On Tue, 8 Jun 2021 15:44:26 +0200 Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote: > On 08/06/21 15:15, Jason Gunthorpe wrote: > > On Tue, Jun 08, 2021 at 09:56:09AM +0200, Paolo Bonzini wrote: > > > >>>> Alternatively you can add a KVM_DEV_IOASID_{ADD,DEL} pair of ioctls. But it > >>>> seems useless complication compared to just using what we have now, at least > >>>> while VMs only use IOASIDs via VFIO. > >>> > >>> The simplest is KVM_ENABLE_WBINVD(<fd security proof>) and be done > >>> with it. Even if we were to relax wbinvd access to any device (capable of no-snoop or not) in any IOMMU configuration (blocking no-snoop or not), I think as soon as we say "proof" is required to gain this access then that proof should be ongoing for the life of the access. That alone makes this more than a "I want this feature, here's my proof", one-shot ioctl. Like the groupfd enabling a path for KVM to ask if that group is non-coherent and holding a group reference to prevent the group from being used to authorize multiple KVM instances, the ioasidfd proof would need to minimally validate that devices are present and provide some reference to enforce that model as ongoing, or notifier to indicate an end of that authorization. I don't think we can simplify that out of the equation or we've essentially invalidated that the proof is really required. > >> > >> The simplest one is KVM_DEV_VFIO_GROUP_ADD/DEL, that already exists and also > >> covers hot-unplug. The second simplest one is KVM_DEV_IOASID_ADD/DEL. > > > > This isn't the same thing, this is back to trying to have the kernel > > set policy for userspace. > > If you want a userspace policy then there would be three states: > > * WBINVD enabled because a WBINVD-enabled VFIO device is attached. > > * WBINVD potentially enabled but no WBINVD-enabled VFIO device attached > > * WBINVD forcefully disabled > > KVM_DEV_VFIO_GROUP_ADD/DEL can still be used to distinguish the first > two. Due to backwards compatibility, those two describe the default > behavior; disabling wbinvd can be done easily with a new sub-ioctl of > KVM_ENABLE_CAP and doesn't require any security proof. That seems like a good model, use the kvm-vfio device for the default behavior and extend an existing KVM ioctl if QEMU still needs a way to tell KVM to assume all DMA is coherent, regardless of what the kvm-vfio device reports. If feels like we should be able to support a backwards compatibility mode using the vfio group, but I expect long term we'll want to transition the kvm-vfio device from a groupfd to an ioasidfd. > The meaning of WBINVD-enabled is "won't return -ENXIO for the wbinvd > ioctl", nothing more nothing less. If all VFIO devices are going to be > WBINVD-enabled, then that will reflect on KVM as well, and I won't have > anything to object if there's consensus on the device assignment side of > things that the wbinvd ioctl won't ever fail. If we create the IOMMU vs device coherency matrix: \ Device supports IOMMU blocks \ no-snoop no-snoop \ yes | no | ---------------+-----+-----+ yes | 1 | 2 | ---------------+-----+-----+ no | 3 | 4 | ---------------+-----+-----+ DMA is always coherent in boxes {1,2,4} (wbinvd emulation is not needed). VFIO will currently always configure the IOMMU for {1,2} when the feature is supported. Boxes {3,4} are where we'll currently emulate wbinvd. The best we could do, not knowing the guest or insights into the guest driver would be to only emulate wbinvd for {3}. The majority of devices appear to report no-snoop support {1,3}, but the claim is that it's mostly unused outside of GPUs, effectively {2,4}. I'll speculate that most IOMMUs support enforcing coherency (amd, arm, fsl unconditionally, intel conditionally) {1,2}. I think that means we're currently operating primarily in Box {1}, which does not seem to lean towards unconditional wbinvd access with device ownership. I think we have a desire with IOASID to allow user policy to operate certain devices in {3} and I think the argument there is that a specific software enforced coherence sync is more efficient on the bus than the constant coherence enforcement by the IOMMU. I think that the disable mode Jason proposed is essentially just a way to move a device from {3} to {4}, ie. the IOASID support or configuration does not block no-snoop and the device claims to support no-snoop, but doesn't use it. How we'd determine this to be true for a device without a crystal ball of driver development or hardware errata that no-snoop transactions are not possible regardless of the behavior of the enable bit, I'm not sure. If we're operating a device in {3}, but the device does not generate no-snoop transactions, then presumably the guest driver isn't generating wbinvd instructions for us to emulate, so where are the wbinvd instructions that this feature would prevent being emulated coming from? Thanks, Alex