On Sun, Oct 18, 2020 at 09:14:00AM -0700, Andy Lutomirski wrote: > On Sun, Oct 18, 2020 at 8:59 AM Michael S. Tsirkin <mst@xxxxxxxxxx> wrote: > > > > On Sun, Oct 18, 2020 at 08:54:36AM -0700, Andy Lutomirski wrote: > > > On Sun, Oct 18, 2020 at 8:52 AM Michael S. Tsirkin <mst@xxxxxxxxxx> wrote: > > > > > > > > On Sat, Oct 17, 2020 at 03:24:08PM +0200, Jason A. Donenfeld wrote: > > > > > 4c. The guest kernel maintains an array of physical addresses that are > > > > > MADV_WIPEONFORK. The hypervisor knows about this array and its > > > > > location through whatever protocol, and before resuming a > > > > > moved/snapshotted/duplicated VM, it takes the responsibility for > > > > > memzeroing this memory. The huge pro here would be that this > > > > > eliminates all races, and reduces complexity quite a bit, because the > > > > > hypervisor can perfectly synchronize its bringup (and SMP bringup) > > > > > with this, and it can even optimize things like on-disk memory > > > > > snapshots to simply not write out those pages to disk. > > > > > > > > > > A 4c-like approach seems like it'd be a lot of bang for the buck -- we > > > > > reuse the existing mechanism (MADV_WIPEONFORK), so there's no new > > > > > userspace API to deal with, and it'd be race free, and eliminate a lot > > > > > of kernel complexity. > > > > > > > > Clearly this has a chance to break applications, right? > > > > If there's an app that uses this as a non-system-calls way > > > > to find out whether there was a fork, it will break > > > > when wipe triggers without a fork ... > > > > For example, imagine: > > > > > > > > MADV_WIPEONFORK > > > > copy secret data to MADV_DONTFORK > > > > fork > > > > > > > > > > > > used to work, with this change it gets 0s instead of the secret data. > > > > > > > > > > > > I am also not sure it's wise to expose each guest process > > > > to the hypervisor like this. E.g. each process needs a > > > > guest physical address of its own then. This is a finite resource. > > > > > > > > > > > > The mmap interface proposed here is somewhat baroque, but it is > > > > certainly simple to implement ... > > > > > > Wipe of fork/vmgenid/whatever could end up being much more problematic > > > than it naively appears -- it could be wiped in the middle of a read. > > > Either the API needs to handle this cleanly, or we need something more > > > aggressive like signal-on-fork. > > > > > > --Andy > > > > > > Right, it's not on fork, it's actually when process is snapshotted. > > > > If we assume it's CRIU we care about, then I > > wonder what's wrong with something like > > MADV_CHANGEONPTRACE_SEIZE > > and basically say it's X bytes which change the value... > > I feel like we may be approaching this from the wrong end. Rather > than saying "what data structure can the kernel expose that might > plausibly be useful", how about we try identifying some specific > userspace needs and see what a good solution could look like. I can > identify two major cryptographic use cases: Well, I'm aware of a non-cryptographic use-case: https://bugzilla.redhat.com/show_bug.cgi?id=1118834 this seems to just ask for the guest to have a way to detect that a VM cloning triggered. -- MST
