[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration
|
From: |
Cornelia Huck |
|
Subject: |
Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration |
|
Date: |
Tue, 12 Jan 2021 09:19:43 +0100 |
On Mon, 11 Jan 2021 11:58:30 -0800
Ram Pai <linuxram@us.ibm.com> wrote:
> On Mon, Jan 11, 2021 at 05:59:14PM +0100, Cornelia Huck wrote:
> > On Tue, 5 Jan 2021 12:41:25 -0800
> > Ram Pai <linuxram@us.ibm.com> wrote:
> >
> > > On Tue, Jan 05, 2021 at 11:56:14AM +0100, Halil Pasic wrote:
> > > > On Mon, 4 Jan 2021 10:40:26 -0800
> > > > Ram Pai <linuxram@us.ibm.com> wrote:
> >
> > > > > The main difference between my proposal and the other proposal is...
> > > > >
> > > > > In my proposal the guest makes the compatibility decision and acts
> > > > > accordingly. In the other proposal QEMU makes the compatibility
> > > > > decision and acts accordingly. I argue that QEMU cannot make a good
> > > > > compatibility decision, because it wont know in advance, if the
> > > > > guest
> > > > > will or will-not switch-to-secure.
> > > > >
> > > >
> > > > You have a point there when you say that QEMU does not know in advance,
> > > > if the guest will or will-not switch-to-secure. I made that argument
> > > > regarding VIRTIO_F_ACCESS_PLATFORM (iommu_platform) myself. My idea
> > > > was to flip that property on demand when the conversion occurs. David
> > > > explained to me that this is not possible for ppc, and that having the
> > > > "securable-guest-memory" property (or whatever the name will be)
> > > > specified is a strong indication, that the VM is intended to be used as
> > > > a secure VM (thus it is OK to hurt the case where the guest does not
> > > > try to transition). That argument applies here as well.
> > >
> > > As suggested by Cornelia Huck, what if QEMU disabled the
> > > "securable-guest-memory" property if 'must-support-migrate' is enabled?
> > > Offcourse; this has to be done with a big fat warning stating
> > > "secure-guest-memory" feature is disabled on the machine.
> > > Doing so, will continue to support guest that do not try to transition.
> > > Guest that try to transition will fail and terminate themselves.
> >
> > Just to recap the s390x situation:
> >
> > - We currently offer a cpu feature that indicates secure execution to
> > be available to the guest if the host supports it.
> > - When we introduce the secure object, we still need to support
> > previous configurations and continue to offer the cpu feature, even
> > if the secure object is not specified.
> > - As migration is currently not supported for secured guests, we add a
> > blocker once the guest actually transitions. That means that
> > transition fails if --only-migratable was specified on the command
> > line. (Guests not transitioning will obviously not notice anything.)
> > - With the secure object, we will already fail starting QEMU if
> > --only-migratable was specified.
> >
> > My suggestion is now that we don't even offer the cpu feature if
> > --only-migratable has been specified. For a guest that does not want to
> > transition to secure mode, nothing changes; a guest that wants to
> > transition to secure mode will notice that the feature is not available
> > and fail appropriately (or ultimately, when the ultravisor call fails).
>
>
> On POWER, secure-execution is not **automatically** enabled even when
> the host supports it. The feature is enabled only if the secure-object
> is configured, and the host supports it.
Yes, the cpu feature on s390x is simply pre-existing.
>
> However the behavior proposed above will be consistent on POWER and
> on s390x, when '--only-migratable' is specified and 'secure-object'
> is NOT specified.
>
> So I am in agreement till now.
>
>
> > We'd still fail starting QEMU for the secure object + --only-migratable
> > combination.
>
> Why fail?
>
> Instead, print a warning and disable the secure-object; which will
> disable your cpu-feature. Guests that do not transition to secure, will
> continue to operate, and guests that transition to secure, will fail.
But that would be consistent with how other non-migratable objects are
handled, no? It's simply a case of incompatible options on the command
line.
- Re: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/04
- Re: [EXTERNAL] Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Halil Pasic, 2021/01/04
- RE: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/04
- Re: [EXTERNAL] Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Halil Pasic, 2021/01/05
- RE: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/05
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Cornelia Huck, 2021/01/11
- RE: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/11
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration,
Cornelia Huck <=
- RE: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/12
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Cornelia Huck, 2021/01/13
- Re: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Ram Pai, 2021/01/15
- Re: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Cornelia Huck, 2021/01/19
- Re: Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Daniel P . Berrangé, 2021/01/19
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Daniel P . Berrangé, 2021/01/14
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Dr. David Alan Gilbert, 2021/01/13
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Christian Borntraeger, 2021/01/14
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Dr. David Alan Gilbert, 2021/01/14
- Re: [for-6.0 v5 11/13] spapr: PEF: prevent migration, Christian Borntraeger, 2021/01/14