[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration

From: Christian Borntraeger
Subject: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration
Date: Thu, 14 Jan 2021 12:50:12 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0

On 14.01.21 12:45, Dr. David Alan Gilbert wrote:
> * Cornelia Huck (cohuck@redhat.com) wrote:
>> On Thu, 14 Jan 2021 11:52:11 +0100
>> Christian Borntraeger <borntraeger@de.ibm.com> wrote:
>>> On 14.01.21 11:36, Dr. David Alan Gilbert wrote:
>>>> * Christian Borntraeger (borntraeger@de.ibm.com) wrote:  
>>>>> On 13.01.21 13:42, Dr. David Alan Gilbert wrote:  
>>>>>> * Cornelia Huck (cohuck@redhat.com) wrote:  
>>>>>>> On Tue, 5 Jan 2021 12:41:25 -0800
>>>>>>> Ram Pai <linuxram@us.ibm.com> wrote:
>>>>>>>> On Tue, Jan 05, 2021 at 11:56:14AM +0100, Halil Pasic wrote:  
>>>>>>>>> On Mon, 4 Jan 2021 10:40:26 -0800
>>>>>>>>> Ram Pai <linuxram@us.ibm.com> wrote:  
>>>>>>>>>> The main difference between my proposal and the other proposal is...
>>>>>>>>>>   In my proposal the guest makes the compatibility decision and acts
>>>>>>>>>>   accordingly.  In the other proposal QEMU makes the compatibility
>>>>>>>>>>   decision and acts accordingly. I argue that QEMU cannot make a good
>>>>>>>>>>   compatibility decision, because it wont know in advance, if the 
>>>>>>>>>> guest
>>>>>>>>>>   will or will-not switch-to-secure.
>>>>>>>>> You have a point there when you say that QEMU does not know in 
>>>>>>>>> advance,
>>>>>>>>> if the guest will or will-not switch-to-secure. I made that argument
>>>>>>>>> regarding VIRTIO_F_ACCESS_PLATFORM (iommu_platform) myself. My idea
>>>>>>>>> was to flip that property on demand when the conversion occurs. David
>>>>>>>>> explained to me that this is not possible for ppc, and that having the
>>>>>>>>> "securable-guest-memory" property (or whatever the name will be)
>>>>>>>>> specified is a strong indication, that the VM is intended to be used 
>>>>>>>>> as
>>>>>>>>> a secure VM (thus it is OK to hurt the case where the guest does not
>>>>>>>>> try to transition). That argument applies here as well.    
>>>>>>>> As suggested by Cornelia Huck, what if QEMU disabled the
>>>>>>>> "securable-guest-memory" property if 'must-support-migrate' is enabled?
>>>>>>>> Offcourse; this has to be done with a big fat warning stating
>>>>>>>> "secure-guest-memory" feature is disabled on the machine.
>>>>>>>> Doing so, will continue to support guest that do not try to transition.
>>>>>>>> Guest that try to transition will fail and terminate themselves.  
>>>>>>> Just to recap the s390x situation:
>>>>>>> - We currently offer a cpu feature that indicates secure execution to
>>>>>>>   be available to the guest if the host supports it.
>>>>>>> - When we introduce the secure object, we still need to support
>>>>>>>   previous configurations and continue to offer the cpu feature, even
>>>>>>>   if the secure object is not specified.
>>>>>>> - As migration is currently not supported for secured guests, we add a
>>>>>>>   blocker once the guest actually transitions. That means that
>>>>>>>   transition fails if --only-migratable was specified on the command
>>>>>>>   line. (Guests not transitioning will obviously not notice anything.)
>>>>>>> - With the secure object, we will already fail starting QEMU if
>>>>>>>   --only-migratable was specified.
>>>>>>> My suggestion is now that we don't even offer the cpu feature if
>>>>>>> --only-migratable has been specified. For a guest that does not want to
>>>>>>> transition to secure mode, nothing changes; a guest that wants to
>>>>>>> transition to secure mode will notice that the feature is not available
>>>>>>> and fail appropriately (or ultimately, when the ultravisor call fails).
>>>>>>> We'd still fail starting QEMU for the secure object + --only-migratable
>>>>>>> combination.
>>>>>>> Does that make sense?  
>>>>>> It's a little unusual; I don't think we have any other cases where
>>>>>> --only-migratable changes the behaviour; I think it normally only stops
>>>>>> you doing something that would have made it unmigratable or causes
>>>>>> an operation that would make it unmigratable to fail.  
>>>>> I would like to NOT block this feature with --only-migrateable. A guest
>>>>> can startup unprotected (and then is is migrateable). the migration 
>>>>> blocker
>>>>> is really a dynamic aspect during runtime.   
>>>> But the point of --only-migratable is to turn things that would have
>>>> blocked migration into failures, so that a VM started with
>>>> --only-migratable is *always* migratable.  
>>> Hmmm, fair enough. How do we do this with host-model? The constructed model
>>> would contain unpack, but then it will fail to startup? Or do we silently 
>>> drop unpack in that case? Both variants do not feel completely right. 
>> Failing if you explicitly specified unpacked feels right, but failing
>> if you just used the host model feels odd. Removing unpack also is a
>> bit odd, but I think the better option if we want to do anything about
>> it at all.
> 'host-model' feels a bit special; but breaking the rule that
> only-migratable doesn't change behaviour is weird
> Can you do host,-unpack   to make that work explicitly?

I guess that should work. But it means that we need to add logic in libvirt
to disable unpack for host-passthru and host-model. Next problem is then,
that a future version might implement migration of such guests, which means
that libvirt must then stop fencing unpack.

> But hang on; why is 'unpack' the name of a secure guest facility - is
> it really a feature for secure guest or something else?

unpack is the name of the function that unpacks and decrypts the encrypted 
If if is there, then you can switch into the securable guest mode. 

reply via email to

[Prev in Thread] Current Thread [Next in Thread]