[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <22b61209-61b6-207d-9d70-1db6ae630fc1@arm.com>
Date: Fri, 2 Mar 2018 17:16:35 +0000
From: Robin Murphy <robin.murphy@....com>
To: Alex Williamson <alex.williamson@...hat.com>,
Shameerali Kolothum Thodi
<shameerali.kolothum.thodi@...wei.com>
Cc: Auger Eric <eric.auger@...hat.com>,
"pmorel@...ux.vnet.ibm.com" <pmorel@...ux.vnet.ibm.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Linuxarm <linuxarm@...wei.com>,
John Garry <john.garry@...wei.com>,
"xuwei (O)" <xuwei5@...wei.com>
Subject: Re: [PATCH v4 4/6] vfio/type1: check dma map request is within a
valid iova range
On 02/03/18 16:04, Alex Williamson wrote:
[...]
>>> I still think you're overstretching the IOMMU reserved region interface
>>> by trying to report possible ACS conflicts. Are we going to update the
>>> reserved list on device hotplug? Are we going to update the list when
>>> MMIO is enabled or disabled for each device? What if the BARs are
>>> reprogrammed or bridge apertures changed? IMO, the IOMMU reserved list
>>> should account for specific IOVA exclusions that apply to transactions
>>> that actually reach the IOMMU, not aliasing that might occur in the
>>> downstream topology. Additionally, the IOMMU group composition must be
>>> such that these sorts of aliasing issues can only occur within an IOMMU
>>> group. If a transaction can be affected by the MMIO programming of
>>> another group, then the groups are drawn incorrectly for the isolation
>>> capabilities of the hardware. Thanks,
>>
>> Agree that this is not a perfect thing to do covering all scenarios. As Robin
>> pointed out, the current code is playing safe by reserving the full windows.
>>
>> My suggestion will be to limit this reservation to non-ACS cases only. This will
>> make sure that ACS ARM hardware is not broken by this series and nos-ACS
>> ones has a chance to run once Qemu is updated to take care of the reserved
>> regions (at least in some user scenarios).
>>
>> If you all are fine with this, I can include the ACS check I mentioned earlier in
>> iommu_dma_get_resv_regions() and sent out the revised series.
>>
>> Please let me know your thoughts.
>
> IMO, the IOMMU should be concerned with ACS as far as isolation is
> concerned and reporting reserved ranges that are imposed at the IOMMU
> and leave any aliasing or routing issues in the downstream topology to
> other layers, or perhaps to the user. Unfortunately, enforcing the
> iova list in vfio is gated by some movement here since we can't break
> existing users. Thanks,
FWIW, given the discussion we've had here I wouldn't object to pushing
the PCI window reservation back into the DMA-specific path, such that it
doesn't get exposed via the general IOMMU API interface. We *do* want to
do it there where we are in total control of our own address space and
it just avoids a whole class of problems (even with ACS I'm not sure the
root complex can be guaranteed to send a "bad" IOVA out to the SMMU
instead of just terminating it for looking like a peer-to-peer attempt).
I do agree that it's not scalable for the IOMMU layer to attempt to
detect and describe upstream PCI limitations to userspace by itself -
they are "reserved regions" rather than "may or may not work regions"
after all. If there is a genuine integration issue between an IOMMU and
an upstream PCI RC which restricts usable addresses on a given system,
that probably needs to be explicitly communicated from firmware to the
IOMMU driver anyway, at which point that driver can report the relevant
region(s) directly from its own callback.
I suppose there's an in-between option of keeping generic window
reservations but giving them a new "only reserve this if you're being
super-cautious or don't know better" region type which we hide from
userspace and ignore in VFIO, but maybe that leaves the lines a but too
blurred still.
Robin.
Powered by blists - more mailing lists