On Mon, Jan 11, 2021 at 11:58:30AM -0800, Ram Pai wrote: > On Mon, Jan 11, 2021 at 05:59:14PM +0100, Cornelia Huck wrote: > > On Tue, 5 Jan 2021 12:41:25 -0800 > > Ram Pai <linux...@us.ibm.com> wrote: > > > > > On Tue, Jan 05, 2021 at 11:56:14AM +0100, Halil Pasic wrote: > > > > On Mon, 4 Jan 2021 10:40:26 -0800 > > > > Ram Pai <linux...@us.ibm.com> wrote: > > > > > > > The main difference between my proposal and the other proposal is... > > > > > > > > > > In my proposal the guest makes the compatibility decision and acts > > > > > accordingly. In the other proposal QEMU makes the compatibility > > > > > decision and acts accordingly. I argue that QEMU cannot make a good > > > > > compatibility decision, because it wont know in advance, if the > > > > > guest > > > > > will or will-not switch-to-secure. > > > > > > > > > > > > > You have a point there when you say that QEMU does not know in advance, > > > > if the guest will or will-not switch-to-secure. I made that argument > > > > regarding VIRTIO_F_ACCESS_PLATFORM (iommu_platform) myself. My idea > > > > was to flip that property on demand when the conversion occurs. David > > > > explained to me that this is not possible for ppc, and that having the > > > > "securable-guest-memory" property (or whatever the name will be) > > > > specified is a strong indication, that the VM is intended to be used as > > > > a secure VM (thus it is OK to hurt the case where the guest does not > > > > try to transition). That argument applies here as well. > > > > > > As suggested by Cornelia Huck, what if QEMU disabled the > > > "securable-guest-memory" property if 'must-support-migrate' is enabled? > > > Offcourse; this has to be done with a big fat warning stating > > > "secure-guest-memory" feature is disabled on the machine. > > > Doing so, will continue to support guest that do not try to transition. > > > Guest that try to transition will fail and terminate themselves. > > > > Just to recap the s390x situation: > > > > - We currently offer a cpu feature that indicates secure execution to > > be available to the guest if the host supports it. > > - When we introduce the secure object, we still need to support > > previous configurations and continue to offer the cpu feature, even > > if the secure object is not specified. > > - As migration is currently not supported for secured guests, we add a > > blocker once the guest actually transitions. That means that > > transition fails if --only-migratable was specified on the command > > line. (Guests not transitioning will obviously not notice anything.) > > - With the secure object, we will already fail starting QEMU if > > --only-migratable was specified. > > > > My suggestion is now that we don't even offer the cpu feature if > > --only-migratable has been specified. For a guest that does not want to > > transition to secure mode, nothing changes; a guest that wants to > > transition to secure mode will notice that the feature is not available > > and fail appropriately (or ultimately, when the ultravisor call fails). > > > On POWER, secure-execution is not **automatically** enabled even when > the host supports it. The feature is enabled only if the secure-object > is configured, and the host supports it. > > However the behavior proposed above will be consistent on POWER and > on s390x, when '--only-migratable' is specified and 'secure-object' > is NOT specified. > > So I am in agreement till now. > > > > We'd still fail starting QEMU for the secure object + --only-migratable > > combination. > > Why fail? > > Instead, print a warning and disable the secure-object; which will > disable your cpu-feature. Guests that do not transition to secure, will > continue to operate, and guests that transition to secure, will fail.
Ignoring a configuration option that was explicitly requested by the user/mgmt app is bad practice. If a request feature combination cannot be honoured, QEMU must treat that as a fatal error and exit, so that the mgmt app knows their config is unsupported. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
