On 8/24/2021 1:31 PM, Bjorn Helgaas wrote:
> On Tue, Aug 24, 2021 at 01:14:02PM -0700, Andi Kleen wrote:
>> On 8/24/2021 11:55 AM, Bjorn Helgaas wrote:
>>> [+cc Rajat; I still don't know what "shared memory with a hypervisor
>>> in a confidential guest" means,
>> A confidential guest is a guest which uses memory encryption to isolate
>> itself from the host. It doesn't trust the host. But it still needs to
>> communicate with the host for IO, so it has some special memory areas that
>> are explicitly marked shared. These are used to do IO with the host. All
>> their usage needs to be carefully hardened to avoid any security attacks on
>> the guest; that's why we want to limit this interaction only to a small set
>> of hardened drivers. For MMIO, the set is currently only virtio and MSI-X.
> Good material for the commit log next time around. Thanks!
This is all in the patch intro too, which should make it into the merge
commits.
I don't think we can reexplain the basic concepts for every individual
patch in a large patch kit.
-Andi
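Added illustration (not code from this thread or from the patch set) of why "all their usage needs to be carefully hardened": a descriptor in memory shared with the host can be rewritten by the host at any instant, so a guest that reads a host-controlled field twice (once to check it, once to use it) can be tricked between the two reads. The struct, the buffer sizes, the `host_between_check_and_use` hook that stands in for a concurrently-writing host, and both consumer functions are constructed for this example; a real driver would read the field from a page marked shared, not from a stack variable.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a descriptor living in host-shared memory.
 * Every field is attacker-controlled and is accessed as volatile. */
#define SHARED_DATA_MAX 64
#define GUEST_BUF       32   /* size of the guest's private copy */

struct shared_desc {
    volatile uint32_t len;                   /* host-written payload length */
    volatile uint8_t  data[SHARED_DATA_MAX]; /* host-written payload bytes  */
};

/* Hypothetical hook standing in for a host that rewrites the descriptor
 * between the guest's check and its use. NULL models a benign host. */
static void (*host_between_check_and_use)(struct shared_desc *) = NULL;

/* Naive consumer: reads d->len once for the bounds check and again as the
 * loop bound. A host that grows len in between makes the loop copy more
 * than was checked. Returns the byte count it copied; a result above
 * out_len means the guest's private buffer was overrun. (The write is
 * capped at SHARED_DATA_MAX only so this demo itself stays in bounds.) */
static long copy_naive(struct shared_desc *d, uint8_t *out, size_t out_len)
{
    if (d->len > out_len)                    /* read #1: the check */
        return -1;
    if (host_between_check_and_use)
        host_between_check_and_use(d);
    long copied = 0;
    for (uint32_t i = 0; i < d->len; i++) {  /* read #2: the use */
        if (i < SHARED_DATA_MAX)
            out[i] = d->data[i];
        copied++;
    }
    return copied;
}

/* Hardened consumer: snapshot the host-controlled field exactly once into
 * guest-private storage, validate the snapshot, and never consult the
 * shared field again. Later host writes to len are simply irrelevant. */
static long copy_hardened(struct shared_desc *d, uint8_t *out, size_t out_len)
{
    uint32_t len = d->len;                   /* the only read of len */
    if (len > out_len || len > SHARED_DATA_MAX)
        return -1;
    if (host_between_check_and_use)
        host_between_check_and_use(d);
    for (uint32_t i = 0; i < len; i++)       /* bounded by private copy */
        out[i] = d->data[i];
    return (long)len;
}

/* Simulated malicious host: enlarges len after the guest has checked it. */
static void host_grow_len(struct shared_desc *d)
{
    d->len = 48;
}

/* Runs one scenario: descriptor with len = 16, the given host behaviour,
 * and the given consumer copying into a GUEST_BUF-sized private buffer.
 * Returns whatever the consumer returned. */
static long run_scenario(long (*copy)(struct shared_desc *, uint8_t *, size_t),
                         void (*host)(struct shared_desc *))
{
    struct shared_desc d;
    uint8_t out[SHARED_DATA_MAX];  /* oversized so the naive overrun is observable, not UB */
    for (uint32_t i = 0; i < SHARED_DATA_MAX; i++)
        d.data[i] = (uint8_t)i;
    d.len = 16;
    host_between_check_and_use = host;
    long r = copy(&d, out, GUEST_BUF);
    host_between_check_and_use = NULL;
    return r;
}

int main(void)
{
    printf("naive, benign host:     %ld\n", run_scenario(copy_naive, NULL));
    printf("naive, hostile host:    %ld (overran a %d-byte buffer)\n",
           run_scenario(copy_naive, host_grow_len), GUEST_BUF);
    printf("hardened, benign host:  %ld\n", run_scenario(copy_hardened, NULL));
    printf("hardened, hostile host: %ld\n", run_scenario(copy_hardened, host_grow_len));
    return 0;
}
```

The same rule applies to every value a driver pulls from a shared page or an MMIO register backed by the host: copy it once, validate the copy, act only on the copy. That is the kind of audit each driver on the allowlist has to survive, and it is why the set of drivers allowed to touch shared memory is kept small.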