On Mon, Jul 15, 2024 at 03:50:28PM -0700, Dan Williams wrote:
> > > The motivation for the security policy is "there is trusted memory to
> > > protect". Absent trusted memory, the status quo for the device-driver
> > > model applies.
> >
> > From what I can see on some platforms/configurations if the device is
> > trusted capable then it MUST only issue trusted DMA as that is the
> > only IO translation that will work.
>
> Given that PCI defines that devices can fall out of "trusted capable"
> mode that implies there needs to be an error recovery path.

Sure, but this is not the issue. If you stop being trusted you have to
immediately stop doing all DMA, and the VM has to restore things back to
trusted before starting the DMAs again.

Basically I'd expect you have to FLR the device and start from scratch
as an error recovery.

> For at least the platforms I am looking at (SEV, TDX, COVE) a
> "convert device to private operation" step is a possibility after
> the TVM is already running.

That's fine, too.

The issue is the DMA. When you have a trusted vIOMMU present in the VM
things get complex. At least one platform splits the IOMMU in half, and
PCIe TLP bit T=0 and T=1 target totally different translations.

So from a Linux VM perspective we have a PCI device with an IOMMU,
except that the IOMMU flips into IDENTITY if T=0 is used.