Hi Sean, On Fri May 19, 2023 at 6:23 PM UTC, Sean Christopherson wrote: > On Fri, May 19, 2023, Nicolas Saenz Julienne wrote: > > Hi, > > > > On Fri Dec 2, 2022 at 6:13 AM UTC, Chao Peng wrote: > > > > [...] > > > +The user sets the per-page memory attributes to a guest memory range indicated > > > +by address/size, and in return KVM adjusts address and size to reflect the > > > +actual pages of the memory range have been successfully set to the attributes. > > > +If the call returns 0, "address" is updated to the last successful address + 1 > > > +and "size" is updated to the remaining address size that has not been set > > > +successfully. The user should check the return value as well as the size to > > > +decide if the operation succeeded for the whole range or not. The user may want > > > +to retry the operation with the returned address/size if the previous range was > > > +partially successful. > > > + > > > +Both address and size should be page aligned and the supported attributes can be > > > +retrieved with KVM_GET_SUPPORTED_MEMORY_ATTRIBUTES. > > > + > > > +The "flags" field may be used for future extensions and should be set to 0s. > > > > We have been looking into adding support for the Hyper-V VSM extensions > > which Windows uses to implement Credential Guard. This interface seems > > like a good fit for one of its underlying features. I just wanted to > > share a bit about it, and see if we can expand it to fit this use-case. > > Note that this was already briefly discussed between Sean and Alex some > > time ago[1]. > > > > VSM introduces isolated guest execution contexts called Virtual Trust > > Levels (VTL) [2]. Each VTL has its own memory access protections, > > virtual processors states, interrupt controllers and overlay pages. VTLs > > are hierarchical and might enforce memory protections on less privileged > > VTLs. Memory protections are enforced on a per-GPA granularity. > > > > The list of possible protections is: > > - No access -- This needs a new memory attribute, I think. > > No, if KVM provides three bits for READ, WRITE, and EXECUTE, then userspace can > get all the possible combinations. E.g. this is RWX=000b That's not what the current implementation does, when attributes is equal 0 it clears the entries from the xarray: static int kvm_vm_ioctl_set_mem_attributes(struct kvm *kvm, struct kvm_memory_attributes *attrs) { entry = attrs->attributes ? xa_mk_value(attrs->attributes) : NULL; [...] for (i = start; i < end; i++) if (xa_err(xa_store(&kvm->mem_attr_array, i, entry, GFP_KERNEL_ACCOUNT))) break; } >From Documentation/core-api/xarray.rst: "There is no difference between an entry that has never been stored to, one that has been erased and one that has most recently had ``NULL`` stored to it." The way I understood the series, there needs to be a differentiation between no attributes (regular page fault) and no-access. > > We implemented this in the past by using a separate address space per > > VTL and updating memory regions on protection changes. But having to > > update the memory slot layout for every permission change scales poorly, > > especially as we have to perform 100.000s of these operations at boot > > (see [1] for a little more context). > > > > I believe the biggest barrier for us to use memory attributes is not > > having the ability to target specific address spaces, or to the very > > least having some mechanism to maintain multiple independent layers of > > attributes. > > Can you elaborate on "specific address spaces"? In KVM, that usually means SMM, > but the VTL comment above makes me think you're talking about something entirely > different. E.g. can you provide a brief summary of the requirements/expectations? I'll do so with a clear head on Monday. :) Thanks! Nicolas