On Wed, 2013-09-04 at 17:04 +0000, Matthew Garrett wrote: > Do we have in-kernel API to guarantee that a given PCI device is > actively isolated by an IOMMU such that it can't modify any host kernel > pages that aren't explicitly intended to be writable by the device? That > seems to be the biggest constraint. We don't, but it's not hard to add one if we have a consensus on exactly what it needs to mean. > How does virt passthrough work in this case? The current situation > appears to be that qemu just passes the BARs through to the guest, and > it's the guest that sets things up. We'd need to be able to ensure that > there's no way the guest driver can cause DMA into the host kernel. We set up the IOMMU page tables so that the virtual bus addresses seen by the PCI device are 1:1 mapped to the guest "physical" address space. That is, what the PCI device sees as a "physical" address is equivalent to what the guest sees as a "physical" address space. It can access memory which belongs to that guest, and nothing else. So that should be fine. (Currently, the guest sees no IOMMU. There's just that permanent 1:1 mapping of all of the guest's memory so that it's visible to the device. We may later implement a virtual IOMMU within qemu, and then we'll have more dynamic mappings. But the principle will remain the same: PCI devices assigned to a KVM guest can only 'see' memory pages which belong to that guest. > > And there are non-DMA considerations too, aren't there? What about just > > writing some fun stuff to a memory BAR and then writing to PCI config to > > map that BAR to an address that we can get executed by kernel code? > > Yes, that's why config space is locked down for now. OK. -- David Woodhouse Open Source Technology Centre David.Woodhouse@xxxxxxxxx Intel Corporation
Attachment:
smime.p7s
Description: S/MIME cryptographic signature