On 10.02.20 19:28, Christian Borntraeger wrote:
>
>
> On 10.02.20 19:17, David Hildenbrand wrote:
>> On 07.02.20 12:39, Christian Borntraeger wrote:
>>> From: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
>>>
>>> With the introduction of protected KVM guests on s390 there is now a
>>> concept of inaccessible pages. These pages need to be made accessible
>>> before the host can access them.
>>>
>>> While cpu accesses will trigger a fault that can be resolved, I/O
>>> accesses will just fail. We need to add a callback into architecture
>>> code for places that will do I/O, namely when writeback is started or
>>> when a page reference is taken.
>>
>> My question would be: What guarantees that the page will stay accessible
>> (for I/O)? IIRC, pages can be converted back to secure/inaccessible
>> whenever the guest wants to access them. How will that be dealt with?
>
> Yes, in patch 5 we do use the page lock, PageWriteBack and page_ref_freeze
> to only make the page secure again if no I/O is going to be started or
> still running.
>
> We have minimized the common code impact (just these 3 callbacks) so that
> architecture code can do the right thing.
So the magic is
+static int expected_page_refs(struct page *page)
+{
+ int res;
+
+ res = page_mapcount(page);
+ if (PageSwapCache(page))
+ res++;
+ else if (page_mapping(page)) {
+ res++;
+ if (page_has_private(page))
+ res++;
+ }
+ return res;
+}
[...]
+static int make_secure_pte(pte_t *ptep, unsigned long addr, void *data)
[...]
+ if (PageWriteback(page))
+ return -EAGAIN;
+ expected = expected_page_refs(page);
+ if (!page_ref_freeze(page, expected))
+ return -EBUSY;
[...]
+ rc = uv_call(0, (u64)params->uvcb);
+ page_ref_unfreeze(page, expected);
As long as a page is does not have the expected refcount, it cannot be
convert to secure and not used by the guest.
I assume this implies, that if a guest page is pinned somewhere (e.g.,
in KVM), it won't be usable by the guest.
Please add all these details to the patch description. I think they are
crucial to understand how this is expected to work and to be used.
--
Thanks,
David / dhildenb
