On 17/11/2015 11:44, Wang, Wei W wrote:
> On 17/11/2015 18:18, Paolo Bonzini wrote:
>> On 17/11/2015 02:45, Zhang, Yang Z wrote:
>>> We have a different version in hand which is using separate
>>> EPTP.
>>
>> Can you say in advance what you are using EPTP switching for?
>> Offlist if necessary.
>
> Hi Paolo,
>
> We are using EPTP switching for a protected inter-VM communication
> design, as shown in the slides (#23) here:
> http://events.linuxfoundation.org/sites/events/files/slides/Jun_Nakajima_NFV_KVM%202015_final.pdf

[offlist, adding virt-intel-list@xxxxxxxxxx]

If the EPTP switch is only adding extra data pages (e.g. mapping another guest's memory inside a PCI BAR), this can work. However, slides 24 and 25 suggest that the executable pages change between the two EPTP views, similar to Jun's KVM Forum 2014 presentation. Michael and I explained in Seattle that this only works if the guest is trusted.

I am a bit disappointed that Intel continued developing this feature without contacting us or without urging us to present our issues more formally. I think I should make this very clear: I am not going to accept in KVM a feature that requires the guest to be trusted. A trusted guest kernel may make sense for other applications of VMFUNC (e.g. McAfee memory scan) but not for virtualization; if the guest is trusted, you don't have virtualization anymore.

Michael and I are going to present our findings to Intel soon. This will hopefully clarify why the guest has to be trusted. We will also present possible extensions to VMFUNC that enable its usage with untrusted guests, albeit only at CPL=0.

Asit Mallick is going to contact Jun about this so we can organize the meeting. Unfortunately it is going to be hard for everyone to attend since we have people in Europe, US and China, but we will share the slides.
Thanks,

Paolo
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
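An added example, not part of the thread or of KVM, to make the distinction in the mail above concrete: a small Python model of two EPT views that classifies an EPTP switch as "only extra data pages differ" (the PCI-BAR style sharing that can be made to work) versus "executable pages differ between views" (which only holds up if the guest is trusted, because the guest chooses when to execute VMFUNC). The page layout, the host-physical addresses and the function and type names are constructed for this illustration and are not taken from the slides or from any hypervisor.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# One EPT mapping for a guest-physical page: the host-physical page it
# resolves to plus the read/write/execute permissions granted in this view.
@dataclass(frozen=True)
class EptEntry:
    hpa: int
    r: bool = True
    w: bool = False
    x: bool = False

# An EPT view maps guest-physical page numbers to EptEntry; pages absent
# from the dict are unmapped (an access would raise an EPT violation).
EptView = Dict[int, EptEntry]


def classify_eptp_switch(base: EptView, alt: EptView) -> Dict[str, object]:
    """Compare two EPT views reachable from each other via EPTP switching.

    Criterion from the mail: a switch that only adds or changes non-executable
    data pages can be made safe; a switch under which executable pages differ
    between the views is only sound if the guest itself is trusted.
    """
    data_pages: List[int] = []
    exec_pages: List[int] = []
    for gpn in sorted(set(base) | set(alt)):
        b: Optional[EptEntry] = base.get(gpn)
        a: Optional[EptEntry] = alt.get(gpn)
        if a == b:
            continue  # identical in both views: nothing to review
        # If the page is executable in either view, the code the guest can
        # run depends on which view is currently active.
        if (b is not None and b.x) or (a is not None and a.x):
            exec_pages.append(gpn)
        else:
            data_pages.append(gpn)
    return {
        "data_only": not exec_pages,
        "data_pages": data_pages,
        "exec_pages": exec_pages,
    }


# Constructed sample layout (hypothetical): guest kernel text at
# guest-physical page 0x100, guest data at 0x200.
BASE_VIEW: EptView = {
    0x100: EptEntry(hpa=0x1000, r=True, w=False, x=True),
    0x200: EptEntry(hpa=0x2000, r=True, w=True, x=False),
}

# Alternate view that only adds a shared, non-executable buffer at 0x300:
# the "extra data pages behind a PCI BAR" case.
DATA_ONLY_VIEW: EptView = {
    **BASE_VIEW,
    0x300: EptEntry(hpa=0x9000, r=True, w=True, x=False),
}

# Alternate view in which the executable page 0x100 is backed by different
# host memory: the "executable pages change between views" case.
EXEC_CHANGE_VIEW: EptView = {
    **BASE_VIEW,
    0x100: EptEntry(hpa=0x7000, r=True, w=False, x=True),
    0x300: EptEntry(hpa=0x9000, r=True, w=True, x=False),
}

if __name__ == "__main__":
    for name, view in (("data-only", DATA_ONLY_VIEW),
                       ("exec-change", EXEC_CHANGE_VIEW)):
        print(name, classify_eptp_switch(BASE_VIEW, view))
```

The classifier encodes only the criterion stated in the mail: any guest-physical page that is executable in either view and differs between them is flagged, whether the difference is the backing host page, the permissions, or the page being present in one view only. It says nothing about whether a hypervisor could police the switch itself; that is the part of the discussion the mail defers to the meeting with Intel.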