Thread: 51 messages, 10 authors, 2021-12-03

Re: [RFC v2 PATCH 01/13] mm/shmem: Introduce F_SEAL_GUEST

From: Jason Gunthorpe <jgg@ziepe.ca>
Date: 2021-11-21 00:05:32
Also in: kvm, linux-fsdevel, lkml, qemu-devel

On Sat, Nov 20, 2021 at 01:23:16AM +0000, Sean Christopherson wrote:
> On Fri, Nov 19, 2021, Jason Gunthorpe wrote:
> > On Fri, Nov 19, 2021 at 10:21:39PM +0000, Sean Christopherson wrote:
> > > On Fri, Nov 19, 2021, Jason Gunthorpe wrote:
> > > > On Fri, Nov 19, 2021 at 07:18:00PM +0000, Sean Christopherson wrote:
> > > > > No ideas for the kernel API, but that's also less concerning since
> > > > > it's not set in stone.  I'm also not sure that dedicated APIs for
> > > > > each high-ish level use case would be a bad thing, as the semantics
> > > > > are unlikely to be different to some extent.  E.g. for the KVM use
> > > > > case, there can be at most one guest associated with the fd, but
> > > > > there can be any number of VFIO devices attached to the fd.
> > > >
> > > > Even the kvm thing is not a hard restriction when you take away
> > > > confidential compute.
> > > >
> > > > Why can't we have multiple KVMs linked to the same FD if the memory
> > > > isn't encrypted? Sure it isn't actually useful but it should work
> > > > fine.
> > >
> > > Hmm, true, but I want the KVM semantics to be 1:1 even if memory
> > > isn't encrypted.
> >
> > That is policy and it doesn't belong hardwired into the kernel.
>
> Agreed.  I had a blurb typed up about that policy just being an "exclusive" flag
> in the kernel API that KVM would set when creating a confidential
> VM,

I still think that is policy in the kernel, what is wrong with
userspace doing it?

> > Your explanation makes me think that the F_SEAL_XX isn't defined
> > properly. It should be a userspace trap door to prevent any new
> > external accesses, including establishing new kvms, iommu's, rdmas,
> > mmaps, read/write, etc.
>
> Hmm, the way I was thinking of it is that the F_SEAL_XX itself would prevent
> mapping/accessing it from userspace, and that any policy beyond that would be
> done via kernel APIs and thus handled by whatever in-kernel agent can access the
> memory.  E.g. in the confidential VM case, without support for trusted devices,
> KVM would require that it be the sole owner of the file.
And how would kvm know if there is support for trusted devices?
Again seems like policy choices that should be left in userspace.

Especially for what could be a general in-kernel mechanism with many
users and not tightly linked to KVM as imagined here.

Jason
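The "trap door" semantics Jason argues for already exist for the memfd seals that F_SEAL_GUEST would sit beside: once a seal is added it can never be removed, and the kernel refuses the access kinds it covers from that point on. The C program below is an added example, not code from this thread or from the RFC patch series; it uses only the existing seals (F_SEAL_WRITE and F_SEAL_SEAL, which are in released kernels) rather than the proposed F_SEAL_GUEST, whose value and behaviour are not defined on this page. The memfd name "seal-demo" and the sample contents are constructed for the demonstration. It records which operations the kernel rejects after sealing so a reader can see that the seal blocks new writes, new writable mappings and further sealing, while leaving existing data readable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of probing a sealed memfd; every field is what the kernel returned. */
struct seal_probe {
    int seals;         /* F_GET_SEALS result after sealing */
    int write_errno;   /* errno from pwrite() after F_SEAL_WRITE, 0 if it succeeded */
    int mmap_errno;    /* errno from a MAP_SHARED|PROT_WRITE mmap, 0 if it succeeded */
    int reseal_errno;  /* errno from a second F_ADD_SEALS after F_SEAL_SEAL */
    int read_ok;       /* 1 if the contents written before sealing are still readable */
};

/* Create a memfd, write constructed sample data, seal it against writes and
 * further sealing, then record which later accesses the kernel refuses.
 * Returns 0 on success or -errno if setup itself failed. */
int probe_sealed_memfd(struct seal_probe *out)
{
    memset(out, 0, sizeof(*out));
    int fd = memfd_create("seal-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -errno;

    /* Constructed sample contents, written before any seal is applied. */
    static const char sample[] = "guest-page";
    if (write(fd, sample, sizeof(sample)) != (ssize_t)sizeof(sample)) {
        int e = errno;
        close(fd);
        return -e;
    }

    /* The trap door: once added, these seals can never be removed. */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    out->seals = fcntl(fd, F_GET_SEALS);

    /* New writes through the fd are refused (EPERM). */
    if (pwrite(fd, "x", 1, 0) < 0)
        out->write_errno = errno;

    /* New writable shared mappings are refused (EPERM). */
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED)
        out->mmap_errno = errno;
    else
        munmap(p, 4096);

    /* Adding any further seal after F_SEAL_SEAL is refused (EPERM). */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_GROW) < 0)
        out->reseal_errno = errno;

    /* Existing data stays readable: the seal blocks new modification, not reads. */
    char buf[sizeof(sample)];
    out->read_ok = pread(fd, buf, sizeof(buf), 0) == (ssize_t)sizeof(buf)
                   && memcmp(buf, sample, sizeof(buf)) == 0;
    close(fd);
    return 0;
}

int main(void)
{
    struct seal_probe pr;
    int rc = probe_sealed_memfd(&pr);
    if (rc < 0) {
        fprintf(stderr, "memfd probe failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("seals=0x%x write=%s mmap(PROT_WRITE)=%s add_seal=%s read_ok=%d\n",
           pr.seals, strerror(pr.write_errno), strerror(pr.mmap_errno),
           strerror(pr.reseal_errno), pr.read_ok);
    return 0;
}
```

Build with `gcc -Wall -o seal-demo seal-demo.c` on a Linux host with glibc 2.27 or later (which declares memfd_create and the F_SEAL_* constants). The point of interest for the thread is the last check: F_SEAL_SEAL makes the sealing itself irreversible and closed to extension, which is the one-way property Jason wants the new seal to have for every access path, not only userspace mmap and read/write.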