Re: [PATCH v19 058/130] KVM: x86/mmu: Add a private pointer to struct kvm_mmu_page

From: Huang, Kai
Date: Thu Mar 14 2024 - 17:24:11 EST




On 15/03/2024 7:10 am, Isaku Yamahata wrote:
On Wed, Mar 13, 2024 at 08:51:53PM +0000,
"Edgecombe, Rick P" <rick.p.edgecombe@xxxxxxxxx> wrote:

On Mon, 2024-02-26 at 00:26 -0800, isaku.yamahata@xxxxxxxxx wrote:
From: Isaku Yamahata <isaku.yamahata@xxxxxxxxx>

For private GPA, CPU refers to a private page table whose contents are
encrypted.  The dedicated APIs to operate on it (e.g. updating/reading its
PTE entry) are used and their cost is expensive.

When KVM resolves KVM page fault, it walks the page tables.  To reuse the
existing KVM MMU code and mitigate the heavy cost to directly walk private
page table, allocate one more page to copy the dummy page table for KVM MMU
code to directly walk.  Resolve KVM page fault with the existing code, and
do additional operations necessary for the private page table.

To distinguish such cases, the existing KVM page table is called a shared
page table (i.e. not associated with private page table), and the page
table with private page table is called a private page table.

This makes it sound like the dummy page table for the private alias is
also called a shared page table, but in the drawing below it looks like
only the shared alias is called "shared PT".

How about this,
Call the existing KVM page table associated with shared GPA as shared page table.
Call the KVM page table associated with private GPA as private page table.


For the second one, are you talking about the *true* secure/private EPT page table used by hardware, or the one visible to KVM but not used by hardware?

We have 3 page tables as you mentioned:

PT: page table
- Shared PT is visible to KVM and it is used by CPU.
- Private PT is used by CPU but it is invisible to KVM.
- Dummy PT is visible to KVM but not used by CPU. It is used to
propagate PT change to the actual private PT which is used by CPU.

If I recall correctly, we used to call the last one "mirrored (private) page table".

I lost track of when we changed to use "dummy page table", but it seems to me "mirrored" is better than "dummy" because the latter means it is useless but in fact it is used to propagate changes to the real private page table used by hardware.

Btw, one nit, perhaps:

"Shared PT is visible to KVM and it is used by CPU." -> "Shared PT is visible to KVM and it is used by CPU for shared mappings".

To make it clearer that it is used for "shared mappings".

But this may be unnecessary to others, so up to you.