[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [PATCH] virtio-balloon: add an untrusted device feature
On Wed, Aug 03, 2022 at 08:44:41AM +0000, Keir Fraser wrote:
> Add a feature bit to indicate that guest memory is protected from the
> host by the Trusted Compyuting Base (TCB).
Typo.
> This flag indicates to the
> driver that memory ownership must be relinquished via the TCB, by
> platform-specific means, before reporting that memory to the device.
Thanks for the proposal! I feel it needs to be more detailed to be
useful. In particular we need a bit more info about TCB and memory
ownership here I feel, so people can interpret this. Is there a spec
link?
>
> Signed-off-by: Keir Fraser <keirf@google.com>
> ---
> content.tex | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> diff --git a/content.tex b/content.tex
> index e863709..1575ab7 100644
> --- a/content.tex
> +++ b/content.tex
> @@ -5543,6 +5543,9 @@ \subsection{Feature bits}\label{sec:Device Types / Memory Balloon Device / Featu
> Configuration field \field{poison_val} is valid.
> \item[ VIRTIO_BALLOON_F_PAGE_REPORTING(5) ] The device has support for free
> page reporting. A virtqueue for reporting free guest memory is present.
> +\item[ VIRTIO_BALLOON_F_UNTRUSTED_DEVICE(6) ] The driver must
> + relinquish memory ownership via the Trusted Computing Base (TCB) before
> + notifying the device.
The name does not seem to match what it does.
>
> \end{description}
>
> @@ -5558,11 +5561,22 @@ \subsection{Feature bits}\label{sec:Device Types / Memory Balloon Device / Featu
> it MUST NOT accept VIRTIO_BALLOON_F_PAGE_REPORTING unless it also
> negotiates VIRTIO_BALLOON_F_PAGE_POISON.
>
> +The driver SHOULD accept the VIRTIO_BALLOON_F_UNTRUSTED_DEVICE
> +feature if offered by the device, and relinquish memory ownership via
> +the TCB by platform-specific means.
> +
> \devicenormative{\subsubsection}{Feature bits}{Device Types / Memory Balloon Device / Feature bits}
> If the device offers the VIRTIO_BALLOON_F_MUST_TELL_HOST feature
> bit, and if the driver did not accept this feature bit, the
> device MAY signal failure by failing to set FEATURES_OK
> \field{device status} bit when the driver writes it.
> +
> +If guest memory is protected from the host,
This does not make it clear how this is different from VIRTIO_F_ACCESS_PLATFORM
which says:
\item[VIRTIO_F_ACCESS_PLATFORM(33)] This feature indicates that
the device can be used on a platform where device access to data
in memory is limited and/or translated.
> the device must offer the
MUST
> +VIRTIO_BALLOON_F_UNTRUSTED_DEVICE feature bit. If the driver does
> +not accept this feature bit, the device MUST signal failure by failing
> +to set FEATURES_OK \field{device status} bit when the driver writes
> +it.
> +
> \subparagraph{Legacy Interface: Feature bits}\label{sec:Device
> Types / Memory Balloon Device / Feature bits / Legacy Interface:
> Feature bits}
> @@ -5573,6 +5587,9 @@ \subsection{Feature bits}\label{sec:Device Types / Memory Balloon Device / Featu
> allow guest to use memory before notifying host if
> VIRTIO_BALLOON_F_MUST_TELL_HOST is not negotiated.
>
> +The legacy interface cannot support VIRTIO_BALLOON_F_UNTRUSTED_DEVICE
> +since there is no way to gracefully report feature negotiation failure.
> +
> \subsection{Device configuration layout}\label{sec:Device Types / Memory Balloon Device / Device configuration layout}
> \field{num_pages} and \field{actual} are always available.
>
> @@ -5647,6 +5664,10 @@ \subsection{Device Operation}\label{sec:Device Types / Memory Balloon Device / D
> pages. These addresses are divided by 4096\footnote{This is historical, and independent of the guest page size.
> } and the descriptor
> describing the resulting 32-bit array is added to the inflateq.
> + \item If the VIRTIO_BALLOON_F_UNTRUSTED_DEVICE feature has been
> + negotiated, the driver MUST relinquish memory ownership via the TCB
> + before adding it to the inflateq.
> +
> \end{enumerate}
>
> \item To remove memory from the balloon (aka. deflate):
Don't we need to take it back before deflate?
> @@ -6105,6 +6126,9 @@ \subsubsection{Free Page Reporting}\label{sec:Device Types / Memory Balloon Devi
> driver MUST initialize all free pages with \field{poison_val} before
> reporting them.
>
> +If the VIRTIO_BALLOON_F_UNTRUSTED_DEVICE feature has been negotiated, the
> +driver MUST notify free pages to the TCB before reporting them.
> +
> The driver MUST NOT use the reported pages until the device has
> acknowledged the reporting request.
Should this affect hinting too?
Is "notify" same as "relinquish ownership"?
Are these terms defined in some spec?
>
> --
> 2.37.1.455.g008518b4e5-goog
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]