On Tue, 1 Feb 2022 09:30:35 +0000 Stefan Hajnoczi <stefa...@redhat.com> wrote:
> On Mon, Jan 31, 2022 at 09:16:23AM -0700, Alex Williamson wrote: > > On Fri, 28 Jan 2022 09:18:08 +0000 > > Stefan Hajnoczi <stefa...@redhat.com> wrote: > > > > > On Thu, Jan 27, 2022 at 02:22:53PM -0700, Alex Williamson wrote: > > > > If the goal here is to restrict DMA between devices, ie. peer-to-peer > > > > (p2p), why are we trying to re-invent what an IOMMU already does? > > > > > > The issue Dave raised is that vfio-user servers run in separate > > > processses from QEMU with shared memory access to RAM but no direct > > > access to non-RAM MemoryRegions. The virtiofs DAX Window BAR is one > > > example of a non-RAM MemoryRegion that can be the source/target of DMA > > > requests. > > > > > > I don't think IOMMUs solve this problem but luckily the vfio-user > > > protocol already has messages that vfio-user servers can use as a > > > fallback when DMA cannot be completed through the shared memory RAM > > > accesses. > > > > > > > In > > > > fact, it seems like an IOMMU does this better in providing an IOVA > > > > address space per BDF. Is the dynamic mapping overhead too much? What > > > > physical hardware properties or specifications could we leverage to > > > > restrict p2p mappings to a device? Should it be governed by machine > > > > type to provide consistency between devices? Should each "isolated" > > > > bus be in a separate root complex? Thanks, > > > > > > There is a separate issue in this patch series regarding isolating the > > > address space where BAR accesses are made (i.e. the global > > > address_space_memory/io). When one process hosts multiple vfio-user > > > server instances (e.g. a software-defined network switch with multiple > > > ethernet devices) then each instance needs isolated memory and io address > > > spaces so that vfio-user clients don't cause collisions when they map > > > BARs to the same address. > > > > > > I think the the separate root complex idea is a good solution. This > > > patch series takes a different approach by adding the concept of > > > isolated address spaces into hw/pci/. > > > > This all still seems pretty sketchy, BARs cannot overlap within the > > same vCPU address space, perhaps with the exception of when they're > > being sized, but DMA should be disabled during sizing. > > > > Devices within the same VM context with identical BARs would need to > > operate in different address spaces. For example a translation offset > > in the vCPU address space would allow unique addressing to the devices, > > perhaps using the translation offset bits to address a root complex and > > masking those bits for downstream transactions. > > > > In general, the device simply operates in an address space, ie. an > > IOVA. When a mapping is made within that address space, we perform a > > translation as necessary to generate a guest physical address. The > > IOVA itself is only meaningful within the context of the address space, > > there is no requirement or expectation for it to be globally unique. > > > > If the vfio-user server is making some sort of requirement that IOVAs > > are unique across all devices, that seems very, very wrong. Thanks, > > Yes, BARs and IOVAs don't need to be unique across all devices. > > The issue is that there can be as many guest physical address spaces as > there are vfio-user clients connected, so per-client isolated address > spaces are required. This patch series has a solution to that problem > with the new pci_isol_as_mem/io() API. Sorry, this still doesn't follow for me. A server that hosts multiple devices across many VMs (I'm not sure if you're referring to the device or the VM as a client) needs to deal with different address spaces per device. The server needs to be able to uniquely identify every DMA, which must be part of the interface protocol. But I don't see how that imposes a requirement of an isolated address space. If we want the device isolated because we don't trust the server, that's where an IOMMU provides per device isolation. What is the restriction of the per-client isolated address space and why do we need it? The server needing to support multiple clients is not a sufficient answer to impose new PCI bus types with an implicit restriction on the VM. > What I find strange about this approach is that exported PCI devices are > on PCI root ports that are connected to the machine's main PCI bus. The > PCI devices don't interact with the main bus's IOVA space, guest > physical memory space, or interrupts. It seems hacky to graft isolated > devices onto a parent bus that provides nothing to its children. I > wonder if it would be cleaner for every vfio-user server to have its own > PCIHost. Then it may be possible to drop the new pci_isol_as_mem/io() > API. This is getting a bit ridiculous, if vfio-user devices require this degree of manipulation of the VM topology into things that don't exist on bare metal, we've done something very wrong. Thanks, Alex
