
Re: [RFC PATCH 00/26] Confidential guest live migration


From: Paolo Bonzini
Subject: Re: [RFC PATCH 00/26] Confidential guest live migration
Date: Thu, 4 Mar 2021 10:10:43 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0

On 02/03/21 21:47, Dov Murik wrote:
> In order to allow OVMF to run the migration helper in parallel to the
> guest OS, we introduce the notion of auxiliary vcpus, which are usable
> for OVMF but are hidden from the guest OS.  These might have other
> future uses for in-guest operations/agents.

Hi Dov,

I think the helper approach to migration in general is great, but I'm not sure I agree with the concept of auxiliary vCPUs. I would rather have a completely separate VM file descriptor that does not even go through the regular KVM run loop. Patches were posted recently to the KVM mailing list to create secondary VMs sharing the encryption context (ASID) with a primary VM.

When starting the VM, the firmware would proceed with attestation as usual, detect it was running as a migration helper VM during the SEC phase, and divert execution to the migration helper instead of continuing with PEI.

The main advantage would be that the migration VM would not have to share the address space with the primary VM. This would allow migrating encrypted RAM areas that are not visible to the primary VM, for example PCI BARs (those areas would be a problem for the kernel migration bitmap though; I'll remark on that separately on Ashish's KVM series).

The VM would not even have an interrupt controller, so that HLT exits to the host when it's done processing the mailbox. This would make it much simpler to audit both the QEMU and the firmware sides.

Paolo

> In the target VM we need the migration handler running to receive
> incoming RAM pages; to achieve that, we boot the VM into OVMF with a
> special fw_cfg value that causes OVMF to not boot the guest OS; we then
> allow QEMU to receive an incoming migration by issuing a new
> start-migrate-incoming QMP command.
>
> The confidential RAM migration requires checking whether a given guest
> RAM page is encrypted or not.  This is currently achieved using AMD's
> patches which track the encryption status of guest pages in KVM, using
> hypercalls from OVMF and guest Linux to report changes of such status.
> The QEMU side of these patches is included as the first two patches in
> this series.  The concrete implementation of this page encryption tracking
> is currently in flux in the KVM mailing list, but the underlying
> implementation doesn't affect our confidential RAM migration as long as
> it can check whether a given guest address is encrypted.
>
> List of patches in this series:
>
> 1-2: reposting AMD encrypted page bitmap support.
> 3-11: introduce the notion of auxiliary vcpus.
> 12-21: introduce the migration specifics.
> 22-23: fix device issues when loading state into a live VM
> 24: introduce the start-migrate-incoming QMP command to switch the
> target into accepting the incoming migration.
> 25: remove SEV migration blocker
> 26: add documentation


> Brijesh Singh (1):
>    kvm: add support to sync the page encryption state bitmap
>
> Dov Murik (21):
>    linux-headers: Add definitions of KVM page encryption bitmap ioctls
>    machine: Add auxcpus=N suboption to -smp
>    hw/boards: Add aux flag to CPUArchId
>    hw/i386: Mark auxiliary vcpus in possible_cpus
>    cpu: Add boolean aux field to CPUState
>    hw/i386: Set CPUState.aux=true for auxiliary vcpus
>    softmmu: Don't sync aux vcpus in pre_loadvm
>    softmmu: Add cpu_synchronize_without_aux_post_init
>    migration: Add helpers to save confidential RAM
>    migration: Add helpers to load confidential RAM
>    migration: Introduce gpa_inside_migration_helper_shared_area
>    migration: Save confidential guest RAM using migration helper
>    migration: Load confidential guest RAM using migration helper
>    migration: Stop VM after loading confidential RAM
>    migration: Don't sync vcpus when migrating confidential guests
>    migration: When starting target, don't sync auxiliary vcpus
>    hw/isa/lpc_ich9: Allow updating an already-running VM
>    target/i386: Re-sync kvm-clock after confidential guest migration
>    migration: Add start-migrate-incoming QMP command
>    target/i386: SEV: Allow migration unless there are no aux vcpus
>    docs: Add confidential guest live migration documentation
>
> Tobin Feldman-Fitzthum (4):
>    hw/acpi: Don't include auxiliary vcpus in ACPI tables
>    softmmu: Add pause_all_vcpus_except_aux
>    migration: Stop non-aux vcpus before copying the last pages
>    migration: Call migration handler cleanup routines
>
>   docs/confidential-guest-live-migration.rst | 142 ++++++++++++
>   docs/confidential-guest-support.txt        |   5 +
>   docs/index.rst                             |   1 +
>   qapi/migration.json                        |  26 +++
>   include/exec/ram_addr.h                    | 197 ++++++++++++++++
>   include/exec/ramblock.h                    |   3 +
>   include/exec/ramlist.h                     |   3 +-
>   include/hw/boards.h                        |   3 +
>   include/hw/core/cpu.h                      |   2 +
>   include/hw/i386/x86.h                      |   2 +-
>   include/sysemu/cpus.h                      |   2 +
>   linux-headers/linux/kvm.h                  |  13 ++
>   migration/confidential-ram.h               |  23 ++
>   accel/kvm/kvm-all.c                        |  43 ++++
>   hw/acpi/cpu.c                              |  10 +
>   hw/core/cpu.c                              |   1 +
>   hw/core/machine.c                          |   7 +
>   hw/i386/acpi-build.c                       |   5 +
>   hw/i386/acpi-common.c                      |   5 +
>   hw/i386/pc.c                               |   7 +
>   hw/i386/x86.c                              |  10 +-
>   hw/isa/lpc_ich9.c                          |   3 +-
>   migration/confidential-ram.c               | 258 +++++++++++++++++++++
>   migration/migration.c                      |  18 +-
>   migration/ram.c                            | 135 ++++++++++-
>   migration/savevm.c                         |  13 +-
>   softmmu/cpus.c                             |  68 +++++-
>   softmmu/runstate.c                         |   1 +
>   softmmu/vl.c                               |   3 +
>   target/i386/machine.c                      |   9 +
>   target/i386/sev.c                          |  25 +-
>   migration/meson.build                      |   6 +-
>   migration/trace-events                     |   4 +
>   33 files changed, 1027 insertions(+), 26 deletions(-)
>   create mode 100644 docs/confidential-guest-live-migration.rst
>   create mode 100644 migration/confidential-ram.h
>   create mode 100644 migration/confidential-ram.c
>
>
> base-commit: 00d8ba9e0d62ea1c7459c25aeabf9c8bb7659462
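Both the cover letter and Paolo's reply hinge on one check: whether a given guest page is encrypted. The C below is an added illustration, not code from QEMU or from this series: a constructed model of the KVM page-encryption bitmap the cover letter describes, updated as the firmware or guest reports status changes by hypercall, and consulted by the RAM migration path to route each page through the migration helper or the plain path. The page size, the fixed location of the helper's shared area, and the choice to keep that area out of per-page routing are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define NPAGES     64                        /* constructed: a 64-page guest */

/* Assumed location of the migration helper's shared mailbox (pages 60..63). */
#define MH_SHARED_BASE (60ULL << PAGE_SHIFT)
#define MH_SHARED_SIZE (4ULL << PAGE_SHIFT)

enum page_route { ROUTE_PLAIN, ROUTE_HELPER, ROUTE_SKIP };

/* Bit i set => guest page i is encrypted (private). Models the KVM bitmap. */
struct enc_bitmap { uint64_t bits; };

/* SEV guest memory starts out encrypted; pages become shared only when the
 * firmware or guest kernel reports the change via hypercall. */
static void enc_bitmap_init(struct enc_bitmap *bm) { bm->bits = ~0ULL; }

/* Apply one reported status change for [gpa, gpa+len); partial pages are
 * rounded outwards so every touched page is covered. */
static void enc_bitmap_update(struct enc_bitmap *bm, uint64_t gpa,
                              uint64_t len, bool encrypted)
{
    uint64_t first = gpa >> PAGE_SHIFT;
    uint64_t end = (gpa + len + PAGE_SIZE - 1) >> PAGE_SHIFT;   /* exclusive */
    for (uint64_t p = first; p < end && p < NPAGES; p++) {
        if (encrypted)
            bm->bits |= 1ULL << p;
        else
            bm->bits &= ~(1ULL << p);
    }
}

static bool gpa_inside_mh_shared_area(uint64_t gpa)
{
    return gpa >= MH_SHARED_BASE && gpa < MH_SHARED_BASE + MH_SHARED_SIZE;
}

/* Decide how the RAM migration path should handle one guest page. */
static enum page_route route_page(const struct enc_bitmap *bm, uint64_t gpa)
{
    uint64_t p = gpa >> PAGE_SHIFT;
    if (p >= NPAGES || gpa_inside_mh_shared_area(gpa))
        return ROUTE_SKIP;   /* assumption: the mailbox is the helper's channel, not payload */
    return ((bm->bits >> p) & 1) ? ROUTE_HELPER : ROUTE_PLAIN;
}
```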
