Cloud vendors hope that cloud servers have hot-plug capabilities for CPU, memory, and devices. In confidential virtual machine scenarios, the measurement values will change after hot-plug, and rmi_data_create needs to be called to dynamically update the device tree information. Please consult CCA's plan for the hot-plug capability, and under the security model of confidential virtual machines, should the hot-plug capability of confidential virtual machines be supported?
Hi,
This is a complex question and we need to separate out what needs to be supported from Platform firmware (like TF-A, TF-RMM) and what the RMM spec supports for Realms. I will skip device hot plug support for now as Device Assignment is not supported in RMMv1.0.
Platform firmware support for CPU and memory hotplug needs to be present, and one of several ways to implement this support in TF-A and RMM today is to overcommit the MAX_CPU_COUNT and RMM_MAX_GRANULES to cover any additional CPU and memory which may get added in future. We have some plans to add dynamic support for CPU and memory hotplug in TF-RMM additions in future.
For the rest of the answer, I assume that platform firmware does support CPU and memory hotplug.
On the matter of CPUs, the Realm VMs only deal with RECs (equivalent of vCPUs). The REC can be scheduled to run on any CPU, including those which are hotplugged later after the Realm VM is ACTIVE. The RMM spec today does not allow additional RECs to be added to the Realm VM once the Realm is ACTIVE. On the memory side, RMI_DATA_CREATE_UNKNOWN can be called to add memory to ACTIVE realms. See "Add memory to Active Realm flow" in the RMM spec.
Best Regards Soby Mathew
-----Original Message-----
From: wuweinan@huawei.com wuweinan@huawei.com
Sent: Wednesday, July 24, 2024 3:20 AM
To: tf-rmm@lists.trustedfirmware.org
Subject: [tf-rmm] Does the confidential virtual machine support hot-plug for CPU, memory, and devices?
Cloud vendors hope that cloud servers have hot-plug capabilities for CPU, memory, and devices. In confidential virtual machine scenarios, the measurement values will change after hot-plug, and rmi_data_create needs to be called to dynamically update the device tree information. Please consult CCA's plan for the hot-plug capability, and under the security model of confidential virtual machines, should the hot-plug capability of confidential virtual machines be supported?
Hi,
For device and memory hot plug, Libvirt supports the "attach device" command to hot plug virtio devices and memory. It should be necessary to update the device tree information and notify the guest OS. RMM copies the qemu device tree to the realm through data_create when the virtual machine is in the NEW state. This means that if hot plug of virtio devices is supported, the device tree needs to be updated to the realm VM after the virtual machine is ACTIVE.
If rmm calls data_create after Realm VM is ACTIVE, the Realm Initial Measurement will change. After realm VM is ACTIVE, is RIM still allowed to change?
Hi,
> This means that if hot plug of virtio devices is supported, the device tree needs to be updated to the realm VM after the virtual machine is ACTIVE.
Yes, the realm guest needs to be notified about the device hotplug by the VMM. The notification mechanism and the related update of device info would be application specific. It would be possible to extend the mechanism that exists today for Regular VMs to the Realm VMs, but I don't know the details of the existing mechanism.
> If rmm calls data_create after Realm VM is ACTIVE, the Realm Initial Measurement will change. After realm VM is ACTIVE, is RIM still allowed to change?
Data_create is not allowed after the Realm VM is ACTIVE, and RIM is not allowed to change after ACTIVE. Data_create_unknown is allowed though, and this API will not change RIM. Any device tree or other info about hotplug will need to be transferred in an application specific manner.
Best Regards Soby Mathew
-----Original Message-----
From: wuweinan@huawei.com wuweinan@huawei.com
Sent: Wednesday, July 24, 2024 8:43 AM
To: tf-rmm@lists.trustedfirmware.org
Subject: [tf-rmm] Re: Does the confidential virtual machine support hot-plug for CPU, memory, and devices?
Hi,
For device and memory hot plug, Libvirt supports the "attach device" command to hot plug virtio devices and memory. It should be necessary to update the device tree information and notify the guest OS. RMM copies the qemu device tree to the realm through data_create when the virtual machine is in the NEW state. This means that if hot plug of virtio devices is supported, the device tree needs to be updated to the realm VM after the virtual machine is ACTIVE.
If rmm calls data_create after Realm VM is ACTIVE, the Realm Initial Measurement will change. After realm VM is ACTIVE, is RIM still allowed to change?
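The rule stated in the reply above (data_create is rejected once the Realm is ACTIVE, data_create_unknown is accepted and leaves the RIM alone), as an added illustration that is not part of the original thread and not TF-RMM code. The type and function names, the status codes and the FNV-1a stand-in for the measurement hash are all assumptions made for this model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the rules stated in the reply; not TF-RMM source. */
enum realm_state { REALM_NEW, REALM_ACTIVE };
enum { MODEL_OK = 0, MODEL_ERR_STATE = 1 };       /* hypothetical status codes */

struct realm {
    enum realm_state state;
    uint64_t rim;        /* stand-in for the Realm Initial Measurement */
    size_t granules;     /* data granules given to the Realm */
};

/* FNV-1a used only as a placeholder for the real measurement hash. */
static uint64_t extend(uint64_t m, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) { m ^= d[i]; m *= 0x100000001b3ULL; }
    return m;
}

void realm_init(struct realm *r) {
    r->state = REALM_NEW; r->rim = 0xcbf29ce484222325ULL; r->granules = 0;
}
void model_activate(struct realm *r) { r->state = REALM_ACTIVE; }

/* data_create: measured contents, so only legal while the Realm is NEW. */
int model_data_create(struct realm *r, const uint8_t *src, size_t n) {
    if (r->state != REALM_NEW) return MODEL_ERR_STATE;
    r->rim = extend(r->rim, src, n);
    r->granules++;
    return MODEL_OK;
}

/* data_create_unknown: adds memory to an ACTIVE Realm, RIM untouched. */
int model_data_create_unknown(struct realm *r) { r->granules++; return MODEL_OK; }

/* Boot with a measured DT, then hot-add memory. Returns 1 if RIM is stable. */
int hotplug_keeps_rim(void) {
    static const uint8_t dtb[] = "constructed-device-tree-blob"; /* constructed sample */
    struct realm r;
    realm_init(&r);
    if (model_data_create(&r, dtb, sizeof dtb) != MODEL_OK) return 0;
    model_activate(&r);
    uint64_t rim_at_activation = r.rim;
    if (model_data_create(&r, dtb, sizeof dtb) != MODEL_ERR_STATE) return 0;
    if (model_data_create_unknown(&r) != MODEL_OK) return 0;
    return r.rim == rim_at_activation && r.granules == 2;
}

int main(void) { printf("RIM stable: %d\n", hotplug_keeps_rim()); return 0; }
```

A verifier comparing the RIM against a reference value therefore learns nothing about memory or device information delivered after activation, which is why the reply says that information has to travel by an application-specific path.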
How does this work for Linux with DT today on a normal VM? I suppose this only works with ACPI and as long as the ACPI information comes from a shared page (via SystemIO not SystemMemory) this should work.
Thanks for the reply, I will study how to implement device hot plugging in a normal VM.