On Fri, 16 Jul 2021 09:45:55 +0800
Baoquan He <bhe(a)redhat.com> wrote:
On 07/14/21 at 01:19pm, Philipp Rudo wrote:
> Hi Baoquan,
>
> On Wed, 14 Jul 2021 09:18:31 +0800
> Baoquan He <bhe(a)redhat.com> wrote:
>
> > Hi Philipp,
> >
> > On 07/13/21 at 11:59am, Philipp Rudo wrote:
> > > "prot_virt" enables host protected virtual machines on s390. This
> >
> > This is a great patch, thanks.
>
> thanks
>
> > Since you have investigated and got some knowledge, could you help
> > explain what is host protected virtual machines on s390? What is the
> > difference between normal kvm guest on x86_64/arm64 and this on s390?
>
> The "host protected virtual machines" come from Secure Execution on
> s390 [1] which is similar to AMD SEV. With this the firmware manages
> access to the guest memory such that a KVM host cannot access it (more
> precisely, that the pages get encrypted before the host can access
> them). In addition the guest image gets encrypted with a customer
> specific key that is stored in hardware so the host cannot manipulate
> the guest before executing it. Goal is to prevent malicious host
> attacks.
>
> Shall I update the commit message?

Yeah, if these can be added as background knowledge in the patch log, it
will be much better.

sure, will do.

By the way, do you know why the host protected VM on s390 needs a minimum
of ~2.5GB memory?

I don't know all the details but the memory is provided by the host to
FW and is used to track which page belongs to which guest. IIRC the
memory needed is 1/8 of total memory + some static overhead. As this is
quite a lot on typical hosts the memory gets allocated >2GB (on s390
the region <2GB is special as some HW interfaces only work with
memory in this region, thus it's better to prevent unnecessary clutter
in this region). All in all this adds up to a minimum of ~2.5GB.

Thanks
Philipp
>
> Thanks
> Philipp
>
> [1] https://www.ibm.com/docs/en/linux-on-systems?topic=linux-introduction
>
> >
> > Thanks
> > Baoquan
> >
> > > requires a minimum of ~2.5GB memory and thus exceeds what is typically
> > > reserved for the crashkernel. Thus remove "prot_virt" from the command
> > > line for the 2nd kernel to prevent it from running out of memory.
> > >
> > > Signed-off-by: Philipp Rudo <prudo(a)redhat.com>
> > > ---
> > > kdump.sysconfig.s390x | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/kdump.sysconfig.s390x b/kdump.sysconfig.s390x
> > > index 439e462..234cfe9 100644
> > > --- a/kdump.sysconfig.s390x
> > > +++ b/kdump.sysconfig.s390x
> > > @@ -17,7 +17,7 @@ KDUMP_COMMANDLINE=""
> > > # This variable lets us remove arguments from the current kdump
commandline
> > > # as taken from either KDUMP_COMMANDLINE above, or from /proc/cmdline
> > > # NOTE: some arguments such as crashkernel will always be removed
> > > -KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet
log_buf_len swiotlb vmcp_cma cma hugetlb_cma"
> > > +KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug quiet
log_buf_len swiotlb vmcp_cma cma hugetlb_cma prot_virt"
> > >
> > > # This variable lets us append arguments to the current kdump
commandline
> > > # after processed by KDUMP_COMMANDLINE_REMOVE
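
Review bot: The `+KDUMP_COMMANDLINE_REMOVE=` line adds prot_virt with no in-file hint as to why, and the NOTE above it still names only crashkernel as a special case. The reason (host protected virtualization needs a minimum of ~2.5GB, more than is typically reserved for the crashkernel) lives only in the commit message, so an admin who later edits this list in kdump.sysconfig.s390x has nothing to warn them against dropping the entry. Consider a one-line comment next to the variable saying that prot_virt is removed to keep the 2nd kernel from running out of memory, and, as already agreed in this thread, extending the commit log with the Secure Execution background.
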
> > > --
> > > 2.31.1
> >
>