On Mon, Nov 09, 2020 at 01:30:34PM -0400, Jason Gunthorpe wrote:

> > Again, trap emulate does not work for IMS when the IMS store is software
> > managed guest memory and not part of the device. And that's the whole
> > reason why we are discussing this.
>
> With PASID tagged interrupts and an IOMMU interrupt remapping
> capability that can trigger on PASID, then the platform can provide
> the same level of security as SRIOV - the above is no problem.

You mean even if it's stored in memory, as long as the MemWr comes with PASID,
and the hypercall has provisioned the IRTE properly? That seems like a
possibility.

> The device ensures that all DMAs and all interrupts programmed by the
> guest are PASID tagged and the platform provides security by checking
> the PASID when delivering the interrupt. Intel IOMMU doesn't work this
> way today, but it makes a lot of design sense.
>
> Otherwise the interrupt is effectively delivered to the hypervisor. A
> secure device can *never* allow a guest to specify an addr/data pair
> for a non-PASID tagged TLP, so the device cannot offer IMS to the
> guest.

Right, it seems like that's a limitation today.
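The design sketched in the quoted paragraphs (guest-programmed IMS entries whose interrupt writes carry a PASID, and a remapping unit that binds each IRTE to a PASID and checks it at delivery) can be illustrated with a small model. The following is an added example, not code from the thread or from any IOMMU driver; the `RemappingUnit`, `IRTE`, `InterruptTLP` names and the blocked/hypervisor outcomes are assumptions made for illustration and do not describe how Intel VT-d or any real hardware behaves today. It models both points of the discussion: a PASID-tagged write that matches its provisioned IRTE is delivered to the owning guest, while a guest-controlled addr/data pair on an untagged write would land at hypervisor level, which is why a device offering IMS to a guest must not emit such a write.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Model (constructed for illustration): one interrupt remapping table entry.
@dataclass(frozen=True)
class IRTE:
    owner_pasid: Optional[int]  # PASID this entry is bound to; None = host-owned
    target: str                 # "vm-a", "vm-b", ... or "hypervisor"
    vector: int


# Model of the MemWr TLP that signals an interrupt. The handle stands in for the
# remappable addr/data pair; pasid is the optional PASID TLP prefix.
@dataclass(frozen=True)
class InterruptTLP:
    handle: int
    pasid: Optional[int]


class RemappingUnit:
    """Toy interrupt remapping unit that checks PASID at delivery time."""

    def __init__(self) -> None:
        self.table: Dict[int, IRTE] = {}

    def provision(self, handle: int, owner_pasid: Optional[int],
                  target: str, vector: int) -> None:
        # Only the hypervisor provisions entries (e.g. via a hypercall from
        # the guest); the guest never writes the table directly.
        self.table[handle] = IRTE(owner_pasid, target, vector)

    def deliver(self, tlp: InterruptTLP) -> Tuple[str, Optional[int]]:
        irte = self.table.get(tlp.handle)
        if irte is None:
            return ("blocked", None)            # no entry: drop and log
        if irte.owner_pasid is not None:
            # Guest-owned entry: the write must carry exactly that PASID.
            if tlp.pasid != irte.owner_pasid:
                return ("blocked", None)
            return (irte.target, irte.vector)
        # Host-owned entry: a PASID-tagged (guest) write must never reach it.
        if tlp.pasid is not None:
            return ("blocked", None)
        return (irte.target, irte.vector)


def scenario() -> Dict[str, Tuple[str, Optional[int]]]:
    """Run the cases discussed in the thread against the model."""
    iommu = RemappingUnit()
    guest_pasid = 0x10                      # constructed PASID for vm-a
    iommu.provision(handle=1, owner_pasid=guest_pasid, target="vm-a", vector=33)
    iommu.provision(handle=7, owner_pasid=None, target="hypervisor", vector=50)

    return {
        # IMS entry lives in guest memory, but the device tags the write with
        # the guest's PASID and the IRTE was provisioned for it: delivered to vm-a.
        "tagged_match": iommu.deliver(InterruptTLP(handle=1, pasid=guest_pasid)),
        # Same handle, wrong PASID (another guest or a spoof attempt): blocked.
        "tagged_wrong_pasid": iommu.deliver(InterruptTLP(handle=1, pasid=0x11)),
        # Guest-chosen addr/data aimed at a host entry, but the write is
        # PASID-tagged, so the check stops it.
        "tagged_host_handle": iommu.deliver(InterruptTLP(handle=7, pasid=guest_pasid)),
        # The failure mode the thread warns about: an untagged write with a
        # guest-chosen addr/data pair is indistinguishable from a host
        # interrupt and lands at hypervisor level.
        "untagged_host_handle": iommu.deliver(InterruptTLP(handle=7, pasid=None)),
        # An untagged write cannot use a guest-owned entry either.
        "untagged_guest_handle": iommu.deliver(InterruptTLP(handle=1, pasid=None)),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:22s} -> {outcome}")
```

The `untagged_host_handle` case is the reason the thread concludes that a device cannot safely expose IMS to a guest on platforms without PASID-aware remapping: once the guest controls the addr/data pair of an untagged write, the remapping unit has nothing to bind the interrupt to the guest, so the only safe rule is that the device never emits such a write on the guest's behalf.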