On 11/16/20 5:20 PM, Jason Gunthorpe wrote: > On Mon, Nov 16, 2020 at 03:43:53PM -0600, Tom Lendacky wrote: >> On 11/16/20 9:53 AM, Jason Gunthorpe wrote: >>> On Thu, Nov 05, 2020 at 06:39:49PM -0500, Peter Xu wrote: >>>> On Thu, Nov 05, 2020 at 12:34:58PM -0400, Jason Gunthorpe wrote: >>>>> Tom says VFIO device assignment works OK with KVM, so I expect only things >>>>> like DPDK to be broken. >>>> >>>> Is there more information on why the difference? Thanks, >>> >>> I have nothing, maybe Tom can explain how it works? >> >> IIUC, the main differences would be along the lines of what is performing >> the mappings or who is performing the MMIO. >> >> For device passthrough using VFIO, the guest kernel is the one that ends >> up performing the MMIO in kernel space with the proper encryption mask >> (unencrypted). > > The question here is why does VF assignment work if the MMIO mapping > in the hypervisor is being marked encrypted. > > It sounds like this means the page table in the hypervisor is ignored, > and it works because the VM's kernel marks the guest's page table as > non-encrypted? If I understand the VFIO code correctly, the MMIO area gets registered as a RAM memory region and added to the guest. This MMIO region is accessed in the guest through ioremap(), which creates an un-encrypted mapping, allowing the guest to read it properly. So I believe the mmap() call only provides the information used to register the memory region for guest access and is not directly accessed by Qemu (I don't believe the guest VMEXITs for the MMIO access, but I could be wrong). > >> I'm not familiar with how DPDK really works other than it is userspace >> based and uses polling drivers, etc. So it all depends on how everything >> gets mapped and by whom. For example, using mmap() to get a mapping to >> something that should be mapped unencrypted will be an issue since the >> userspace mappings are created encrypted. > > It is the same as the rdma stuff, DPDK calls mmap against VFIO which > calls remap_pfn and creates encrypted mappings > >> Extending mmap() to be able to specify a new flag, maybe >> MAP_UNENCRYPTED, might be something to consider. > > Not sure how this makes sense here, the kernel knows the should not be > encrypted.. Yeah, not in this case. Was just a general comment on whether to allow userspace to do something like that on any mmap(). Thanks, Tom > > Jason >
