| Message ID | 20230127112932.38045-9-steven.price@arm.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp783341wrn;
Fri, 27 Jan 2023 03:33:32 -0800 (PST)
X-Google-Smtp-Source:
AK7set8E7M4tz0dxYq2SaayI0sNxq8Fd7U8FMmxjGGRrnW4QQ3n7b1+gvmTCkadxOp/IzTYv845p
X-Received: by 2002:a17:903:18c:b0:196:4624:1691 with SMTP id
z12-20020a170903018c00b0019646241691mr4971381plg.54.1674819212591;
Fri, 27 Jan 2023 03:33:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1674819212; cv=none;
d=google.com; s=arc-20160816;
b=TwrFKno4bPX0GsqWPzMh7KaOiU9gg+9DMIkb4iJYPExm0zPPnxeT/DwChyjA0eVBNw
iyLq8auKjxtEBfC3tzDVlV48r29FKZh2amTrGcsZigMQwxyhB0mX93hS4bk35jpTPYkx
itjcj+WwFOIY8nRb27eqN427b8i3+8+sjAgUPOGuhxdWSjlLbGXW2/BD2rtknRLnV2Gv
OaLkuvwpgkweP7GX9oF2MISI0mZLerd+ATC6BiL3DaqYUzycVYTL4nAhbNTYNGKXoz2Z
/WBLXPkHoRTlsWpYFeVmWfS5HlJ1fuVfgDV3CoNZeh3WfPyiJWz4I3VgBGbdSphX6grx
Jwjg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from;
bh=2I2n08TofPGijBSH9wVqYCWX98/c9uubddafT2lBccI=;
b=T0X0TeZ/Zj8RREOf/7dT9fxa4V3nqTWWAihvVMpMcCxbxWP87LgJgwHWiIOCLa2Z74
P+pMU3M9Nro4UwPYoQHprcoLZP60iDTKrHQVwBCmdOTr1vf4/cIOOI2asx5uZdlt7V6y
lPEM21NoPztHrDxz4ITENVBk8XmMCvsM52fFf0+S46+6sjH0lI3UnvzZ3k2H43qUk91u
kTqjgD/E54gZBYCxQ94R+th3wanS+datfJsTIhKd7ZJB2jK1peH0KGdRlVw86A9E+SZr
aYDol6/F18Adlu0AvxWUZkHglVXvgWx4xZ/oQsMEfj4UJKOVisUK/itcfXVergalWwFM
7SSA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
w11-20020a170902d3cb00b0019488aa379asi4494527plb.181.2023.01.27.03.33.19;
Fri, 27 Jan 2023 03:33:32 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233604AbjA0Lcv (ORCPT <rfc822;lekhanya01809@gmail.com>
+ 99 others); Fri, 27 Jan 2023 06:32:51 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43374 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231928AbjA0LcZ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 27 Jan 2023 06:32:25 -0500
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id 90DB17D28F;
Fri, 27 Jan 2023 03:30:56 -0800 (PST)
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C1A3E165C;
Fri, 27 Jan 2023 03:30:45 -0800 (PST)
Received: from e122027.cambridge.arm.com (e122027.cambridge.arm.com
[10.1.35.16])
by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id
912C53F64C;
Fri, 27 Jan 2023 03:30:01 -0800 (PST)
From: Steven Price <steven.price@arm.com>
To: kvm@vger.kernel.org, kvmarm@lists.linux.dev
Cc: Steven Price <steven.price@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Marc Zyngier <maz@kernel.org>, Will Deacon <will@kernel.org>,
James Morse <james.morse@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>,
linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
Joey Gouly <joey.gouly@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Christoffer Dall <christoffer.dall@arm.com>,
Fuad Tabba <tabba@google.com>, linux-coco@lists.linux.dev
Subject: [RFC PATCH 08/28] arm64: RME: Keep a spare page delegated to the RMM
Date: Fri, 27 Jan 2023 11:29:12 +0000
Message-Id: <20230127112932.38045-9-steven.price@arm.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230127112932.38045-1-steven.price@arm.com>
References: <20230127112248.136810-1-suzuki.poulose@arm.com>
<20230127112932.38045-1-steven.price@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1756175230358472282?=
X-GMAIL-MSGID: =?utf-8?q?1756175230358472282?=
|
| Series |
arm64: Support for Arm CCA in KVM
|
|
Commit Message
Steven Price
Jan. 27, 2023, 11:29 a.m. UTC
Pages can only be populated/destroyed on the RMM at the 4KB granule,
this requires creating the full depth of RTTs. However if the pages are
going to be combined into a 4MB huge page the last RTT is only
temporarily needed. Similarly when freeing memory the huge page must be
temporarily split requiring temporary usage of the full depth oF RTTs.
To avoid needing to perform a temporary allocation and delegation of a
page for this purpose we keep a spare delegated page around. In
particular this avoids the need for memory allocation while destroying
the realm guest.
Signed-off-by: Steven Price <steven.price@arm.com>
---
arch/arm64/include/asm/kvm_rme.h | 3 +++
arch/arm64/kvm/rme.c | 6 ++++++
2 files changed, 9 insertions(+)
Comments
On Fri, 27 Jan 2023 11:29:12 +0000 Steven Price <steven.price@arm.com> wrote: > Pages can only be populated/destroyed on the RMM at the 4KB granule, > this requires creating the full depth of RTTs. However if the pages are > going to be combined into a 4MB huge page the last RTT is only > temporarily needed. Similarly when freeing memory the huge page must be > temporarily split requiring temporary usage of the full depth oF RTTs. > > To avoid needing to perform a temporary allocation and delegation of a > page for this purpose we keep a spare delegated page around. In > particular this avoids the need for memory allocation while destroying > the realm guest. > > Signed-off-by: Steven Price <steven.price@arm.com> > --- > arch/arm64/include/asm/kvm_rme.h | 3 +++ > arch/arm64/kvm/rme.c | 6 ++++++ > 2 files changed, 9 insertions(+) > > diff --git a/arch/arm64/include/asm/kvm_rme.h b/arch/arm64/include/asm/kvm_rme.h > index 055a22accc08..a6318af3ed11 100644 > --- a/arch/arm64/include/asm/kvm_rme.h > +++ b/arch/arm64/include/asm/kvm_rme.h > @@ -21,6 +21,9 @@ struct realm { > void *rd; > struct realm_params *params; > > + /* A spare already delegated page */ > + phys_addr_t spare_page; > + > unsigned long num_aux; > unsigned int vmid; > unsigned int ia_bits; > diff --git a/arch/arm64/kvm/rme.c b/arch/arm64/kvm/rme.c > index 9f8c5a91b8fc..0c9d70e4d9e6 100644 > --- a/arch/arm64/kvm/rme.c > +++ b/arch/arm64/kvm/rme.c > @@ -148,6 +148,7 @@ static int realm_create_rd(struct kvm *kvm) > } > > realm->rd = rd; > + realm->spare_page = PHYS_ADDR_MAX; > realm->ia_bits = VTCR_EL2_IPA(kvm->arch.vtcr); > > if (WARN_ON(rmi_rec_aux_count(rd_phys, &realm->num_aux))) { > @@ -357,6 +358,11 @@ void kvm_destroy_realm(struct kvm *kvm) > free_page((unsigned long)realm->rd); > realm->rd = NULL; > } > + if (realm->spare_page != PHYS_ADDR_MAX) { > + if (!WARN_ON(rmi_granule_undelegate(realm->spare_page))) > + free_page((unsigned long)phys_to_virt(realm->spare_page)); Will the page be leaked (not usable for host and realms) if the undelegate failed? If yes, better at least put a comment. > + realm->spare_page = PHYS_ADDR_MAX; > + } > > pgd_sz = kvm_pgd_pages(pgt->ia_bits, pgt->start_level); > for (i = 0; i < pgd_sz; i++) {
On 13/02/2023 16:47, Zhi Wang wrote: > On Fri, 27 Jan 2023 11:29:12 +0000 > Steven Price <steven.price@arm.com> wrote: > >> Pages can only be populated/destroyed on the RMM at the 4KB granule, >> this requires creating the full depth of RTTs. However if the pages are >> going to be combined into a 4MB huge page the last RTT is only >> temporarily needed. Similarly when freeing memory the huge page must be >> temporarily split requiring temporary usage of the full depth oF RTTs. >> >> To avoid needing to perform a temporary allocation and delegation of a >> page for this purpose we keep a spare delegated page around. In >> particular this avoids the need for memory allocation while destroying >> the realm guest. >> >> Signed-off-by: Steven Price <steven.price@arm.com> >> --- >> arch/arm64/include/asm/kvm_rme.h | 3 +++ >> arch/arm64/kvm/rme.c | 6 ++++++ >> 2 files changed, 9 insertions(+) >> >> diff --git a/arch/arm64/include/asm/kvm_rme.h b/arch/arm64/include/asm/kvm_rme.h >> index 055a22accc08..a6318af3ed11 100644 >> --- a/arch/arm64/include/asm/kvm_rme.h >> +++ b/arch/arm64/include/asm/kvm_rme.h >> @@ -21,6 +21,9 @@ struct realm { >> void *rd; >> struct realm_params *params; >> >> + /* A spare already delegated page */ >> + phys_addr_t spare_page; >> + >> unsigned long num_aux; >> unsigned int vmid; >> unsigned int ia_bits; >> diff --git a/arch/arm64/kvm/rme.c b/arch/arm64/kvm/rme.c >> index 9f8c5a91b8fc..0c9d70e4d9e6 100644 >> --- a/arch/arm64/kvm/rme.c >> +++ b/arch/arm64/kvm/rme.c >> @@ -148,6 +148,7 @@ static int realm_create_rd(struct kvm *kvm) >> } >> >> realm->rd = rd; >> + realm->spare_page = PHYS_ADDR_MAX; >> realm->ia_bits = VTCR_EL2_IPA(kvm->arch.vtcr); >> >> if (WARN_ON(rmi_rec_aux_count(rd_phys, &realm->num_aux))) { >> @@ -357,6 +358,11 @@ void kvm_destroy_realm(struct kvm *kvm) >> free_page((unsigned long)realm->rd); >> realm->rd = NULL; >> } >> + if (realm->spare_page != PHYS_ADDR_MAX) { >> + if (!WARN_ON(rmi_granule_undelegate(realm->spare_page))) >> + free_page((unsigned long)phys_to_virt(realm->spare_page)); > > Will the page be leaked (not usable for host and realms) if the undelegate > failed? If yes, better at least put a comment. Yes - I'll add a comment. In general being unable to undelegate a page points to a programming error in the host. The only reason the RMM should refuse the request is it the page is in use by a Realm which the host has configured. So the WARN() is correct (there's a kernel bug) and the only sensible course of action is to leak the page and limp on. Thanks, Steve >> + realm->spare_page = PHYS_ADDR_MAX; >> + } >> >> pgd_sz = kvm_pgd_pages(pgt->ia_bits, pgt->start_level); >> for (i = 0; i < pgd_sz; i++) { >
On Wed, 1 Mar 2023 11:55:37 +0000 Steven Price <steven.price@arm.com> wrote: > On 13/02/2023 16:47, Zhi Wang wrote: > > On Fri, 27 Jan 2023 11:29:12 +0000 > > Steven Price <steven.price@arm.com> wrote: > > > >> Pages can only be populated/destroyed on the RMM at the 4KB granule, > >> this requires creating the full depth of RTTs. However if the pages are > >> going to be combined into a 4MB huge page the last RTT is only > >> temporarily needed. Similarly when freeing memory the huge page must be > >> temporarily split requiring temporary usage of the full depth oF RTTs. > >> > >> To avoid needing to perform a temporary allocation and delegation of a > >> page for this purpose we keep a spare delegated page around. In > >> particular this avoids the need for memory allocation while destroying > >> the realm guest. > >> > >> Signed-off-by: Steven Price <steven.price@arm.com> > >> --- > >> arch/arm64/include/asm/kvm_rme.h | 3 +++ > >> arch/arm64/kvm/rme.c | 6 ++++++ > >> 2 files changed, 9 insertions(+) > >> > >> diff --git a/arch/arm64/include/asm/kvm_rme.h b/arch/arm64/include/asm/kvm_rme.h > >> index 055a22accc08..a6318af3ed11 100644 > >> --- a/arch/arm64/include/asm/kvm_rme.h > >> +++ b/arch/arm64/include/asm/kvm_rme.h > >> @@ -21,6 +21,9 @@ struct realm { > >> void *rd; > >> struct realm_params *params; > >> > >> + /* A spare already delegated page */ > >> + phys_addr_t spare_page; > >> + > >> unsigned long num_aux; > >> unsigned int vmid; > >> unsigned int ia_bits; > >> diff --git a/arch/arm64/kvm/rme.c b/arch/arm64/kvm/rme.c > >> index 9f8c5a91b8fc..0c9d70e4d9e6 100644 > >> --- a/arch/arm64/kvm/rme.c > >> +++ b/arch/arm64/kvm/rme.c > >> @@ -148,6 +148,7 @@ static int realm_create_rd(struct kvm *kvm) > >> } > >> > >> realm->rd = rd; > >> + realm->spare_page = PHYS_ADDR_MAX; > >> realm->ia_bits = VTCR_EL2_IPA(kvm->arch.vtcr); > >> > >> if (WARN_ON(rmi_rec_aux_count(rd_phys, &realm->num_aux))) { > >> @@ -357,6 +358,11 @@ void kvm_destroy_realm(struct kvm *kvm) > >> free_page((unsigned long)realm->rd); > >> realm->rd = NULL; > >> } > >> + if (realm->spare_page != PHYS_ADDR_MAX) { > >> + if (!WARN_ON(rmi_granule_undelegate(realm->spare_page))) > >> + free_page((unsigned long)phys_to_virt(realm->spare_page)); > > > > Will the page be leaked (not usable for host and realms) if the undelegate > > failed? If yes, better at least put a comment. > > Yes - I'll add a comment. > > In general being unable to undelegate a page points to a programming > error in the host. The only reason the RMM should refuse the request is > it the page is in use by a Realm which the host has configured. So the > WARN() is correct (there's a kernel bug) and the only sensible course of > action is to leak the page and limp on. > It would be nice to add a summary of above into the patch comments. Having a comment when leaking a page (which mostly means the page cannot be reclaimed by VMM and used on a REALM any more) is nice. TDX/SNP also have the problem of leaking pages due to mystic reasons. Imagine the leaking can turn worse bit by bit in a long running server and KVM will definitely have a generic accounting interface for reporting the numbers to the userspace later. Having a explicit comment at this time really makes it easier later. > Thanks, > > Steve > > >> + realm->spare_page = PHYS_ADDR_MAX; > >> + } > >> > >> pgd_sz = kvm_pgd_pages(pgt->ia_bits, pgt->start_level); > >> for (i = 0; i < pgd_sz; i++) { > > >
diff --git a/arch/arm64/include/asm/kvm_rme.h b/arch/arm64/include/asm/kvm_rme.h index 055a22accc08..a6318af3ed11 100644 --- a/arch/arm64/include/asm/kvm_rme.h +++ b/arch/arm64/include/asm/kvm_rme.h @@ -21,6 +21,9 @@ struct realm { void *rd; struct realm_params *params; + /* A spare already delegated page */ + phys_addr_t spare_page; + unsigned long num_aux; unsigned int vmid; unsigned int ia_bits; diff --git a/arch/arm64/kvm/rme.c b/arch/arm64/kvm/rme.c index 9f8c5a91b8fc..0c9d70e4d9e6 100644 --- a/arch/arm64/kvm/rme.c +++ b/arch/arm64/kvm/rme.c @@ -148,6 +148,7 @@ static int realm_create_rd(struct kvm *kvm) } realm->rd = rd; + realm->spare_page = PHYS_ADDR_MAX; realm->ia_bits = VTCR_EL2_IPA(kvm->arch.vtcr); if (WARN_ON(rmi_rec_aux_count(rd_phys, &realm->num_aux))) { @@ -357,6 +358,11 @@ void kvm_destroy_realm(struct kvm *kvm) free_page((unsigned long)realm->rd); realm->rd = NULL; } + if (realm->spare_page != PHYS_ADDR_MAX) { + if (!WARN_ON(rmi_granule_undelegate(realm->spare_page))) + free_page((unsigned long)phys_to_virt(realm->spare_page)); + realm->spare_page = PHYS_ADDR_MAX; + } pgd_sz = kvm_pgd_pages(pgt->ia_bits, pgt->start_level); for (i = 0; i < pgd_sz; i++) {