On Fri, Mar 21, 2025 at 03:38:10PM +0000, David Woodhouse wrote:
> On Tue, 2021-02-09 at 14:21 +0800, Claire Chang wrote:
> > This series implements mitigations for lack of DMA access control on
> > systems without an IOMMU, which could result in the DMA accessing the
> > system memory at unexpected times and/or unexpected addresses, possibly
> > leading to data leakage or corruption.
>
> Replying to an ancient (2021) thread which has already been merged...
>
> I'd like to be able to use this facility for virtio devices.
>
> Virtio already has a complicated relationship with the DMA API, because
> there were a bunch of early VMM bugs where the virtio devices were
> magically exempted from IOMMU protection, but the VMM lied to the guest
> and claimed they weren't.
>
> With the advent of confidential computing, and the VMM (or whatever's
> emulating the virtio device) not being *allowed* to arbitrarily access
> all of the guest's memory, the DMA API becomes necessary again.
>
> Either a virtual IOMMU needs to determine which guest memory the VMM
> may access, or the DMA API is wrappers around operations which
> share/unshare (or unencrypt/encrypt) the memory in question.
>
> All of which is complicated and slow, if we're looking at a minimal
> privileged hypervisor stub like pKVM which enforces the lack of guest
> memory access from VMM.
>
> I'm thinking of defining a new type of virtio-pci device which cannot
> do DMA to arbitrary system memory. Instead it has an additional memory
> BAR which is used as a SWIOTLB for bounce buffering.
>
> The driver for it would look much like the existing virtio-pci device
> except that it would register the restricted-dma region first (and thus
> the swiotlb dma_ops), and then just go through the rest of the setup
> like any other virtio device.
>
> That seems like it ought to be fairly simple, and seems like a
> reasonable way to allow an untrusted VMM to provide virtio devices with
> restricted DMA access.
>
> While I start actually doing the typing... does anyone want to start
> yelling at me now? Christoph? mst? :)

I don't mind as such (though I don't understand completely), but since
this is changing the device anyway, I am a bit confused why you can't
just set the VIRTIO_F_ACCESS_PLATFORM feature bit? This forces DMA API
which will DTRT for you, will it not?

-- 
MST
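The bounce-buffering design discussed above (a fixed memory window that is the only region the device or VMM may touch, with the driver copying data in and out of it at map/unmap time) as an added C model. This is illustration written for this page, not code from the thread, from the Linux swiotlb/restricted-dma implementation, or from the virtio drivers; the guest RAM array, the window offset and slot size, and the scenario functions are all constructed assumptions. It shows the two sides of the mechanism: the device-side bounds check that confines accesses to the window, and the driver-side map/unmap that bounces ordinary guest buffers through it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not kernel code): guest RAM, of which a fixed sub-range
 * (standing in for the device's extra memory BAR) is the restricted DMA
 * window. The device/VMM side is allowed to touch only that window. */
#define GUEST_RAM_SIZE  4096u
#define WINDOW_OFF      3072u
#define WINDOW_SIZE     1024u
#define SLOT_SIZE        256u
#define NSLOTS          (WINDOW_SIZE / SLOT_SIZE)

static uint8_t guest_ram[GUEST_RAM_SIZE];
static bool    slot_busy[NSLOTS];

enum dma_dir { DMA_TO_DEVICE, DMA_FROM_DEVICE };

/* One mapping: where the original buffer is and which slot bounces it. */
struct dma_mapping {
    void        *orig;
    size_t       len;
    enum dma_dir dir;
    size_t       dma_addr;   /* offset of the bounce slot inside guest_ram */
};

/* ---- device/VMM side: every access is checked against the window ------- */

static bool window_allows(size_t addr, size_t len)
{
    return len <= WINDOW_SIZE && addr >= WINDOW_OFF &&
           addr - WINDOW_OFF <= WINDOW_SIZE - len;   /* no end overflow */
}

/* Return 0 on success, -1 if the access falls outside the window. */
static int device_read(size_t addr, void *dst, size_t len)
{
    if (!window_allows(addr, len))
        return -1;
    memcpy(dst, guest_ram + addr, len);
    return 0;
}

static int device_write(size_t addr, const void *src, size_t len)
{
    if (!window_allows(addr, len))
        return -1;
    memcpy(guest_ram + addr, src, len);
    return 0;
}

/* ---- driver side: swiotlb-style bounce buffering ------------------------ */

/* Pick a free slot; for DMA_TO_DEVICE copy the data in. 0 on success, -1 if
 * the buffer is too large for a slot or the window is exhausted. */
static int restricted_dma_map(struct dma_mapping *m, void *buf, size_t len,
                              enum dma_dir dir)
{
    if (len > SLOT_SIZE)
        return -1;
    for (size_t i = 0; i < NSLOTS; i++) {
        if (slot_busy[i])
            continue;
        slot_busy[i] = true;
        m->orig = buf; m->len = len; m->dir = dir;
        m->dma_addr = WINDOW_OFF + i * SLOT_SIZE;
        if (dir == DMA_TO_DEVICE)
            memcpy(guest_ram + m->dma_addr, buf, len);
        return 0;
    }
    return -1;
}

/* For DMA_FROM_DEVICE copy the device's result back, then scrub and free the
 * slot so a later mapping cannot expose stale data to the device. */
static void restricted_dma_unmap(struct dma_mapping *m)
{
    if (m->dir == DMA_FROM_DEVICE)
        memcpy(m->orig, guest_ram + m->dma_addr, m->len);
    memset(guest_ram + m->dma_addr, 0, SLOT_SIZE);
    slot_busy[(m->dma_addr - WINDOW_OFF) / SLOT_SIZE] = false;
}

/* ---- scenarios (constructed) -------------------------------------------- */

/* Guest sends a buffer; the device reads it through the window.
 * Returns 1 if the device saw the bytes and the slot was released after. */
static int scenario_tx(void)
{
    uint8_t msg[8] = "virtio", seen[8] = {0};
    struct dma_mapping m;
    if (restricted_dma_map(&m, msg, sizeof msg, DMA_TO_DEVICE))
        return 0;
    int rc = device_read(m.dma_addr, seen, sizeof seen);
    restricted_dma_unmap(&m);
    return rc == 0 && memcmp(msg, seen, sizeof msg) == 0 && !slot_busy[0];
}

/* Device fills a buffer; the data reaches the guest's own buffer only via
 * the copy-back in unmap. Returns 1 on success. */
static int scenario_rx(void)
{
    uint8_t reply[4] = {0}, payload[4] = {0xde, 0xad, 0xbe, 0xef};
    struct dma_mapping m;
    if (restricted_dma_map(&m, reply, sizeof reply, DMA_FROM_DEVICE))
        return 0;
    int rc = device_write(m.dma_addr, payload, sizeof payload);
    restricted_dma_unmap(&m);
    return rc == 0 && memcmp(reply, payload, sizeof reply) == 0;
}

/* A value in ordinary guest RAM is unreachable: both an access outside the
 * window and one straddling its end are refused. Returns 1 if confined. */
static int scenario_device_confined(void)
{
    uint8_t secret[4] = {1, 2, 3, 4}, out[4] = {0};
    memcpy(guest_ram + 100, secret, sizeof secret);
    int rc1 = device_read(100, out, sizeof out);
    int rc2 = device_read(WINDOW_OFF + WINDOW_SIZE - 2, out, sizeof out);
    return rc1 == -1 && rc2 == -1 && out[0] == 0;
}
```

The model makes the trade-off in the thread visible: the VMM never needs access to arbitrary guest pages, at the cost of a copy on every map/unmap and a window whose slots must be scrubbed and reused carefully. In a real restricted-dma setup the bounds check is enforced by hardware or the hypervisor rather than by the device emulation itself.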