machine/memory encryption: Disable mem merge

[PATCH] machine/memory encryption: Disable mem merge

Posted by Dr. David Alan Gilbert (git) 5 years, 9 months ago

From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>

When a host is running with memory encryption, the memory isn't visible
to the host kernel; attempts to merge that memory are futile because
what it's really comparing is encrypted memory, usually encrypted
with different keys.

Automatically turn mem-merge off when memory encryption is specified.

https://bugzilla.redhat.com/show_bug.cgi?id=1796356

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
 hw/core/machine.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/core/machine.c b/hw/core/machine.c
index 3e288bfceb..029e1f85b8 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -419,6 +419,14 @@ static void machine_set_memory_encryption(Object *obj, const char *value,
 
     g_free(ms->memory_encryption);
     ms->memory_encryption = g_strdup(value);
+
+    /*
+     * With memory encryption, the host can't see the real contents of RAM,
+     * so there's no point in it trying to merge areas.
+     */
+    if (value) {
+        machine_set_mem_merge(obj, false, errp);
+    }
 }
 
 static bool machine_get_nvdimm(Object *obj, Error **errp)
-- 
2.24.1

Re: [PATCH] machine/memory encryption: Disable mem merge

Posted by Philippe Mathieu-Daudé 5 years, 9 months ago

On 1/30/20 6:50 PM, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> 
> When a host is running with memory encryption, the memory isn't visible
> to the host kernel; attempts to merge that memory are futile because
> what it's really comparing is encrypted memory, usually encrypted
> with different keys.
> 
> Automatically turn mem-merge off when memory encryption is specified.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1796356
> 
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
>   hw/core/machine.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/hw/core/machine.c b/hw/core/machine.c
> index 3e288bfceb..029e1f85b8 100644
> --- a/hw/core/machine.c
> +++ b/hw/core/machine.c
> @@ -419,6 +419,14 @@ static void machine_set_memory_encryption(Object *obj, const char *value,
>   
>       g_free(ms->memory_encryption);
>       ms->memory_encryption = g_strdup(value);
> +
> +    /*
> +     * With memory encryption, the host can't see the real contents of RAM,
> +     * so there's no point in it trying to merge areas.
> +     */
> +    if (value) {
> +        machine_set_mem_merge(obj, false, errp);

Using the helper is cleaner than accessing ms->mem_merge.
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

> +    }
>   }
>   
>   static bool machine_get_nvdimm(Object *obj, Error **errp)
>

Re: [PATCH] machine/memory encryption: Disable mem merge

Posted by Eduardo Habkost 5 years, 8 months ago

On Thu, Jan 30, 2020 at 05:50:46PM +0000, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
> 
> When a host is running with memory encryption, the memory isn't visible
> to the host kernel; attempts to merge that memory are futile because
> what it's really comparing is encrypted memory, usually encrypted
> with different keys.
> 
> Automatically turn mem-merge off when memory encryption is specified.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1796356
> 
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

Queued, thanks.

-- 
Eduardo