On 22.02.24 17:10, Fuad Tabba wrote:
This series adds restricted mmap() support to guest_memfd [1], as
well as support guest_memfd on pKVM/arm64.
This series is based on Linux 6.8-rc4 + our pKVM core series [2].
The KVM core patches apply to Linux 6.8-rc4 (patches 1-6), but
the remainder (patches 7-26) require the pKVM core series. A git
repo with this series applied can be found here [3]. We have a
(WIP) kvmtool port capable of running the code in this series
[4]. For a technical deep dive into pKVM, please refer to Quentin
Perret's KVM Forum Presentation [5, 6].
I've covered some of the issues presented here in my LPC 2023
presentation [7].
We haven't started using this in Android yet, but we aim to move
away from anonymous memory to guest_memfd once we have the
necessary support merged upstream. Others (e.g., Gunyah [8]) are
also looking into guest_memfd for similar reasons as us.
By design, guest_memfd cannot be mapped, read, or written by the
host userspace. In pKVM, memory shared between a protected guest
and the host is shared in-place, unlike the other confidential
computing solutions that guest_memfd was originally envisaged for
(e.g, TDX).
Can you elaborate (or point to a summary) why pKVM has to be special
here? Why can't you use guest_memfd only for private memory and another
(ordinary) memfd for shared memory, like the other confidential
computing technologies are planning to?
What's the main reason for that decision and can it be avoided?
(s390x also shares in-place, but doesn't need any special-casing like
guest_memfd provides)
--
Cheers,
David / dhildenb
