From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3111CC433F5
	for <linux-mm@archiver.kernel.org>; Mon,  9 May 2022 18:47:49 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id B0BC76B0072; Mon,  9 May 2022 14:47:48 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id A946E6B007B; Mon,  9 May 2022 14:47:48 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 8E7C16B007D; Mon,  9 May 2022 14:47:48 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 785186B0072
	for <linux-mm@kvack.org>; Mon,  9 May 2022 14:47:48 -0400 (EDT)
Received: from smtpin02.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id 2377231363
	for <linux-mm@kvack.org>; Mon,  9 May 2022 18:47:48 +0000 (UTC)
X-FDA: 79447088616.02.EA05D7D
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126])
	by imf06.hostedemail.com (Postfix) with ESMTP id 061EB18007E
	for <linux-mm@kvack.org>; Mon,  9 May 2022 18:47:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1652122066; x=1683658066;
  h=message-id:date:mime-version:subject:to:cc:references:
   from:in-reply-to:content-transfer-encoding;
  bh=DgxFrV+YaA+Y0+KuhtxWQXk6HsnmyPhzD2ZlERyiq44=;
  b=TjFnzyw9CxhQy2x8ybnQSA4wqZwkvRF1ZdoUWp2EbDtPu7TN+q7mlCOD
   6FvIBNzoCFiSMzSN7p9rM7cAk21d0ECRAnKUGm5N8FhWGTV3Y4OP/Cmkd
   aXeUwdYge0Isqxx8Na3vp05stvQCN6KT3EUCBM0DzGC2SpXLWl3lIXgnO
   d51q8tBDmPOVfRa7OrF1W0qnYZrKuohvLoeb/qk/DTJx07n5bhbLr6aaI
   H7Ycg1zIKk+JQBOOS+BHpcxOUoHUiVGqjAgWrYSlgFurcqk3xXqEqocxH
   roWupfQeILdLra0XNioIf0BRJUoQ5tq95nD2WPWt2dTliCNtVqvdvPb2O
   g==;
X-IronPort-AV: E=McAfee;i="6400,9594,10342"; a="251188292"
X-IronPort-AV: E=Sophos;i="5.91,212,1647327600"; 
   d="scan'208";a="251188292"
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
  by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 May 2022 11:47:42 -0700
X-IronPort-AV: E=Sophos;i="5.91,212,1647327600"; 
   d="scan'208";a="634140944"
Received: from dmansurr-mobl.amr.corp.intel.com (HELO [10.212.251.158]) ([10.212.251.158])
  by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 May 2022 11:47:41 -0700
Message-ID: <ec93952f-d09a-2dda-bfa9-5d667a257fdc@intel.com>
Date: Mon, 9 May 2022 11:47:43 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.8.1
Subject: Re: [PATCH v8 0/8] x86: Show in sysfs if a memory node is able to do
 encryption
Content-Language: en-US
To: Boris Petkov <bp@alien8.de>, Dan Williams <dan.j.williams@intel.com>
Cc: Martin Fernandez <martin.fernandez@eclypsium.com>,
 Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
 linux-efi <linux-efi@vger.kernel.org>, platform-driver-x86@vger.kernel.org,
 Linux MM <linux-mm@kvack.org>, "H. Peter Anvin" <hpa@zytor.com>,
 daniel.gutson@eclypsium.com, Darren Hart <dvhart@infradead.org>,
 Andy Shevchenko <andy@infradead.org>, Kees Cook <keescook@chromium.org>,
 Andrew Morton <akpm@linux-foundation.org>, Ard Biesheuvel <ardb@kernel.org>,
 Ingo Molnar <mingo@redhat.com>, Thomas Gleixner <tglx@linutronix.de>,
 Dave Hansen <dave.hansen@linux.intel.com>,
 "Rafael J. Wysocki" <rafael@kernel.org>, X86 ML <x86@kernel.org>,
 "Schofield, Alison" <alison.schofield@intel.com>, hughsient@gmail.com,
 alex.bazhaniuk@eclypsium.com, Greg KH <gregkh@linuxfoundation.org>,
 Mike Rapoport <rppt@kernel.org>, Ben Widawsky <ben.widawsky@intel.com>,
 "Huang, Kai" <kai.huang@intel.com>, Sean Christopherson <seanjc@google.com>,
 "Shutemov, Kirill" <kirill.shutemov@intel.com>,
 Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
References: <20220429201717.1946178-1-martin.fernandez@eclypsium.com>
 <YnKr+aMf4PspDpHZ@zn.tnic>
 <CAKgze5YDD02AsrF0yESv2sptZ4qxyTMgCDmnOKcbQWjKQsJRsw@mail.gmail.com>
 <YnUYLDjIThbIz/Uf@zn.tnic> <6d90c832-af4a-7ed6-4f72-dae08bb69c37@intel.com>
 <CAPcyv4i73m6iPPfJE9CBdxf-OWGXahvGqvh6G-pqVO=3LB6ktQ@mail.gmail.com>
 <47140A56-D3F8-4292-B355-5F92E3BA9F67@alien8.de>
 <6abea873-52a2-f506-b21b-4b567bee1874@intel.com>
 <FDABC5C8-B80A-4977-9F97-5A8FC47F69D6@alien8.de>
 <4bc56567-e2ce-40ec-19ab-349c8de8d969@intel.com>
 <CE52D65A-C9F4-408D-B18A-72D87495A433@alien8.de>
From: Dave Hansen <dave.hansen@intel.com>
In-Reply-To: <CE52D65A-C9F4-408D-B18A-72D87495A433@alien8.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: 061EB18007E
X-Stat-Signature: 95nhm3fnwnr4iyw46x9ur8rf8sb86tmy
Authentication-Results: imf06.hostedemail.com;
	dkim=pass header.d=intel.com header.s=Intel header.b=TjFnzyw9;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=none (imf06.hostedemail.com: domain of dave.hansen@intel.com has no SPF policy when checking 134.134.136.126) smtp.mailfrom=dave.hansen@intel.com
X-Rspam-User: 
X-HE-Tag: 1652122063-698877
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

... adding some KVM/TDX folks

On 5/6/22 12:02, Boris Petkov wrote:
>> This node attribute punts the problem back out to userspace.  It
>> gives userspace the ability to steer allocations to compatible NUMA
>> nodes.  If something goes wrong, they can use other NUMA ABIs to
>> inspect the situation, like /proc/$pid/numa_maps.
> That's all fine and dandy but I still don't see the *actual*,
> real-life use case of why something would request memory of
> particular encryption capabilities. Don't get me wrong  - I'm not
> saying there are not such use cases - I'm saying we should go all the
> way and fully define properly  *why* we're doing this whole hoopla.

Let's say TDX is running on a system with mixed encryption
capabilities*.  Some NUMA nodes support TDX and some don't.  If that
happens, your guest RAM can come from anywhere.  When the host kernel
calls into the TDX module to add pages to the guest (via
TDH.MEM.PAGE.ADD) it might get an error back from the TDX module.  At
that point, the host kernel is stuck.  It's got a partially created
guest and no recourse to fix the error.

This new ABI provides a way to avoid that situation in the first place.
 Userspace can look at sysfs to figure out which NUMA nodes support
"encryption" (aka. TDX) and can use the existing NUMA policy ABI to
avoid TDH.MEM.PAGE.ADD failures.

So, here's the question for the TDX folks: are these mixed-capability
systems a problem for you?  Does this ABI help you fix the problem?
Will your userspace (qemu and friends) actually use consume from this ABI?

* There are three ways we might hit a system with this issue:
  1. NVDIMMs that don't support  TDX, like lack of memory integrity
     protection.
  2. CXL-attached memory controllers that can't do encryption at all
  3. Nominally TDX-compatible memory that was not covered/converted by
     the kernel for some reason (memory hot-add, or ran out of TDMR
     resources)