From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E737C3DA42 for ; Wed, 10 Jul 2024 21:53:31 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 03D176B009E; Wed, 10 Jul 2024 17:53:31 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id F2DD86B00A0; Wed, 10 Jul 2024 17:53:30 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id DF5306B00A1; Wed, 10 Jul 2024 17:53:30 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id C343F6B009E for ; Wed, 10 Jul 2024 17:53:30 -0400 (EDT) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 55382140294 for ; Wed, 10 Jul 2024 21:53:30 +0000 (UTC) X-FDA: 82325194980.20.BB1FE66 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) by imf15.hostedemail.com (Postfix) with ESMTP id 92F7DA0023 for ; Wed, 10 Jul 2024 21:53:28 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=aE+TwbPM; spf=pass (imf15.hostedemail.com: domain of 31wKPZgYKCFQE0w95y2AA270.yA8749GJ-886Hwy6.AD2@flex--seanjc.bounces.google.com designates 209.85.215.202 as permitted sender) smtp.mailfrom=31wKPZgYKCFQE0w95y2AA270.yA8749GJ-886Hwy6.AD2@flex--seanjc.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1720648383; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=InpQCCUUg6h/c2Mju1pPG/Gh6Z0/TXgBiLbO46ZNx3Y=; b=pS/s9YeQ7And6lzm270beHneY6ykyMRO2TMLWhcKKdS2VLXhmEahXz+kop2+Ik/nlJkS6K ie/m7TRuLmKTxsB6iS0gc/qkg8zq1Tl9HSF/XedH1EB11WF/M6T67G+F5eoRcqfPEWHr0P YtFAwQmZXww/nsU/5jwWCsN4rWIKPWE= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=aE+TwbPM; spf=pass (imf15.hostedemail.com: domain of 31wKPZgYKCFQE0w95y2AA270.yA8749GJ-886Hwy6.AD2@flex--seanjc.bounces.google.com designates 209.85.215.202 as permitted sender) smtp.mailfrom=31wKPZgYKCFQE0w95y2AA270.yA8749GJ-886Hwy6.AD2@flex--seanjc.bounces.google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1720648383; a=rsa-sha256; cv=none; b=fX7mkHpEN0ekateZlFFLlsPeQjIEvKrL0i8WSpMfZ3OKuoJCUjHf1ohw0lgSVeWJK6Bi5f V0+/iI5mRAuUFfDgRI2Sj/FaWQbPGPwIaU0jUJ7HUexzj2Z18bAIzPsiyFAr+F53nO33Y3 5rsx8vnItVKbYP69cC1gmRHNOg/c2lQ= Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-5e4df21f22dso183397a12.0 for ; Wed, 10 Jul 2024 14:53:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1720648407; x=1721253207; darn=kvack.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=InpQCCUUg6h/c2Mju1pPG/Gh6Z0/TXgBiLbO46ZNx3Y=; b=aE+TwbPMcKqs32w30urVNO3Oh95gVO6hPl+w5xV2baEomSQdYTDoSbjiVqHnMbjR/U EMOV1cmIfYpmprcmhmOGs+DOKAPrvJkPdq6a+sAJJ5WWjkFh9JqIIH9lEU19JGnJaDvt BhQzOYx5wv3ShZ7wD+AB2u7WiUCIey6pMRQE20F4AkogEU/lCf4ioagI2PQzK2ex9t2+ sEN2s1BDtA4f5ZgFKykdDzj+AXvv6u/lpS4LOQREBibfVD09gk+uEKlaltGc1PmgTsBC Uf+HeNdUtlXPbmEChevMDIVd4ly65WNTX1p+WPnBn/tiCVO/C4aT5KCO+2ZCM+5hEKln ICGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720648407; x=1721253207; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=InpQCCUUg6h/c2Mju1pPG/Gh6Z0/TXgBiLbO46ZNx3Y=; b=rmGZY/iK/3nFCArbYhQuD7DiFtD9/H3h3LZFVYcGSgkXBn1LdgnaXidTKtws1D4AEH TedzaKRYU4mbNGQFGG8X9gcTaHI4MbEu8NQ2ZLejTtgHNM9Joeyz0UCnZNSqc3HNrT64 MkVuZn4ZR/sYmrxunBmZv4ZzFztXD16F48zIXjxQU+APWDgAa8NJt1PHZZfPQXjmanNU Nlm5RcYNmI3u+L4RWSCmBfnT90yXJH7G98hfFk9it9R66W16rQMB/kvTDpY4HMb18zJw H8LViICFmFHaeW/kH4hq+Swr10jNsMjLI7Qrzd4VIT5mcAUdQwoBBGtHsVJezgTcAFil EvHw== X-Forwarded-Encrypted: i=1; AJvYcCVKC7JFNDNCPY+fd5EFOAJNf3YHJzkjX+F6xjet+bJ6Tl5/7YkPNTuPrsSdpt2f3R+RstKxGj8YUQYjl/MTzHoJFHs= X-Gm-Message-State: AOJu0YzpLcgQkd8ACb3GvI9QL4u++ZwzpYf6VLYJKUemLSwqr6kiVZ0I HUscbUSkgiQacqJUWD/heEJuNKe2pzlglj1UOrLzerMFLlzASj9vMjz0/Ubk5SdoD/5k0+QPSuq jrg== X-Google-Smtp-Source: AGHT+IEwT2V+os5fEtYUvDtdlJeCju0gv45EdxSCP2qzxKCXe+3yA10Yig7Ufm297VojhP8eft5okw/sizI= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a63:3759:0:b0:718:84ed:abe7 with SMTP id 41be03b00d2f7-78734697abcmr2123a12.4.1720648407063; Wed, 10 Jul 2024 14:53:27 -0700 (PDT) Date: Wed, 10 Jul 2024 14:53:25 -0700 In-Reply-To: Mime-Version: 1.0 References: <20240709132041.3625501-1-roypat@amazon.co.uk> <20240709132041.3625501-9-roypat@amazon.co.uk> <47ce1b10-e031-4ac1-b88f-9d4194533745@redhat.com> Message-ID: Subject: Re: [RFC PATCH 8/8] kvm: gmem: Allow restricted userspace mappings From: Sean Christopherson To: David Hildenbrand Cc: Patrick Roy , Fuad Tabba , pbonzini@redhat.com, akpm@linux-foundation.org, dwmw@amazon.co.uk, rppt@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, willy@infradead.org, graf@amazon.com, derekmn@amazon.com, kalyazin@amazon.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, dmatlack@google.com, chao.p.peng@linux.intel.com, xmarcalx@amazon.co.uk, James Gowans Content-Type: text/plain; charset="us-ascii" X-Stat-Signature: rgrp8re6zwpuxhu6fzqdop9o89ec3g4n X-Rspam-User: X-Rspamd-Queue-Id: 92F7DA0023 X-Rspamd-Server: rspam02 X-HE-Tag: 1720648408-260999 X-HE-Meta: U2FsdGVkX18oo8GyH6T1viyaSO7dlelNbAAwQC9lNn1wKNGyjL0Wc2XccnqUVc//eDOIngBAE4+QAkOjjvduFj2iLupsJzRm3cKQhDK/DfjiKoL0B5oAtD/BBYHE7zFgA8Al1DhamvIe4Cbj9oRWKBIENlEbXhdcsiglSCglJSNxmsM2NaYRIWnQp2Shr8FpLTjDGLZYNHz03DI4wW36N5pMOo9QVJgFDra7cKo1Nn6wwCxA7qxOe6fh/KSCq17UG4uIyGqHt9O9Wl9ekvwU8JfwM0THcRIlZvMmj0qwIa7oO7WP2j5nPRnVBaWZVvj3yr/agQwO8xTzMygUz+K7+0NyUPAYs4lutZ/HMl1crdEfcYBvMSfnk2OmS2xE9ziLZJVwFzIjmkCqTv7+3DJnYXoQJCZGIJ6haUiybySms1sdL1UGfBl3tPVF6UYPq08dh0vuCnWkXXmP2+yBfCnTys1h7m5QSuVpGcgSC6nda1DkEQUcr0K4KOlAEhxSI5MJnRYrtSpalWUYQLE12sAT0nf8lDXmCKWN7cw5PPY8QRxlvCV0EBmO0MFx4Uft+kSSvU/3qBcexX9ymymNWh4ehMEdlafWNN7xAhUS6LMSkgeNZOS+2kxPYeaoLwlAHDelhMBKcDSXS/D0VGSEkeN8mNkatVzMIr/1MKqpKAAKrASXmi9YJ//FKKePXX3Kd8IYayXcUWzBiHgxF1aepQD/BTnxLGcxyq73j4LpNc+zCYDsCWdt+92Sjt94xfXGdiwAWyt+MYSDlrLd58aATR1s7ob/VVfQwiKZqoRkuF9eIxZ94swdX4zs/N+JATF0qBEtalTDRUVuWQJIeoYSB2wcX8VvenaVj8ge92rV6+C2gaETcRJZGPlsUb5cS7WU+TY1CB8dQcvbE1lxRLPVHbe/babBB4e4dMUKDHMEhLvmjG18kS9xKKSj0mKJROqHwD6hMLUIYYtgztt3vTHE7ko /9cecord RTtCRdSTsL8JHIFlUTqRDDKPBpJV2OnEpdVqQgizlUib8sekffQVlcM+KXC1DA2KfT74YmULUKQ8yFaSF1BlHRm8VGHnQ2N9mk3BycVmPEY0n6ShRz56JLLnq4OMxR+tb2xhu6L5+ZoDPPOvj5FALEa7coM0YuAqnFLRgSVdbXrGrXJ/nllxS4fH/c1BSwASs8zbmbaQpfSl/N3dB27ywW1M+kc8CaD/AOS5SPjXguzfsf5/CASEvHG4J3G+52U7NhSHaAvPXFENjO1iLkkZhzw7kvgk6SYn/fp1xDpP3bW667pc4CgJUpWxhm9RG95oI3mr6Hax743FGCRfkaiwcFxFS/7tvioLS39sAdEznUyLkvpJSZdqav/dwIvHeSLdk/7EgTi8dWeI1D55FZopGRXgHAfJeTO5bVFq9JiOtKR2Vg9kzq3yhmSyrZOd/fpTbyeAHLBxJo3GrGhGJy3hbbntlTu7Ync6kqMrIab63Z0x1ODPnnFNM2Y7KWgiqv//o6wtLOCce7ft/vIX8+hA4t9lrYQebR4ZWbRKP2H7hbocCf/NfNWazFahemgNsHoNQXQF2 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000070, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Wed, Jul 10, 2024, David Hildenbrand wrote: > On 10.07.24 11:51, Patrick Roy wrote: > > On 7/9/24 22:13, David Hildenbrand wrote: > > > Note that just from staring at this commit, I don't understand the > > > motivation *why* we would want to do that. > > > > Fair - I admittedly didn't get into that as much as I probably should > > have. In our usecase, we do not have anything that pKVM would (I think) > > call "guest-private" memory. I think our memory can be better described > > as guest-owned, but always shared with the VMM (e.g. userspace), but > > ideally never shared with the host kernel. This model lets us do a lot > > of simplifying assumptions: Things like I/O can be handled in userspace > > without the guest explicitly sharing I/O buffers (which is not exactly > > what we would want long-term anyway, as sharing in the guest_memfd > > context means sharing with the host kernel), we can easily do VM > > snapshotting without needing things like TDX's TDH.EXPORT.MEM APIs, etc. > > Okay, so essentially you would want to use guest_memfd to only contain shard > memory and disallow any pinning like for secretmem. > > If so, I wonder if it wouldn't be better to simply add KVM support to > consume *real* secretmem memory? IIRC so far there was only demand to > probably remove the directmap of private memory in guest_memfd, not of > shared memory. It's also desirable to remove shared memory from the directmap, e.g. to prevent using the directmap in a cross-VM attack. I don't think we want to allow KVM to consume secretmem. That would require letting KVM gup() secretmem, which AIUI defeats the entire purpose of secretmem, and I don't think KVM should be special.