lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <dec21a7dd4ba0f095009f9bf4657c5e8c0a4d9da.camel@infradead.org>
Date: Mon, 07 Apr 2025 15:59:03 +0100
From: David Woodhouse <dwmw2@...radead.org>
To: Christoph Hellwig <hch@...radead.org>
Cc: "Michael S. Tsirkin" <mst@...hat.com>, virtio-comment@...ts.linux.dev, 
 Claire Chang <tientzu@...omium.org>, linux-devicetree
 <devicetree@...r.kernel.org>, Rob Herring <robh+dt@...nel.org>,
 Jörg Roedel <joro@...tes.org>, 
 iommu@...ts.linux-foundation.org, linux-kernel@...r.kernel.org,
 graf@...zon.de
Subject: Re: [RFC PATCH 1/3] content: Add VIRTIO_F_SWIOTLB to negotiate use
 of SWIOTLB bounce buffers

On Mon, 2025-04-07 at 07:06 -0700, Christoph Hellwig wrote:
> On Mon, Apr 07, 2025 at 11:09:54AM +0100, David Woodhouse wrote:
> > > should be usable for all devices bar actual addressing limits that are
> > > handled in the dma layer already.  The only things you need is:
> > > 
> > >  a) a way to declare one or more pools
> > >  b) a way to destinguish between devices behind a two stage IOMMU vs not
> > >     to figure out if they need to use a pool
> > 
> > I'm not averse to that, but it's different to the `restricted-dma-pool`
> > model that's defined today which has explicit matching. So I'd like to
> > reconcile them — and preferably literally use PRP0001 to expose
> > `restricted-dma-pool` even under ACPI.
> 
> A per-device flag is probably fine and easier for some things like
> pool sizing.  It also would be worse for other things like eventually
> implementing percpu pools.

What exactly are you thinking of when you say a 'per-device' flag?

> > Maybe it's as simple as a flag/property on the `restricted-dma-pool`
> > node which declares that it's a 'catch-all', and that *all* devices
> > which aren't explicitly bound to an IOMMU or other DMA operations (e.g.
> > explicitly bound to a different restricted-dma-pool) should use it?
> 
> Yeah.  Similar what we do with the generic shared-dma-pool.

Yeah, I was trying to work that one out, and it looks like I'm almost
describing the 'linux,dma-default' property. Except that seems to be
only for coherent allocations on the `shared-dma-pool`.

Maybe it makes sense for 'linux,dma-default' on a restricted-dma-pool
to mean that it should be used as a swiotlb for *all* DMA?

I don't much like the "linux," prefix but can live with that if that's
the precedent.

> > Either way, we'd still ideally want a virtio feature bit to say "don't
> > touch me if you don't understand my DMA restrictions", to prevent older
> > drivers (on older operating systems) from failing.
> 
> As said before they really need system level awareness of a coco host.
> That's not something to be hacked into virtio drivers.

Nah. As long as they use the IOMMU they're offered, guests don't need
any awareness at all that they're running in an environment where the
VMM can't access all their memory. There is precisely *zero* enablement
required in the guest for that.

The only problem is virtual devices which are provided by that VMM.

If the guests *do* have system level awareness of the particular
variant of CoCo host they're running on, then sure, they can explicitly
manage sharing/encryption/whatever with a system-specific set of DMA
operations and the problem goes away. But that's a long way off.

How does this sound as a plan...

 1. Define 'linux,dma-default' on a 'restricted-dma-pool' object to
    mean that it should be used as a fallback SWIOTLB for *all* devices
    (basically, as if each device explicitly referenced it as they do
    today).

 2. Provide a way to represent `restricted-dma-pool` in ACPI (which
    ought to work naturally as PRP0001 and it's mostly a matter of
    untangling it from OF-specific code on the guest side).

 3. Add a VIRTIO_F_RESTRICTED_DMA feature to virtio, so that devices
    which *know* they have such a limitation can gracefully decline
    to operate with a driver which doesn't support it.

 4. Add a way for a virtio-pci device to explicitly reference a given
    `restricted-dma-pool` like virtio-mmio devices can today. And it
    probably makes sense for a virtio-pci device which requires the
    VIRTIO_F_RESTRICTED_DMA feature to explicitly reference such a
    pool even if that pool has the `linux,dma-default' property?

With #1 and #2 we provide this facility even for passthrough PCI
devices. And with #3 and #4 we make it work *better* for virtio, which
is the more important use case (since those two-stage IOMMUs *do* exist
in the cases of CoCo-supporting hardware; it's just that they don't
enable *virtual* devices).


Download attachment "smime.p7s" of type "application/pkcs7-signature" (5069 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ