Re: [PATCH] vfio-pci: Use io_remap_pfn_range() for PCI IO memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/17/20 9:57 AM, Peter Xu wrote:
> On Tue, Nov 17, 2020 at 09:33:17AM -0600, Tom Lendacky wrote:
>> On 11/16/20 5:20 PM, Jason Gunthorpe wrote:
>>> On Mon, Nov 16, 2020 at 03:43:53PM -0600, Tom Lendacky wrote:
>>>> On 11/16/20 9:53 AM, Jason Gunthorpe wrote:
>>>>> On Thu, Nov 05, 2020 at 06:39:49PM -0500, Peter Xu wrote:
>>>>>> On Thu, Nov 05, 2020 at 12:34:58PM -0400, Jason Gunthorpe wrote:
>>>>>>> Tom says VFIO device assignment works OK with KVM, so I expect only things
>>>>>>> like DPDK to be broken.
>>>>>>
>>>>>> Is there more information on why the difference?  Thanks,
>>>>>
>>>>> I have nothing, maybe Tom can explain how it works?
>>>>
>>>> IIUC, the main differences would be along the lines of what is performing
>>>> the mappings or who is performing the MMIO.
>>>>
>>>> For device passthrough using VFIO, the guest kernel is the one that ends
>>>> up performing the MMIO in kernel space with the proper encryption mask
>>>> (unencrypted).
>>>
>>> The question here is why does VF assignment work if the MMIO mapping
>>> in the hypervisor is being marked encrypted.
>>>
>>> It sounds like this means the page table in the hypervisor is ignored,
>>> and it works because the VM's kernel marks the guest's page table as
>>> non-encrypted?
>>
>> If I understand the VFIO code correctly, the MMIO area gets registered as
>> a RAM memory region and added to the guest. This MMIO region is accessed
>> in the guest through ioremap(), which creates an un-encrypted mapping,
>> allowing the guest to read it properly. So I believe the mmap() call only
>> provides the information used to register the memory region for guest
>> access and is not directly accessed by Qemu (I don't believe the guest
>> VMEXITs for the MMIO access, but I could be wrong).
> 
> Thanks for the explanations.
> 
> It seems fine if two dimentional page table is used in kvm, as long as the 1st
> level guest page table is handled the same way as in the host.
> 
> I'm thinking what if shadow page table is used - IIUC here the vfio mmio region
> will be the same as normal guest RAM from kvm memslot pov, however if the mmio
> region is not encrypted, does it also mean that the whole guest RAM is not
> encrypted too?  It's a pure question because I feel like these are two layers
> of security (host as the 1st, guest as the 2nd), maybe here we're only talking
> about host security rather than the guests, then it looks fine too.

SEV is only supported with NPT (TDP).

Thanks,
Tom

> 



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux