On 02/03/18 16:04, Alex Williamson wrote:
[...]
I still think you're overstretching the IOMMU reserved region interface
by trying to report possible ACS conflicts. Are we going to update the
reserved list on device hotplug? Are we going to update the list when
MMIO is enabled or disabled for each device? What if the BARs are
reprogrammed or bridge apertures changed? IMO, the IOMMU reserved list
should account for specific IOVA exclusions that apply to transactions
that actually reach the IOMMU, not aliasing that might occur in the
downstream topology. Additionally, the IOMMU group composition must be
such that these sorts of aliasing issues can only occur within an IOMMU
group. If a transaction can be affected by the MMIO programming of
another group, then the groups are drawn incorrectly for the isolation
capabilities of the hardware. Thanks,
Agree that this is not a perfect thing to do covering all scenarios. As Robin
pointed out, the current code is playing safe by reserving the full windows.
My suggestion will be to limit this reservation to non-ACS cases only. This
will
make sure that ACS ARM hardware is not broken by this series and nos-ACS
ones has a chance to run once Qemu is updated to take care of the reserved
regions (at least in some user scenarios).
If you all are fine with this, I can include the ACS check I mentioned earlier
in
iommu_dma_get_resv_regions() and sent out the revised series.
Please let me know your thoughts.
IMO, the IOMMU should be concerned with ACS as far as isolation is
concerned and reporting reserved ranges that are imposed at the IOMMU
and leave any aliasing or routing issues in the downstream topology to
other layers, or perhaps to the user. Unfortunately, enforcing the
iova list in vfio is gated by some movement here since we can't break
existing users. Thanks,
FWIW, given the discussion we've had here I wouldn't object to pushing
the PCI window reservation back into the DMA-specific path, such that it
doesn't get exposed via the general IOMMU API interface. We *do* want to
do it there where we are in total control of our own address space and
it just avoids a whole class of problems (even with ACS I'm not sure the
root complex can be guaranteed to send a "bad" IOVA out to the SMMU
instead of just terminating it for looking like a peer-to-peer attempt).
I do agree that it's not scalable for the IOMMU layer to attempt to
detect and describe upstream PCI limitations to userspace by itself -
they are "reserved regions" rather than "may or may not work regions"
after all. If there is a genuine integration issue between an IOMMU and
an upstream PCI RC which restricts usable addresses on a given system,
that probably needs to be explicitly communicated from firmware to the
IOMMU driver anyway, at which point that driver can report the relevant
region(s) directly from its own callback.
I suppose there's an in-between option of keeping generic window
reservations but giving them a new "only reserve this if you're being
super-cautious or don't know better" region type which we hide from
userspace and ignore in VFIO, but maybe that leaves the lines a but too
blurred still.
Robin.
