual physical address any better than exposing a
> cookie?
Then the API needs some re-design, naively I can see it works this way:
init_as_start_page(&cookie);
while(cookie != END_SCAN) {
ret = ioctl(, SCAN_SIZE, numa_id, &cookie /*input_output*/ );
/* Handle errors, poison detected etc. */
... ...
}
>
> > Just curious, what could be recommendations from Intel's perspective
> > to make proactively poison detection work on TDX / SEV-SNP?
>
> I shouldn't speak for Intel as a whole, but I'll give you my personal
> perspective.
>
> Right now, hosts can't scan TDX private memory, period. If you wanted
> to do scanning, the guest has to do it or you have to kill the guest and
> make the memory non-private.
>
> Going forward, guest memory scanning could be accomplished by allowing
> the VMM to migrate guest pages. Let's say you want to scan page "A",
> you could move A->B and B->A. That would certainly touch the page.
> This would need to be implemented in the TDX module.
>
> Or, the TDX module could have a special call to just touch the page.
>
> It would probably also need more work in the TDX module to be able to
> handle machine checks. I don't think the handling in there is very
> robust today.
>
> It could also be implemented with some new VMM-side ISA which promises
> to touch the physical memory, but doesn't return any data, ignores the
> "TD bit" and doesn't do any integrity checking.
Thanks for the suggestions, Dave.
We will follow up offline with Google colleagues and look to bring
this up to some RAS discussion venue with Intel.
next prev parent reply other threads:[~2022-04-26 19:51 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-25 16:34 Jue Wang
2022-04-26 15:40 ` Dave Hansen
2022-04-26 17:57 ` Jue Wang
2022-04-26 18:02 ` Jue Wang
2022-04-26 18:21 ` Dave Hansen
2022-04-26 19:25 ` Jue Wang
2022-04-26 19:52 ` Luck, Tony
2022-04-26 20:06 ` Jue Wang
2022-04-26 18:20 ` Dave Hansen
2022-04-26 19:23 ` Jue Wang
2022-04-26 19:39 ` Dave Hansen
2022-04-26 19:50 ` Jue Wang [this message]
2022-04-28 16:15 ` Erdem Aktas
2022-04-28 16:34 ` Dave Hansen
2022-04-29 19:46 ` Jue Wang
2022-04-29 21:10 ` Dave Hansen
2022-04-29 21:32 ` Jue Wang
2022-04-29 21:44 ` Jue Wang
2022-04-29 22:29 ` Dave Hansen
2022-04-29 22:53 ` Jue Wang
2022-05-02 15:30 ` Dave Hansen
2022-05-02 17:19 ` David Hildenbrand
2022-05-02 17:30 ` Jue Wang
2022-05-02 17:33 ` David Hildenbrand
2022-05-02 17:36 ` Jue Wang
2022-05-02 17:38 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPcxDJ4qOavxHLQjKGvH44KV_9em4WoKZ8TPmTmF1EXoh7VNMg@mail.gmail.com \
--to=juew@google.com \
--cc=almasrymina@google.com \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=gthelen@google.com \
--cc=jiaqiyan@google.com \
--cc=linux-mm@kvack.org \
--cc=naoya.horiguchi@nec.com \
--cc=seanjc@google.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox