[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH V1 3/6] xen/virtio: Add option to restrict memory access under Xen
- To: Borislav Petkov <bp@xxxxxxxxx>, Oleksandr <olekstysh@xxxxxxxxx>
- From: Juergen Gross <jgross@xxxxxxxx>
- Date: Tue, 26 Apr 2022 07:16:16 +0200
- Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, x86@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, "H. Peter Anvin" <hpa@xxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, Tom Lendacky <thomas.lendacky@xxxxxxx>
- Delivery-date: Tue, 26 Apr 2022 05:16:38 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 25.04.22 23:25, Borislav Petkov wrote:
On Mon, Apr 25, 2022 at 11:38:36PM +0300, Oleksandr wrote:
diff --git a/include/linux/cc_platform.h b/include/linux/cc_platform.h
index efd8205..d06bc7a 100644
--- a/include/linux/cc_platform.h
+++ b/include/linux/cc_platform.h
@@ -72,6 +72,19 @@ enum cc_attr {
* Examples include TDX guest & SEV.
*/
CC_ATTR_GUEST_UNROLL_STRING_IO,
+
+ /**
+ * @CC_ATTR_GUEST_MEM_ACCESS_RESTRICTED: Restricted memory access to
+ * Guest memory is active
+ *
+ * The platform/OS is running as a guest/virtual machine and uses
+ * the restricted access to its memory. This attribute is set if
either
+ * Guest memory encryption or restricted memory access using Xen
grant
+ * mappings is active.
+ *
+ * Examples include Xen guest and SEV.
Wait, whaaat?
The cc_platform* stuff is for *confidential computing* guests to check
different platform aspects.
From quickly skimming over this, this looks like a misuse to me.
Christoph suggested (rather firmly) this would be the way to go.
Why can't you query this from the hypervisor just like you do your other
querying about what is supported, etc? Hypercalls, CPUID, whatever...
This is needed on guest side at a rather hypervisor independent place.
So a capability of some sort seems appropriate.
Another suggestion of mine was to have a callback (or flag) in
struct x86_hyper_runtime for that purpose.
Juergen
Attachment:
OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
|
