| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jun 2022 16:47:16 -0700
From: Nicolin Chen <nicolinc@...dia.com>
To: Alex Williamson <alex.williamson@...hat.com>
CC: <joro@...tes.org>, <will@...nel.org>, <marcan@...can.st>,
<sven@...npeter.dev>, <robin.murphy@....com>,
<robdclark@...il.com>, <baolu.lu@...ux.intel.com>,
<matthias.bgg@...il.com>, <orsonzhai@...il.com>,
<baolin.wang7@...il.com>, <zhang.lyra@...il.com>,
<jean-philippe@...aro.org>, <jgg@...dia.com>,
<kevin.tian@...el.com>, <suravee.suthikulpanit@....com>,
<alyssa@...enzweig.io>, <dwmw2@...radead.org>,
<yong.wu@...iatek.com>, <mjrosato@...ux.ibm.com>,
<gerald.schaefer@...ux.ibm.com>, <thierry.reding@...il.com>,
<vdumpa@...dia.com>, <jonathanh@...dia.com>, <cohuck@...hat.com>,
<thunder.leizhen@...wei.com>, <tglx@...utronix.de>,
<christophe.jaillet@...adoo.fr>, <john.garry@...wei.com>,
<chenxiang66@...ilicon.com>, <saiprakash.ranjan@...eaurora.org>,
<isaacm@...eaurora.org>, <yangyingliang@...wei.com>,
<jordan@...micpenguin.net>, <iommu@...ts.linux-foundation.org>,
<linux-kernel@...r.kernel.org>,
<linux-arm-kernel@...ts.infradead.org>,
<linux-arm-msm@...r.kernel.org>,
<linux-mediatek@...ts.infradead.org>, <linux-s390@...r.kernel.org>,
<linux-tegra@...r.kernel.org>,
<virtualization@...ts.linux-foundation.org>, <kvm@...r.kernel.org>
Subject: Re: [PATCH v2 2/5] vfio/iommu_type1: Prefer to reuse domains vs
match enforced cache coherency
On Tue, Jun 21, 2022 at 04:46:02PM -0600, Alex Williamson wrote:
> External email: Use caution opening links or attachments
>
>
> On Wed, 15 Jun 2022 17:03:01 -0700
> Nicolin Chen <nicolinc@...dia.com> wrote:
>
> > From: Jason Gunthorpe <jgg@...dia.com>
> >
> > The KVM mechanism for controlling wbinvd is based on OR of the coherency
> > property of all devices attached to a guest, no matter those devices are
> > attached to a single domain or multiple domains.
> >
> > So, there is no value in trying to push a device that could do enforced
> > cache coherency to a dedicated domain vs re-using an existing domain
> > which is non-coherent since KVM won't be able to take advantage of it.
> > This just wastes domain memory.
> >
> > Simplify this code and eliminate the test. This removes the only logic
> > that needed to have a dummy domain attached prior to searching for a
> > matching domain and simplifies the next patches.
> >
> > It's unclear whether we want to further optimize the Intel driver to
> > update the domain coherency after a device is detached from it, at
> > least not before KVM can be verified to handle such dynamics in related
> > emulation paths (wbinvd, vcpu load, write_cr0, ept, etc.). In reality
> > we don't see an usage requiring such optimization as the only device
> > which imposes such non-coherency is Intel GPU which even doesn't
> > support hotplug/hot remove.
>
> The 2nd paragraph above is quite misleading in this respect. I think
> it would be more accurate to explain that the benefit to using separate
> domains was that devices attached to domains supporting enforced cache
> coherency always mapped with the attributes necessary to provide that
> feature, therefore if a non-enforced domain was dropped, the associated
> group removal would re-trigger an evaluation by KVM. We can then go on
> to discuss that in practice the only known cases of such mixed domains
> included an Intel IGD device behind an IOMMU lacking snoop control,
> where such devices do not support hotplug, therefore this scenario lacks
> testing and is not considered sufficiently relevant to support. Thanks,
Thanks for the input. I integrated that into the commit log:
vfio/iommu_type1: Prefer to reuse domains vs match enforced cache coherency
The KVM mechanism for controlling wbinvd is based on OR of the coherency
property of all devices attached to a guest, no matter whether those
devices are attached to a single domain or multiple domains.
On the other hand, the benefit to using separate domains was that those
devices attached to domains supporting enforced cache coherency always
mapped with the attributes necessary to provide that feature, therefore
if a non-enforced domain was dropped, the associated group removal would
re-trigger an evaluation by KVM.
In practice however, the only known cases of such mixed domains included
an Intel IGD device behind an IOMMU lacking snoop control, where such
devices do not support hotplug, therefore this scenario lacks testing and
is not considered sufficiently relevant to support.
After all, KVM won't take advantage of trying to push a device that could
do enforced cache coherency to a dedicated domain vs re-using an existing
domain, which is non-coherent.
Simplify this code and eliminate the test. This removes the only logic
that needed to have a dummy domain attached prior to searching for a
matching domain and simplifies the next patches.
It's unclear whether we want to further optimize the Intel driver to
update the domain coherency after a device is detached from it, at
least not before KVM can be verified to handle such dynamics in related
emulation paths (wbinvd, vcpu load, write_cr0, ept, etc.). In reality
we don't see an usage requiring such optimization as the only device
which imposes such non-coherency is Intel GPU which even doesn't
support hotplug/hot remove.
Powered by blists - more mailing lists