On Mon, May 13, 2024, Patrick Roy wrote:
> For non-CoCo VMs, where memory is not encrypted, and the threat model assumes a
> trusted host userspace, we would like to avoid changing the VM model so
> completely. If we adopt CoCo’s approaches where KVM / Userspace touches guest
> memory we would get all the complexity, yet none of the encryption.
> Particularly the complexity on the MMIO path seems nasty, but x86 does not

Uber nit, modern AMD CPUs do provide the byte stream, though there is at least
one related erratum. Intel CPUs don't provide the byte stream or pre-decode in
any way.

> pre-decode instructions on MMIO exits (which are just EPT_VIOLATIONs) like it
> does for PIO exits, so I also don’t really see a way around it in the
> guest_memfd model.

...

> Sean, you mentioned that you envision guest_memfd also supporting non-CoCo VMs.
> Do you have some thoughts about how to make the above cases work in the
> guest_memfd context?

Yes. The hand-wavy plan is to allow selectively mmap()ing guest_memfd(). There
is a long thread[*] discussing how exactly we want to do that. The TL;DR is that
the basic functionality is also straightforward; the bulk of the discussion is
around gup(), reclaim, page migration, etc.

[*] https://lore.kernel.org/all/ZdfoR3nCEP3HTtm1@xxxxxxxxxxxxxxxxxxxx