On Mon, Jun 15, 2020 at 02:22:19PM +0100, Marc Zyngier wrote: > Hi Dave, > > On 2020-06-15 13:59, Dave Martin wrote: > >On Mon, Jun 15, 2020 at 09:19:50AM +0100, Marc Zyngier wrote: > >>Not having PtrAuth on non-VHE KVM (for whatever reason VHE is not > >>enabled on a v8.3 system) has always looked like an oddity. This > >>trivial series remedies it, and allows a non-VHE KVM to offer PtrAuth > >>to its guests. > > > >How likely do you think it is that people will use such a configuration? > > Depending on the use case, very. See below. > > >The only reason I can see for people to build a kernel with CONFIG_VHE=n > >is as a workaround for broken hardware, or because the kernel is too old > >to support VHE (in which case it doesn't understand ptrauth either, so > >it is irrelevant whether ptrauth depends on VHE). > > Part of the work happening around running protected VMs (which cannot > be tampered with from EL1/0 host) makes it mandatory to disable VHE, > so that we can wrap the host EL1 in its own Stage-2 page tables. > We (the Android kernel team) are actively working on enabling this > feature. > > >I wonder whether it's therefore better to "encourage" people to turn > >VHE on by making subsequent features depend on it where appropriate. > >We do want multiplatform kernels to be configured with CONFIG_VHE=y for > >example. > > I'm all for having VHE on for platforms that support it. Which is why > CONFIG_VHE=y is present in defconfig. However, we cannot offer the same > level of guarantee as we can hopefully achieve with non-VHE (we can > drop mappings from Stage-1, but can't protect VMs from an evil or > compromised host). This is a very different use case from the usual > "reduced hypervisor overhead" that we want in the general case. > > >I ask this, because SVE suffers the same "oddity". If SVE can be > >enabled for non-VHE kernels straightforwardly then there's no reason not > >to do so, but I worried in the past that this would duplicate complex > >code that would never be tested or used. > > It is a concern. I guess that if we manage to get some traction on > Android, then the feature will get some testing! And yes, SVE is > next on my list. > > >If supporting ptrauth with !VHE is as simple as this series suggests, > >then it's low-risk. Perhaps SVE isn't much worse. I was chasing nasty > >bugs around at the time the SVE KVM support was originally written, and > >didn't want to add more unknowns into the mix... > > I think having started with a slightly smaller problem space was the > right thing to do at the time. We are now reasonably confident that > KVM and SVE are working correctly together, and we can now try to enable > it on !VHE. Cool, now I understand. Cheers ---Dave
