On Fri, Dec 21, 2018 at 10:28:09AM -0800, Sean Christopherson wrote:
> > Why would you want to pass EPC through user space to KVM rather than
> > KVM allocating it through kernel interfaces?
>
> Delegating EPC management to userspace fits better with KVM's existing
> memory ABI. KVM provides a single ioctl(), KVM_SET_USER_MEMORY_REGION[1],
> that allows userspace to create, move, modify and delete memory regions.
>
> Skipping over a lot of details, there are essentially three options for
> exposing EPC to a KVM guest:
>
> 1) Provide a dedicated KVM ioctl() to manage EPC without routing it
> through KVM_SET_USER_MEMORY_REGION.
>
> 2) Add a flag to 'struct kvm_userspace_memory_region' that denotes an
> EPC memory region and mmap() / allocate EPC in KVM.
>
> 3) Provide an ABI to allocate raw EPC and let userspace manage it like
> any other memory region.
>
> Option (1) requires duplicating all of KVM_SET_USER_MEMORY_REGION's
> functionality unless the ioctl() is severely restricted.
>
> Option (2) is an ugly abuse of KVM_SET_USER_MEMORY_REGION since the EPC
> flag would have completely different semantics than all other usage of
> KVM_SET_USER_MEMORY_REGION.
>
> Thus, option (3).

OK, thank you for your patience in explaining this.

> Probably a better question to answer is why provide the ABI through
> /dev/sgx and not /dev/kvm. IMO /dev/sgx is a more logical way to
> advertise support to userspace, e.g. userspace can simply check if
> /dev/sgx (or /dev/sgx/epc) exists vs. probing a KVM capability.

You have to understand that for a KVM non-expert like me it was really
important to get the context, which you kindly gave. I have never used
KVM's memory management API but now that I know how it works all of this
makes perfect sense.

This is not a better question but it is definitely a good follow-up
question :-)

I don't really understand your deduction here, however. If SGX was not
supported, why couldn't the hypothetical /dev/kvm functionality just
return an error?

For me it sounds a bit messy that KVM functionality, which is a client to
the SGX functionality, places some of its functionality in the SGX core.

/Jarkko