Re: Rename restrictedmem => guardedmem? (was: Re: [PATCH v10 0/9] KVM: mm: fd-based approach for supporting KVM)

[David Hildenbrand]

On 17.04.23 21:16, Sean Christopherson wrote:
> On Mon, Apr 17, 2023, David Hildenbrand wrote:
> > On 17.04.23 18:40, Sean Christopherson wrote:
> > > On Mon, Apr 17, 2023, David Hildenbrand wrote:
> > > > On 17.04.23 17:40, Sean Christopherson wrote:
> > > > > I want to start referring to the code/patches by its syscall/implementation name
> > > > > instead of "UPM", as "UPM" is (a) very KVM centric, (b) refers to the broader effort
> > > > > and not just the non-KVM code, and (c) will likely be confusing for future reviewers
> > > > > since there's nothing in the code that mentions "UPM" in any way.
> > > > >
> > > > > But typing out restrictedmem is quite tedious, and git grep shows that "rmem" is
> > > > > already used to refer to "reserved memory".
> > > > >
> > > > > Renaming the syscall to "guardedmem"...
> > > >
> > > > restrictedmem, guardedmem, ... all fairly "suboptimal" if you'd ask me ...
> > >
> > > I'm definitely open to other suggestions, but I suspect it's going to be difficult
> > > to be more precise than something like "guarded".
> >
> > Guardedmem is just as bad as restrictedmem IMHO, sorry.
> >
> >
> > Restricted: what's restricted? how does the restriction manifest? secretmem
> > also has it's restrictions/limitations (pinning), why does that one not fall
> > under the same category?
> >
> > Make a stranger guess what "restrictedmem" is and I can guarantee that it
> > has nothing to do with the concept we're introducing here.
> >
> >
> > Guarded: what's guarded? From whom? For which purpose? How does the
> > "guarding" manifest?
>
> I completely agree that "guarded" lacks precision, but as above, I've pretty much
> given up hope of being super precise.  I actually like "restricted", I just don't
> like that I can't shorten the name.
>
> Hmm, maybe that won't be a huge problem in practice.  I can't say I've ever heard
> any use "rmem" in verbale or written communication, it's primarily just "rmem" in
> code that we can't use, and I don't mind having to use restrictedmem for the namespace.
> So maybe we can use "rmem", just not in code?
>
> Or, we could pretend we're pirates and call it arrrmem!, which is definitely going
> to be how I refer to it in my internal dialogue if we keep "restricted" :-)

:)

> > Again, make a stranger guess what "guardedmem" is and I can guarantee that
> > it has nothing to do with the concept we're introducing here.
> >
> > If, at all, the guess might be "guarded storage" [1] on s390x, which, of
> > course, has nothing to do with the concept here.
>
> Oof, and guarded storage is even documented in Documentation/virt/kvm/api.rst.
>
> > (storage on s390x is just the dinosaur slang for memory)
> >
> >
> > Often, if we fail to find a good name, the concept is either unclear or not
> > well defined.
> >
> > So what are the characteristics we want to generalize under that new name?
> > We want to have an fd, that
> >
> > (a) cannot be mapped into user space (mmap)
> > (b) cannot be accessed using ordinary system calls (read/write)
> > (c) can still be managed like other fds (fallocate, future NUMA
> >      policies?)
> > (d) can be consumed by some special entities that are allowed to
> >      read/write/map.
> >
> > So the fd content is inaccessible using the ordinary POSIX syscalls. It's
> > only accessible by special entities (e.g., KVM).
> >
> > Most probably I am forgetting something. But maybe that will help to find a
> > more expressive name. Maybe :)
>
> Hidden/Concealed/etc - Too close to secretmem, suffers the "hidden from whom" problem,
> and depending on the use case, the memory may not actually be concealed from the
> user that controls the VMM.
>
> Restricted - "rmem" collides with "reserved memory" in code.
>
> Guarded - Conflicts with s390's "guarded storage", has the "from whom" problem.
>
> Inaccessible - Many of the same problems as "hidden".
>
> Unmappable - Doesn't cover things like read/write, and is wrong in the sense that
> the memory is still mappable, just not via mmap().
>
> Secured - I'm not getting anywhere near this one :-)

The think about "secretmem" that I kind-of like (a little) is that it 
explains what it's used for: storing secrets. We don't call it 
"unmapped" memory because we unmap it from the directmap or "unpinnable" 
memory or "inaccessible" memory ... or even "restricted" because it has 
restrictions ... how the secrets are protected is kind of an 
implementation detail.

So instead of describing *why*/*how* restrictedmem is the weird kid 
(restricted/guarded/hidden/restricted/inaccessible/ ...), maybe rather 
describe what it's used for?

I know, I know, "there are other use cases where it will be used outside 
of VM context". I really don't care. "memfd_vm" / "vm_mem" would be sooo 
(feel free to add some more o's here) much easier to get. It's a special 
fd to be used to back VM memory. Depending on the VM type 
(encrypted/protected/whatever), restrictions might apply (not able to 
mmap, not able to read/write ...). For example, there really is no need 
to disallow mmap/read/write when using that memory to back a simple VM 
where all we want to do is avoid user-space page tables.

--
Thanks,

David / dhildenb