To add a layer of paint to the shed, the usage of SIGBUS for
something that is really a permission access problem doesn't feel
SIGBUS stands for "BUS error (bad memory access)."
Which makes sense, if you try accessing something that can no longer be
accessed. It's now inaccessible. Even if it is temporarily.
Just like a page with an MCE error. Swapin errors. Etc. You cannot access
it.
It might be a permission problem on the pKVM side, but it's not the
traditional "permission problem" as in mprotect() and friends. You cannot
resolve that permission problem yourself. It's a higher entity that turned
that memory inaccessible.
Well that's where I'm not sure to agree. Userspace can, in fact, get
back all of that memory by simply killing the protected VM. With the
Right, but that would likely "wipe" the pages so they can be made
accessible again, right?
That's the whole point why we are handing the pages over to the "higher
entity", and allow someone else (the VM) to turn them into a state where
we can no longer read them.
(if you follow the other discussion, it would actually be nice if we
could read them and would get encrypted content back, like s390x does;
but that's a different discussion and I assume pretty much out of scope :) )
approach suggested here, the guestmem pages are entirely accessible to
the host until they are attached to a running protected VM which
triggers the protection. It is very much userspace saying "I promise not
to touch these pages from now on" when it does that, in a way that I
personally find very comparable to the mprotect case. It is not some
other entity that pulls the carpet from under userspace's feet, it is
userspace being inconsistent with itself that causes the issue here, and
that's why SIGBUS feels kinda wrong as it tends to be used to report
external errors of some sort.
I recall that user space can also trigger SIGBUS when doing some
mmap()+truncate() thingies, and probably a bunch more, that could be
fixed up later.
I don't see a problem with SIUGBUS here, but I do understand your view.
I consider the exact signal a minor detail, though.
appropriate. Allocating memory via guestmem and donating that to a
protected guest is a way for userspace to voluntarily relinquish access
permissions to the memory it allocated. So a userspace process violating
that could, IMO, reasonably expect a SEGV instead of SIGBUS. By the
point that signal would be sent, the page would have been accounted
against that userspace process, so not sure the paging examples that
were discussed earlier are exactly comparable. To illustrate that
differently, given that pKVM and Gunyah use MMU-based protection, there
is nothing architecturally that prevents a guest from sharing a page
back with Linux as RO.
Sure, then allow page faults that allow for reads and give a signal on write
faults.
In the scenario, it even makes more sense to not constantly require new
mmap's from user space just to access a now-shared page.
Note that we don't currently support this, so I
don't want to conflate this use case, but that hopefully makes it a
little more obvious that this is a "there is a page, but you don't
currently have the permission to access it" problem rather than "sorry
but we ran out of pages" problem.
We could user other signals, at least as the semantics are clear and it's
documented. Maybe SIGSEGV would be warranted.
I consider that a minor detail, though.
Requiring mmap()/munmap() dances just to access a page that is now shared
from user space sounds a bit suboptimal. But I don't know all the details of
the user space implementation.
Agreed, if we could save having to mmap() each page that gets shared
back that would be a nice performance optimization.
"mmap() the whole thing once and only access what you are supposed to
access" sounds reasonable to me. If you don't play by the rules, you get a
signal.
"... you get a signal, or maybe you don't". But yes I understand your
point, and as per the above there are real benefits to this approach so
why not.
What do we expect userspace to do when a page goes from shared back to
being guest-private, because e.g. the guest decides to unshare? Use
munmap() on that page? Or perhaps an madvise() call of some sort? Note
that this will be needed when starting a guest as well, as userspace
needs to copy the guest payload in the guestmem file prior to starting
the protected VM.
Let's assume we have the whole guest_memfd mapped exactly once in our
process, a single VMA.
When setting up the VM, we'll write the payload and then fire up the VM.
That will (I assume) trigger some shared -> private conversion.
When we want to convert shared -> private in the kernel, we would first
check if the page is currently mapped. If it is, we could try unmapping
that page using an rmap walk.
Then, we'd make sure that there are really no other references and
protect against concurrent mapping of the page. Now we can convert the
page to private.
As we want to avoid the rmap walk, user space can be nice and simply
MADV_DONTNEED the shared memory portions once it's done with it. For
example, after writing the payload.
Just a thought, maybe I am missing some details.
--
Cheers,
David / dhildenb
