vmm/linux: Make guest_memfd optional

tylerfanelli · tylerfanelli · commit 6be8e0228019 · 2025-04-16T13:31:42.000-04:00
guest_memfd is required by SEV-SNP guests, and will also be used for
other TEE architectures such as TDX and CCA. Probe if guest_memfd will
be used on the system (non-TEE workloads do not require guest_memfd),
and create/map them if so.

Signed-off-by: Tyler Fanelli &lt;tfanelli@redhat.com&gt;
diff --git a/src/vmm/src/linux/vstate.rs b/src/vmm/src/linux/vstate.rs
@@ -45,15 +45,17 @@ use kvm_bindings::{
 };
 #[cfg(feature = "tee")]
 use kvm_bindings::{
-    kvm_create_guest_memfd, kvm_memory_attributes, kvm_userspace_memory_region2, KVM_API_VERSION,
-    KVM_MEMORY_ATTRIBUTE_PRIVATE, KVM_MEM_GUEST_MEMFD,
+    kvm_create_guest_memfd, kvm_memory_attributes, kvm_userspace_memory_region,
+    kvm_userspace_memory_region2, KVM_API_VERSION, KVM_MEMORY_ATTRIBUTE_PRIVATE,
+    KVM_MEM_GUEST_MEMFD,
 };
-use kvm_ioctls::*;
+use kvm_ioctls::{Cap::*, *};
 use utils::eventfd::EventFd;
 use utils::signal::{register_signal_handler, sigrtmin, Killable};
 use utils::sm::StateMachine;
 use vm_memory::{
     Address, GuestAddress, GuestMemory, GuestMemoryError, GuestMemoryMmap, GuestMemoryRegion,
+    GuestRegionMmap,
 };
 
 #[cfg(feature = "amd-sev")]
@@ -68,6 +70,8 @@ pub enum Error {
     #[cfg(target_arch = "x86_64")]
     /// A call to cpuid instruction failed.
     CpuId(cpuid::Error),
+    /// Unable to create a KVM guest_memfd.
+    CreateGuestMemfd(kvm_ioctls::Error),
     #[cfg(target_arch = "x86_64")]
     /// Error configuring the floating point related registers
     FPUConfiguration(arch::x86_64::regs::Error),
@@ -104,16 +108,12 @@ pub enum Error {
     #[cfg(target_arch = "x86_64")]
     /// Error configuring the general purpose registers
     REGSConfiguration(arch::x86_64::regs::Error),
+    /// Cannot set memory region attributes.
+    SetMemoryAttributes(kvm_ioctls::Error),
     /// Cannot set the memory regions.
     SetUserMemoryRegion(kvm_ioctls::Error),
     /// Error creating memory map for SHM region.
     ShmMmap(io::Error),
-    #[cfg(feature = "tee")]
-    /// Cannot set the memory regions.
-    SetUserMemoryRegion2(kvm_ioctls::Error),
-    #[cfg(feature = "tee")]
-    /// Cannot create guest memfd.
-    CreateGuestMemfd(kvm_ioctls::Error),
     #[cfg(feature = "amd-sev")]
     /// Error initializing the Secure Virtualization Backend (SNP).
     SnpSecVirtInit(SnpError),
@@ -239,6 +239,7 @@ impl Display for Error {
         match self {
             #[cfg(target_arch = "x86_64")]
             CpuId(e) => write!(f, "Cpuid error: {e:?}"),
+            CreateGuestMemfd(e) => write!(f, "Unable to create KVM guest_memfd: {e:?}"),
             GuestMemoryMmap(e) => write!(f, "Guest memory error: {e:?}"),
             #[cfg(target_arch = "x86_64")]
             GuestMSRs(e) => write!(f, "Retrieving supported guest MSRs fails: {e:?}"),
@@ -263,13 +264,10 @@ impl Display for Error {
                 f,
                 "Cannot set the local interruption due to bad configuration: {e:?}"
             ),
+            SetMemoryAttributes(e) => write!(f, "Cannot set memory region attributes: {e}"),
             SetUserMemoryRegion(e) => write!(f, "Cannot set the memory regions: {e}"),
             ShmMmap(e) => write!(f, "Error creating memory map for SHM region: {e}"),
             #[cfg(feature = "tee")]
-            SetUserMemoryRegion2(e) => write!(f, "Cannot set the memory regions: {e}"),
-            #[cfg(feature = "tee")]
-            CreateGuestMemfd(e) => write!(f, "Cannot create guest memfd: {e}"),
-            #[cfg(feature = "tee")]
             SnpSecVirtInit(e) => write!(
                 f,
                 "Error initializing the Secure Virtualization Backend (SEV): {e:?}"
@@ -393,7 +391,6 @@ pub struct KvmContext {
 
 impl KvmContext {
     pub fn new() -> Result<Self> {
-        use kvm_ioctls::Cap::*;
         let kvm = Kvm::new().expect("Error creating the Kvm object");
 
         // Check that KVM has the correct version.
@@ -520,80 +517,14 @@ impl Vm {
     pub fn memory_init(
         &mut self,
         guest_mem: &GuestMemoryMmap,
-        #[cfg(feature = "tee")] guest_memfd: &mut Vec<RawFd>,
         kvm_max_memslots: usize,
     ) -> Result<()> {
         if guest_mem.num_regions() > kvm_max_memslots {
             return Err(Error::NotEnoughMemorySlots);
         }
-        for region in guest_mem.iter() {
-            // It's safe to unwrap because the guest address is valid.
-            let host_addr = guest_mem.get_host_address(region.start_addr()).unwrap();
-            info!("Guest memory starts at {:x?}", host_addr);
 
-            #[cfg(feature = "tee")]
-            {
-                let gmem = kvm_create_guest_memfd {
-                    size: region.len(),
-                    flags: 0,
-                    reserved: [0; 6],
-                };
-
-                let id: RawFd = self
-                    .fd
-                    .create_guest_memfd(gmem)
-                    .map_err(Error::CreateGuestMemfd)?;
-
-                guest_memfd.push(id);
-
-                let memory_region = kvm_userspace_memory_region2 {
-                    slot: self.next_mem_slot as u32,
-                    flags: KVM_MEM_GUEST_MEMFD,
-                    guest_phys_addr: region.start_addr().raw_value(),
-                    memory_size: region.len(),
-                    userspace_addr: host_addr as u64,
-                    guest_memfd_offset: 0,
-                    guest_memfd: id as u32,
-                    pad1: 0,
-                    pad2: [0; 14],
-                };
-
-                // Safe because we mapped the memory region, we made sure that the regions
-                // are not overlapping.
-                unsafe {
-                    self.fd
-                        .set_user_memory_region2(memory_region)
-                        .map_err(Error::SetUserMemoryRegion2)?;
-                };
-
-                // set private by default when using guestmemfd
-                // this imitates QEMU behavior
-                let attr = kvm_memory_attributes {
-                    address: region.start_addr().raw_value(),
-                    size: region.len(),
-                    attributes: KVM_MEMORY_ATTRIBUTE_PRIVATE as u64,
-                    flags: 0,
-                };
-                self.fd.set_memory_attributes(attr).unwrap();
-            }
-            #[cfg(not(feature = "tee"))]
-            {
-                let memory_region = kvm_userspace_memory_region {
-                    slot: self.next_mem_slot as u32,
-                    guest_phys_addr: region.start_addr().raw_value(),
-                    memory_size: region.len(),
-                    userspace_addr: host_addr as u64,
-                    flags: 0,
-                };
-                // Safe because we mapped the memory region, we made sure that the regions
-                // are not overlapping.
-                unsafe {
-                    self.fd
-                        .set_user_memory_region(memory_region)
-                        .map_err(Error::SetUserMemoryRegion)?;
-                };
-            };
-            self.next_mem_slot += 1;
+        for region in guest_mem.iter() {
+            self.memory_region_set(guest_mem, region)?;
         }
 
         #[cfg(target_arch = "x86_64")]
@@ -604,6 +535,76 @@ impl Vm {
         Ok(())
     }
 
+    fn memory_region_set(
+        &mut self,
+        guest_mem: &GuestMemoryMmap,
+        region: &GuestRegionMmap,
+    ) -> Result<()> {
+        let host_addr = guest_mem.get_host_address(region.start_addr()).unwrap();
+        if !self.fd.check_extension(GuestMemfd) {
+            let memory_region = kvm_userspace_memory_region {
+                slot: self.next_mem_slot,
+                guest_phys_addr: region.start_addr().raw_value(),
+                memory_size: region.len(),
+                userspace_addr: host_addr as u64,
+                flags: 0,
+            };
+
+            // Safe because we mapped the memory region, we made sure that the regions
+            // are not overlapping.
+            unsafe {
+                self.fd
+                    .set_user_memory_region(memory_region)
+                    .map_err(Error::SetUserMemoryRegion)?;
+            };
+        } else {
+            // Create a guest_memfd and set the region.
+            let guest_memfd = self
+                .fd
+                .create_guest_memfd(kvm_create_guest_memfd {
+                    size: region.size() as u64,
+                    flags: 0,
+                    reserved: [0; 6],
+                })
+                .map_err(Error::CreateGuestMemfd)?;
+
+            let memory_region = kvm_userspace_memory_region2 {
+                slot: self.next_mem_slot,
+                flags: KVM_MEM_GUEST_MEMFD,
+                guest_phys_addr: region.start_addr().raw_value(),
+                memory_size: region.len(),
+                userspace_addr: host_addr as u64,
+                guest_memfd_offset: 0,
+                guest_memfd: guest_memfd as u32,
+                pad1: 0,
+                pad2: [0; 14],
+            };
+
+            // Safe because we mapped the memory region, we made sure that the regions
+            // are not overlapping.
+            unsafe {
+                self.fd
+                    .set_user_memory_region2(memory_region)
+                    .map_err(Error::SetUserMemoryRegion)?;
+            };
+
+            let attr = kvm_memory_attributes {
+                address: region.start_addr().raw_value(),
+                size: region.len(),
+                attributes: KVM_MEMORY_ATTRIBUTE_PRIVATE as u64,
+                flags: 0,
+            };
+
+            self.fd
+                .set_memory_attributes(attr)
+                .map_err(Error::SetMemoryAttributes)?;
+        }
+
+        self.next_mem_slot += 1;
+
+        Ok(())
+    }
+
     #[cfg(feature = "amd-sev")]
     pub fn snp_secure_virt_prepare(
         &self,
