On 2020-06-16 11:52, Halil Pasic wrote:
On Mon, 15 Jun 2020 14:39:24 +0200
Pierre Morel <pmorel@xxxxxxxxxxxxx> wrote:
I find the subject (commit short) sub optimal. The 'arch' is already
accepting devices 'without IOMMU feature'. What you are introducing is
the ability to reject.
An architecture protecting the guest memory against unauthorized host
access may want to enforce VIRTIO I/O device protection through the
use of VIRTIO_F_IOMMU_PLATFORM.
Let's give a chance to the architecture to accept or not devices
without VIRTIO_F_IOMMU_PLATFORM.
I don't particularly like the commit message. In general, I believe
using access_platform instead of iommu_platform would really benefit us.
IOMMU_PLATFORM is used overall in Linux, and I did not find any
occurrence for ACCESS_PLATFORM.
Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxx>
---
arch/s390/mm/init.c | 6 ++++++
drivers/virtio/virtio.c | 9 +++++++++
include/linux/virtio.h | 2 ++
3 files changed, 17 insertions(+)
diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c
index 87b2d024e75a..3f04ad09650f 100644
--- a/arch/s390/mm/init.c
+++ b/arch/s390/mm/init.c
@@ -46,6 +46,7 @@
#include <asm/kasan.h>
#include <asm/dma-mapping.h>
#include <asm/uv.h>
+#include <linux/virtio.h>
arch/s390/mm/init.c including virtio.h looks a bit strange to me, but
if Heiko and Vasily don't mind, neither do I.
Do we have a better place to install the hook?
I though that since it is related to memory management and that, since
force_dma_unencrypted already is there, it would be a good place.
However, kvm-s390 is another candidate.
pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir);
@@ -162,6 +163,11 @@ bool force_dma_unencrypted(struct device *dev)
return is_prot_virt_guest();
}
+int arch_needs_iommu_platform(struct virtio_device *dev)
Maybe prefixing the name with virtio_ would help provide the
proper context.
The virtio_dev makes it obvious and from the virtio side it should be
obvious that the arch is responsible for this.
However if nobody has something against I change it.
+{
+ return is_prot_virt_guest();
+}
+
/* protected virtualization */
static void pv_init(void)
{
diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c
index a977e32a88f2..30091089bee8 100644
--- a/drivers/virtio/virtio.c
+++ b/drivers/virtio/virtio.c
@@ -167,6 +167,11 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status)
}
EXPORT_SYMBOL_GPL(virtio_add_status);
+int __weak arch_needs_iommu_platform(struct virtio_device *dev)
+{
+ return 0;
+}
+
Adding some people that could be interested in overriding this as well
to the cc list.
Thanks,
int virtio_finalize_features(struct virtio_device *dev)
{
int ret = dev->config->finalize_features(dev);
@@ -179,6 +184,10 @@ int virtio_finalize_features(struct virtio_device *dev)
if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1))
return 0;
+ if (arch_needs_iommu_platform(dev) &&
+ !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM))
+ return -EIO;
+
Why EIO?
Because I/O can not occur correctly?
I am open to suggestions.
Overall, I think it is a good idea to have something that is going to
protect us from this scenario.
It would clearly be a good thing that trusted hypervizors like QEMU
forbid this scenario however should we let the door open?
Thanks,
Pierre
--
Pierre Morel
IBM Lab Boeblingen