On Fri, Jun 23, 2023 at 05:24:20PM +0200, Ard Biesheuvel wrote:
> (cc Marc and Quentin)
>
> On Mon, 5 Jun 2023 at 11:05, Russell King (Oracle)
> <linux@xxxxxxxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > Are there any comments on this?
> >
>
> Hi Russell,
>
> I think the proposed approach is sound, but it is rather intrusive, as
> you've pointed out already (wrt KASLR and KASAN etc). And once my LPA2
> work gets merged (which uses root level -1 when booted on LPA2 capable
> hardware, and level 0 otherwise), we'll have yet another combination
> that is either fully incompatible, or cumbersome to support at the
> very least.
>
> I wonder if it would be worthwhile to explore an alternative approach,
> using pKVM and the host stage2:
>
> - all stage1 kernel mappings remain as they are, and the kernel code
> running at EL1 has no awareness of the replication beyond being
> involved in allocating the memory;
> - host is booted in protected KVM mode, which means that the host
> kernel executes under a stage 2 mapping;
> - each NUMA node has its own set of stage 2 page tables, and maps the
> kernel's code/rodata IPA range to a NUMA local PA range
> - the kernel's code and rodata are mapped read-only in the primary
> stage-2 mapping so updates trap to EL2, permitting the hypervisor to
> replicate those updates to all clones.
>
> Note that pKVM retains the capabilities of ordinary KVM, so as long as
> you boot at EL2, the only downside compared to your approach would be
> the increased TLB footprint due to the stage 2 mappings for the host
> kernel.
>
> Marc, Quentin, Will: any thoughts?

Thanks for taking a look. That sounds great, but my initial question
would be whether, with such a setup, one could then run VMs under such
a kernel without hardware that supports nested virtualisation? I
suspect the answer would be no.

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!