[[do not merge]] PR to check CI of rebase feature/secret-hiding branch #5171
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Creating a script to build and install a modified kernel with patches applied. Signed-off-by: Jack Thomson <[email protected]>
Adding a new integration test to assert that the kernel build script will succeed. Signed-off-by: Jack Thomson <[email protected]>
Adding the secret hiding kernel as a default for the buildkite pipeline, this will mean that PR's made against the branch will now be run with the new secret hiding enabled amis. Some tests have been marked to skip as they are kernel dependent so while we are compiling our kernel in CI these could change again. Signed-off-by: Jack Thomson <[email protected]>
To make it easier to track the upstream kernels which may change as we rebase, let's mark kernels newer than 6.12 as next for now to make dashboarding easier. Signed-off-by: Jack Thomson <[email protected]>
This test is failing for ARM instances in our performance pipeline, skipping this for now until we resolve the issue. Signed-off-by: Jack Thomson <[email protected]>
Addressing a comment to move away from dir stacks in our install scripts. We now store the start directly before we move the build directory and cd back to that explicitly. Signed-off-by: Jack Thomson <[email protected]>
We previously skipped a huge page test which stoppped the test timing out, but now we get stuck on another. Skipping this and the other huge page snapshot tests in the file. Signed-off-by: Jack Thomson <[email protected]>
Run the kernel build as part of our nightly tests so we can monitor it's success. Signed-off-by: Jack Thomson <[email protected]>
Add an updated version of relevant patches from my v4 direct map removal series [1]. Updated here means - Drop all selftests patches, as they are irrelevant for our CI - Address comments from David about squashing commits - Rebase on top of Fuad's v7 [1]: https://lore.kernel.org/kvm/[email protected]/ Signed-off-by: Patrick Roy <[email protected]>
The patches are in the `patches` subdirectory of `hiding_ci`, so if only patches were added, then the check of "any files with parent directory `hiding_ci`" would be false, and the CI step for testing the build of patches wouldn't actually run. Fix this by updating the check to be "any files where any parent directory is `hiding_ci`", which will also catch patches. Reported-by: Jack Thomson <[email protected]> Signed-off-by: Patrick Roy <[email protected]>
Update the build script to allow us to install the secret hidden kernels onto Amazon Linux 2023 instances. We have to as part of this include a script to download and install ena drivers for the instance to allow us to boot. Signed-off-by: Jack Thomson <[email protected]>
The output from the build in x86 is archived so updated the script to support installing either output type from the build Signed-off-by: Jack Thomson <[email protected]>
Add an 'apt update' before `apt install`. Otherwise, we might hold an old view of the package versions and installation might fail. Signed-off-by: Babis Chalios <[email protected]>
This lint forbids using `..Default::default()` in struct initializers after all fields have already been initialized, but this is a useful pattern if you know you want to add more fields to a struct in a future PR without needing to touch a ton of initializers in unittests again (_heavy foreshadowing_). So silence the paperclip. Signed-off-by: Patrick Roy <[email protected]>
There's no need to test this through VmResources when it can be tested in isolation. Also, everytime I touch MachineConfig I get confsued by where the hell the tests are, cuz not only are they in a different module, they're also one directory level away. So move the tests into machine_config.rs, where it makes sense to have them. Signed-off-by: Patrick Roy <[email protected]>
roypat
force-pushed
the
secret-freedom-no-swiotlb
branch
2 times, most recently
from
0a1f922 to
01dfe08
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5171 +/- ##
==========================================
- Coverage 83.01% 82.64% -0.37%
==========================================
Files 250 250
Lines 26897 27296 +399
==========================================
+ Hits 22328 22559 +231
- Misses 4569 4737 +168
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
roypat
force-pushed
the
secret-freedom-no-swiotlb
branch
2 times, most recently
from
2121123 to
eaf63ee
Compare
With secret freedom, direct accesses to guest memory from the context of the host kernel are no longer possible. This particularly means that we cannot pass pointers to guest memory to the host kernel anymore (at least if the host kernel tries to GUP them). For these scenarios, introduce a utility decorator struct `MaybeBounce` that can optionally do indirect read and write syscalls on guest memory by first memcpy-ing to firecracker userspace, and passing a pointer to firecracker heap memory into the kernel instead. Signed-off-by: Patrick Roy <[email protected]>
This is particularly useful for virtio devices, where on-demand allocation of bounce buffers leads to sever performance impacts (~80%) in synthetic throughput tests. Additionally, for virtio devices we can know approximately what the optimal size of a statically allocated bounce buffer is. Allocate bounce buffers on the heap, as trying to even temporarily place a 65k bounce buffer on the stack can lead to stack overflow errors. Signed-off-by: Patrick Roy <[email protected]>
Add support to our virtio devices to allow userspace bounce buffering of virtio buffers. This is an alternative to swiotlb. Don't implement it for vhost-user-blk and for virtio-block with async engine, because I have no idea how that would even work. Signed-off-by: Patrick Roy <[email protected]>
If the CI artifacts dont contain old firecracker releases, still succeed at setting them up after downloading them. Signed-off-by: Patrick Roy <[email protected]>
Add a utility function for creating a guest_memfd and wrapping it into a `File` object. Signed-off-by: Patrick Roy <[email protected]>
There's be a lot more things that are incompatible going forward (mostly related to secret freedom), so instead of adding a ton of error variants for each pair of incompatible features, let's just have a single one where we can insert arbitrary features via a string argument. Signed-off-by: Patrick Roy <[email protected]>
roypat
force-pushed
the
secret-freedom-no-swiotlb
branch
2 times, most recently
from
bdccfff to
40217b8
Compare
This will later indicate to Firecracker that guest memory should be backed by guest_memfd. Mark vhost-user and async block engine as incompatible, as I/O will require userspace bounce buffers. For vhost-user-blk, we would need to communicate the need for bounce buffers to the backend somehow, and for the async block engine we would need to somehow keep the bounce buffers around until io_uring finishes requests (which is not impossible, but complicated and not needed for now). Signed-off-by: Patrick Roy <[email protected]>
If secret freedom is enabled, the guest kernel and potential initrd needs to be loaded via bounce buffer, as we cannot directly do `read` syscalls that target guest memory. Signed-off-by: Patrick Roy <[email protected]>
Needed because we cannot do I/O straight into secret hidden memory - the host kernel cannot access it. Signed-off-by: Patrick Roy <[email protected]>
Fall back to kvm_user_memory_region in case the 2 version of the struct isnt supported. Signed-off-by: Patrick Roy <[email protected]>
vm-memory has faulty validation logic that prevents us from mmap-ing guest_memfds, so just bypass that by calling mmap ourselves for the time being. See also rust-vmm/vm-memory#320 Signed-off-by: Patrick Roy <[email protected]>
Have the `struct Vm` constructor take an argument to indicate whether the VM should be secret free. Use this to determine the correct vm type for guest_memfd support, and store it inside the VM so that we don't have to pass bools to various functions. Signed-off-by: Patrick Roy <[email protected]>
If the `secret_free` field of the memory_config is set to true in the /machine-config endpoint, back all memory regions using guest_memfd. For our setup, this means both setting the guest_memfd[_offset] fields in kvm_user_memory_region2, as well as mmaping the guest memory and reflecting this VMA back into the memslot's userspace_addr (which is how kvm internal accesses to guest memory will work for these guest_memfd regions, such as mmio emulation on x86). Signed-off-by: Patrick Roy <[email protected]>
To take snapshots of secret hidden VMs, we need to bounce guest memory through a userspace buffer. Reuse the `Bounce` wrapper type that is already in use for loading the guest kernel / initrd. Signed-off-by: Patrick Roy <[email protected]>
The current version of the mmap-support patches require that on x86, memory attributes have to be set to private even if the guest_memfd VMA is short-circuited back into the memslot (on ARM, memory attributes are not even supported in this scenario). Signed-off-by: Patrick Roy <[email protected]>
kvm-clock is incompatible with direct map removal for now. This is because kvm-clock tries to access guest memory through the direct map. Additionally, it does not handle failures during guest-attempted activations of kvm-clock gracefully (e.g. it cannot/does not communicate these back to the guest). This means a guest will unconditionally assume that if it wrote to the kvm-clock MSR to activate kvm-clock, it will work. But if KVM internally fails to activate kvm-clock, KVM will never write the information the guest expects into guest memory, resulting in the guest reading garbage data (generally, zeros), resulting in division by zero panics in the guest. Hence, explicitly tells guests that they shouldn't even try to enable kvm-clock, if they value their lives. Signed-off-by: Patrick Roy <[email protected]>
Previously this would fail on x86 as we set -e. By setting the || true this means the script will continue. The grubby step next will fail if it failed to find the image. Signed-off-by: Jack Thomson <[email protected]>
This is to allow to keep the licence and readme files in the patches directory. Signed-off-by: Nikita Kalyazin <[email protected]>
Explicitly mention that Linux patches are distributed under the GPL-2.0 licence. Signed-off-by: Nikita Kalyazin <[email protected]>
Include the following patch series rebased on top of the v7 of "KVM: Mapping guest_memfd backed memory at the host for software protected VMs" (https://<lor>/kvm/[email protected]/, replace "<lor>" with "lore.kernel.org" in this and the following links): - v4 "Direct Map Removal for guest_memfd" (https://<lor>/kvm/[email protected]/), with fixups - v2 "KVM: Introduce KVM Userfault" (https://<lor>/kvm/[email protected]/) - v3 "KVM: guest_memfd: use write for population" (https://<lor>/kvm/[email protected]/) - v3 "KVM: guest_memfd: support for uffd minor" (https://<lor>/kvm/[email protected]/), with fixups After this change all patches are represented as plain text files, meaning no patches are required to be fetched via a lore link. Signed-off-by: Nikita Kalyazin <[email protected]>
This is to keep Linux patches separate in case we need to store some other patches at some point. Signed-off-by: Nikita Kalyazin <[email protected]>
Also strip doc and test patches committed by mistake last time. Signed-off-by: Nikita Kalyazin <[email protected]>
roypat
force-pushed
the
secret-freedom-no-swiotlb
branch
from
40217b8 to
6798bcc
Compare
Aadditionally parametrize some of our throughput performance tests (network, block and vsock) by memory config, so that they run with secret freedom (and hence bounce buffering) enabled. Also add it to the boottime test, because bouncing can impact the time taken to read the rootfs. Skip them on m6g.metal because secret freedom does not work here for architectural reasons (and our patches do not take this into account, so trying to use secret freedom here would result in host kernel panics). Signed-off-by: Patrick Roy <[email protected]>
Add a test that we can boot VMs and initrds with secret freedom enabled. Signed-off-by: Patrick Roy <[email protected]>
roypat
force-pushed
the
secret-freedom-no-swiotlb
branch
from
6798bcc to
92a2b78
Compare
Since we load the kernel using bounce buffers now, it will give us false-positives. Signed-off-by: Patrick Roy <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.