On Fri, Feb 21, 2020 at 09:39:38AM -0600, Tom Lendacky wrote: > On 2/21/20 7:12 AM, Halil Pasic wrote: > > On Thu, 20 Feb 2020 15:55:14 -0500 > > "Michael S. Tsirkin" <mst@xxxxxxxxxx> wrote: > > > >> On Thu, Feb 20, 2020 at 05:06:06PM +0100, Halil Pasic wrote: > >>> Currently the advanced guest memory protection technologies (AMD SEV, > >>> powerpc secure guest technology and s390 Protected VMs) abuse the > >>> VIRTIO_F_IOMMU_PLATFORM flag to make virtio core use the DMA API, which > >>> is in turn necessary, to make IO work with guest memory protection. > >>> > >>> But VIRTIO_F_IOMMU_PLATFORM a.k.a. VIRTIO_F_ACCESS_PLATFORM is really a > >>> different beast: with virtio devices whose implementation runs on an SMP > >>> CPU we are still fine with doing all the usual optimizations, it is just > >>> that we need to make sure that the memory protection mechanism does not > >>> get in the way. The VIRTIO_F_ACCESS_PLATFORM mandates more work on the > >>> side of the guest (and possibly he host side as well) than we actually > >>> need. > >>> > >>> An additional benefit of teaching the guest to make the right decision > >>> (and use DMA API) on it's own is: removing the need, to mandate special > >>> VM configuration for guests that may run with protection. This is > >>> especially interesting for s390 as VIRTIO_F_IOMMU_PLATFORM pushes all > >>> the virtio control structures into the first 2G of guest memory: > >>> something we don't necessarily want to do per-default. > >>> > >>> Signed-off-by: Halil Pasic <pasic@xxxxxxxxxxxxx> > >>> Tested-by: Ram Pai <linuxram@xxxxxxxxxx> > >>> Tested-by: Michael Mueller <mimu@xxxxxxxxxxxxx> > >> > >> This might work for you but it's fragile, since without > >> VIRTIO_F_ACCESS_PLATFORM hypervisor assumes it gets > >> GPA's, not DMA addresses. > >> > > > > Thanks for your constructive approach. I do want the hypervisor to > > assume it gets GPA's. My train of thought was that the guys that need > > to use IOVA's that are not GPA's when force_dma_unencrypted() will have > > to to specify VIRTIO_F_ACCESS_PLATFORM (at the device) anyway, because > > otherwise it won't work. But I see your point: in case of a > > mis-configuration and provided the DMA API returns IOVA's one could end > > up trying to touch wrong memory locations. But this should be similar to > > what would happen if DMA ops are not used, and memory is not made accessible. > > > >> > >> > >> IOW this looks like another iteration of: > >> > >> virtio: Support encrypted memory on powerpc secure guests > >> > >> which I was under the impression was abandoned as unnecessary. > > > > Unnecessary for powerpc because they do normal PCI. In the context of > > CCW there are only guest physical addresses (CCW I/O has no concept of > > IOMMU or IOVAs). > > > >> > >> > >> To summarize, the necessary conditions for a hack along these lines > >> (using DMA API without VIRTIO_F_ACCESS_PLATFORM) are that we detect that: > >> > >> - secure guest mode is enabled - so we know that since we don't share > >> most memory regular virtio code won't > >> work, even though the buggy hypervisor didn't set VIRTIO_F_ACCESS_PLATFORM > > > > force_dma_unencrypted(&vdev->dev) is IMHO exactly about this. > > > >> - DMA API is giving us addresses that are actually also physical > >> addresses > > > > In case of s390 this is given. I talked with the power people before > > posting this, and they ensured me they can are willing to deal with > > this. I was hoping to talk abut this with the AMD SEV people here (hence > > the cc). > > Yes, physical addresses are fine for SEV - the key is that the DMA API is > used so that an address for unencrypted, or shared, memory is returned. > E.g. for a dma_alloc_coherent() call this is an allocation that has had > set_memory_decrypted() called or for a dma_map_page() call this is an > address from SWIOTLB, which was mapped shared during boot, where the data > will be bounce-buffered. > > We don't currently support an emulated IOMMU in our SEV guest because that > would require a lot of support in the driver to make IOMMU data available > to the hypervisor (I/O page tables, etc.). We would need hardware support > to really make this work easily in the guest. A tangent here: note that on POWER our IOMMU is paravirtualized (updated with hypercalls), it's also always enabled. For that reason we can and do combine vIOMMU translation with the need for bounce buffering for secure guests. (We generally statically configure the vIOMMU to have a huge window which just maps GPAs 1-to-1, which means we can still use dma-direct, but the vIOMMU is still there from the platform point of view) -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/virtualization