Hi Sean,
On Fri May 19, 2023 at 6:23 PM UTC, Sean Christopherson wrote:
> On Fri, May 19, 2023, Nicolas Saenz Julienne wrote:
> > Hi,
> >
> > On Fri Dec 2, 2022 at 6:13 AM UTC, Chao Peng wrote:
> >
> > [...]
> > > +The user sets the per-page memory attributes to a guest memory range indicated
> > > +by address/size, and in return KVM adjusts address and size to reflect the
> > > +actual pages of the memory range have been successfully set to the attributes.
> > > +If the call returns 0, "address" is updated to the last successful address + 1
> > > +and "size" is updated to the remaining address size that has not been set
> > > +successfully. The user should check the return value as well as the size to
> > > +decide if the operation succeeded for the whole range or not. The user may want
> > > +to retry the operation with the returned address/size if the previous range was
> > > +partially successful.
> > > +
> > > +Both address and size should be page aligned and the supported attributes can be
> > > +retrieved with KVM_GET_SUPPORTED_MEMORY_ATTRIBUTES.
> > > +
> > > +The "flags" field may be used for future extensions and should be set to 0s.
> >
> > We have been looking into adding support for the Hyper-V VSM extensions
> > which Windows uses to implement Credential Guard. This interface seems
> > like a good fit for one of its underlying features. I just wanted to
> > share a bit about it, and see if we can expand it to fit this use-case.
> > Note that this was already briefly discussed between Sean and Alex some
> > time ago[1].
> >
> > VSM introduces isolated guest execution contexts called Virtual Trust
> > Levels (VTL) [2]. Each VTL has its own memory access protections,
> > virtual processors states, interrupt controllers and overlay pages. VTLs
> > are hierarchical and might enforce memory protections on less privileged
> > VTLs. Memory protections are enforced on a per-GPA granularity.
> >
> > The list of possible protections is:
> > - No access -- This needs a new memory attribute, I think.
>
> No, if KVM provides three bits for READ, WRITE, and EXECUTE, then userspace can
> get all the possible combinations. E.g. this is RWX=000b
That's not what the current implementation does, when attributes is
equal 0 it clears the entries from the xarray:
static int kvm_vm_ioctl_set_mem_attributes(struct kvm *kvm,
struct kvm_memory_attributes *attrs)
{
entry = attrs->attributes ? xa_mk_value(attrs->attributes) : NULL;
[...]
for (i = start; i < end; i++)
if (xa_err(xa_store(&kvm->mem_attr_array, i, entry,
GFP_KERNEL_ACCOUNT)))
break;
}
>From Documentation/core-api/xarray.rst:
"There is no difference between an entry that has never
been stored to, one that has been erased and one that has most recently
had ``NULL`` stored to it."
The way I understood the series, there needs to be a differentiation
between no attributes (regular page fault) and no-access.
> > We implemented this in the past by using a separate address space per
> > VTL and updating memory regions on protection changes. But having to
> > update the memory slot layout for every permission change scales poorly,
> > especially as we have to perform 100.000s of these operations at boot
> > (see [1] for a little more context).
> >
> > I believe the biggest barrier for us to use memory attributes is not
> > having the ability to target specific address spaces, or to the very
> > least having some mechanism to maintain multiple independent layers of
> > attributes.
>
> Can you elaborate on "specific address spaces"? In KVM, that usually means SMM,
> but the VTL comment above makes me think you're talking about something entirely
> different. E.g. can you provide a brief summary of the requirements/expectations?
I'll do so with a clear head on Monday. :)
Thanks!
Nicolas
