On Tue, Aug 17, 2021 at 10:51 PM Tobin Feldman-Fitzthum <tobin@xxxxxxxxxxxxx> wrote: > This is essentially what we do in our prototype, although we have an > even simpler approach. We have a 1:1 mapping that maps an address to > itself with the cbit set. During Migration QEMU asks the migration > handler to import/export encrypted pages and provides the GPA for said > page. Since the migration handler only exports/imports encrypted pages, > we can have the cbit set for every page in our mapping. We can still use > OVMF functions with these mappings because they are on encrypted pages. > The MH does need to use a few shared pages (to communicate with QEMU, > for instance), so we have another mapping without the cbit that is at a > large offset. > > I think this is basically equivalent to what you suggest. As you point > out above, this approach does require that any page that will be > exported/imported by the MH is mapped in the guest. Is this a bad > assumption? It should work well enough in the common case; and with SNP it looks like it is a necessary assumption anyway. *shrug* It would be a bit ugly because QEMU has to constantly convert ram_addr_t's to guest physical addresses and back. But that's not a performance problem. The only important bit is that the encryption status bitmap be indexed by ram_addr_t. This lets QEMU detect the problem of a ram_addr_t that is marked encrypted but is not currently mapped, and abort migration. > The Migration Handler in OVMF is not a contiguous region of memory. The > MH uses OVMF helper functions that are allocated in various regions of > runtime memory. I guess I can see how separating the memory of the MH > and the guest OS could be positive. On the other hand, since the MH is > in OVMF, it is fundamentally designed to coexist with the guest OS. IIRC runtime services are not SMP-safe, so the migration helper cannot coexist with the guest OS without extra care. I checked quickly and CryptoPkg/Library/BaseCryptLib/SysCall/RuntimeMemAllocation.c does not use any lock, so it would be bad if both OS-invoked runtime services and the MH invoked the CryptoPkg malloc at the same time. Paolo
