Jason Wang
2021-Jun-03 02:32 UTC
[PATCH v1 1/8] virtio: Force only split mode with protected guest
On 2021/6/3 9:48 AM, Andi Kleen wrote:
>
>> So we will see huge performance regression without indirect
>> descriptor. We need to consider to address this.
>
> A regression would be when some existing case would be slower.
>
> That's not the case because the behavior for the existing cases does
> not change.
>
> Anyways when there are performance problems they can be addressed, but
> first is to make it secure.

I agree, but I want to know why indirect descriptor needs to be
disabled. The table can't be written by the device since it's not
coherent swiotlb mapping.

Thanks

>
> -Andi
>
>
>>
>> Thanks
>>
>>
>>>              break;
>>>          case VIRTIO_RING_F_EVENT_IDX:
>>>              break;
>>> @@ -2231,9 +2240,12 @@ void vring_transport_features(struct
>>> virtio_device *vdev)
>>>          case VIRTIO_F_ACCESS_PLATFORM:
>>>              break;
>>>          case VIRTIO_F_RING_PACKED:
>>> +            if (protected_guest_has(VM_MEM_ENCRYPT))
>>> +                goto clear;
>>>              break;
>>>          case VIRTIO_F_ORDER_PLATFORM:
>>>              break;
>>> +        clear:
>>>          default:
>>>              /* We don't understand this bit. */
>>>              __virtio_clear_bit(vdev, i);
>>
>
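Review bot: the new `clear:` label in front of `default:` routes the VIRTIO_F_RING_PACKED case into an arm whose only comment is "We don't understand this bit.", which is wrong for this path: the driver understands packed rings and is deliberately refusing them for memory-encrypted guests, and nothing in the hunk says why. Rather than a forward `goto` into the `default:` arm, call the clear directly in the case with a comment stating the reason, e.g. `/* Packed ring not yet hardened against an untrusted device; force split mode. */` followed by `__virtio_clear_bit(vdev, i);` under the `protected_guest_has(VM_MEM_ENCRYPT)` check, and leave the `default:` comment describing only unknown bits. If the `goto` stays, the label should at least carry its own comment so the next reader does not take the "don't understand" remark at face value.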
Andi Kleen
2021-Jun-03 02:56 UTC
[PATCH v1 1/8] virtio: Force only split mode with protected guest
> I agree, but I want to know why indirect descriptor needs to be
> disabled. The table can't be written by the device since it's not
> coherent swiotlb mapping.

I had all kinds of problems with uninitialized entries in the indirect
table. So I gave up on it and concluded it would be too difficult to
secure.

-Andi
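Both messages above take for granted what "make it secure" means for the split ring that the series keeps enabled: in a memory-encrypted guest the device is untrusted, so the one ring structure the device writes and the driver reads, the used ring, has to be validated against driver-private state before any `id` or `len` in it is acted on. The following is an added user-space model of that check; it is example code written for this page, not code from the patch series or from the Linux `virtio_ring` implementation. The `struct vring_desc` and `struct vring_used_elem` layouts follow the virtio split-ring specification; `struct desc_state`, `check_used_elem`, `post_chain`, `run_demo` and the sample ring contents are constructed for the example.

```c
/* Added example: validating device-written used-ring entries in a split
 * virtqueue when the device is untrusted (memory-encrypted guest).
 * Illustrative code for this page, not from the patch series or the
 * kernel; struct layouts follow the virtio spec, all helper names and the
 * sample ring contents are assumptions made for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4

struct vring_desc {            /* split-ring descriptor, driver-written */
	uint64_t addr;
	uint32_t len;
	uint16_t flags;
	uint16_t next;
};

struct vring_used_elem {       /* used-ring entry, DEVICE-written */
	uint32_t id;               /* head of the chain the device says it used */
	uint32_t len;              /* bytes the device claims it wrote */
};

/* Driver-private bookkeeping per head; never mapped for the device. */
struct desc_state {
	bool     in_flight;        /* posted and not yet returned */
	uint32_t writable_len;     /* total device-writable bytes in the chain */
};

enum used_verdict {
	USED_OK = 0,
	USED_BAD_ID,               /* id >= ring size */
	USED_NOT_A_HEAD,           /* never posted, or already returned (replay) */
	USED_LEN_TOO_LARGE,        /* claims more than the chain could hold */
};

/* Check one used element against private state; on success retire the
 * head and hand back the (now trusted-bounded) length. */
enum used_verdict check_used_elem(const struct vring_used_elem *e,
				  struct desc_state *state, uint32_t num,
				  uint32_t *len_out)
{
	if (e->id >= num)
		return USED_BAD_ID;
	if (!state[e->id].in_flight)
		return USED_NOT_A_HEAD;
	if (e->len > state[e->id].writable_len)
		return USED_LEN_TOO_LARGE;
	state[e->id].in_flight = false;
	*len_out = e->len;
	return USED_OK;
}

/* Record a posted chain: walk it with bounds and cycle guards, summing the
 * device-writable bytes the used len may later be checked against. */
bool post_chain(const struct vring_desc *desc, uint32_t num, uint16_t head,
		struct desc_state *state)
{
	uint32_t writable = 0, hops = 0;
	uint16_t i = head;

	if (head >= num || state[head].in_flight)
		return false;
	for (;;) {
		if (i >= num || hops++ >= num)     /* out of range or a loop */
			return false;
		if (desc[i].flags & VRING_DESC_F_INDIRECT)
			return false;                  /* not modelled here */
		if (desc[i].flags & VRING_DESC_F_WRITE)
			writable += desc[i].len;
		if (!(desc[i].flags & VRING_DESC_F_NEXT))
			break;
		i = desc[i].next;
	}
	state[head].in_flight = true;
	state[head].writable_len = writable;
	return true;
}

/* Constructed scenario: a 4-entry ring with one chain 0->1 (1 KiB out,
 * 4 KiB in) and five used entries a hostile device might return.
 * Returns how many were accepted (expected: 1). */
int run_demo(void)
{
	enum { NUM = 4 };
	struct vring_desc desc[NUM] = {
		{ .addr = 0x1000, .len = 1024, .flags = VRING_DESC_F_NEXT, .next = 1 },
		{ .addr = 0x2000, .len = 4096, .flags = VRING_DESC_F_WRITE, .next = 0 },
	};
	struct desc_state state[NUM] = { { 0 } };
	const struct vring_used_elem from_device[] = {
		{ .id = 7, .len = 10 },      /* index past the ring */
		{ .id = 1, .len = 10 },      /* a non-head descriptor */
		{ .id = 0, .len = 65536 },   /* overstated length */
		{ .id = 0, .len = 512 },     /* legitimate completion */
		{ .id = 0, .len = 512 },     /* replay of a retired head */
	};
	static const char *name[] = { "OK", "BAD_ID", "NOT_A_HEAD", "LEN_TOO_LARGE" };
	int accepted = 0;

	if (!post_chain(desc, NUM, 0, state))
		return -1;
	for (size_t i = 0; i < sizeof(from_device) / sizeof(from_device[0]); i++) {
		uint32_t len = 0;
		enum used_verdict v = check_used_elem(&from_device[i], state, NUM, &len);
		printf("used{id=%u,len=%u}: %s\n", from_device[i].id, from_device[i].len, name[v]);
		if (v == USED_OK)
			accepted++;
	}
	return accepted;
}

int main(void)
{
	return run_demo() == 1 ? 0 : 1;
}
```

The point of keeping `desc_state` in private memory is that every field the driver relies on (whether a head is outstanding, how many bytes the device was allowed to write) comes from the driver's own record, and the device-supplied `id` and `len` are only ever used after being bounded by it; the same discipline is what the indirect-table path would need before it could be re-enabled.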