Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread Michael S. Tsirkin
On Sun, Nov 22, 2015 at 10:21:34PM -, David Woodhouse wrote: > > > > There's that, and there's an "I care about security, but > > do not want to burn up cycles on fake protections that > > do not work" case. > > It would seem to make most sense for this use case simply *not* to expose >

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread David Woodhouse
> There's that, and there's an "I care about security, but > do not want to burn up cycles on fake protections that > do not work" case. It would seem to make most sense for this use case simply *not* to expose virtio devices to guests as being behind an IOMMU at all. Sure, there are esoteric

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread David Woodhouse
On Sun, 2015-11-22 at 15:06 +0200, Marcel Apfelbaum wrote: > > > I tried to generate a DMAR table that excludes some devices from > IOMMU translation, however it does not help. > > The reason is, as far as I understand, that Linux kernel does > not allow any device being outside an IOMMU scope

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread David Woodhouse
On Fri, 2015-11-20 at 10:21 +0200, Michael S. Tsirkin wrote: > > David, there are two things a hypervisor needs to tell the guest. > 1. The actual device is behind an IOMMU. This is what you >    are suggesting we use DMAR for. > 2. Using IOMMU from kernel (as opposed to from userspace with VFIO)

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread Marcel Apfelbaum
On 11/08/2015 01:49 PM, Joerg Roedel wrote: On Sun, Nov 08, 2015 at 12:37:47PM +0200, Michael S. Tsirkin wrote: I have no problem with that. For example, can we teach the DMA API on intel x86 to use PT for virtio by default? That would allow merging Andy's patches with full compatibility with

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread Marcel Apfelbaum
On 11/22/2015 05:54 PM, David Woodhouse wrote: On Sun, 2015-11-22 at 15:06 +0200, Marcel Apfelbaum wrote: I tried to generate a DMAR table that excludes some devices from IOMMU translation, however it does not help. The reason is, as far as I understand, that Linux kernel does not allow any

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread Michael S. Tsirkin
On Sun, Nov 22, 2015 at 03:58:28PM +, David Woodhouse wrote: > On Fri, 2015-11-20 at 10:21 +0200, Michael S. Tsirkin wrote: > > > > David, there are two things a hypervisor needs to tell the guest. > > 1. The actual device is behind an IOMMU. This is what you > >    are suggesting we use DMAR

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-22 Thread Michael S. Tsirkin
On Sun, Nov 22, 2015 at 03:54:21PM +, David Woodhouse wrote: > On Sun, 2015-11-22 at 15:06 +0200, Marcel Apfelbaum wrote: > > > > > > I tried to generate a DMAR table that excludes some devices from > > IOMMU translation, however it does not help. > > > > The reason is, as far as I

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-20 Thread Michael S. Tsirkin
On Thu, Nov 19, 2015 at 11:38:06PM +, David Woodhouse wrote: > On Thu, 2015-11-19 at 13:59 -0800, Andy Lutomirski wrote: > > > > > > > > So thinking hard about it, I don't see any real drawbacks to making this > > > conditional on a new feature bit, that Xen can then set.. > > > > Can you

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-20 Thread Michael S. Tsirkin
On Fri, Nov 20, 2015 at 01:56:39PM +1100, Benjamin Herrenschmidt wrote: > On Thu, 2015-11-19 at 23:38 +, David Woodhouse wrote: > > > > I understand that POWER and other platforms don't currently have a > > clean way to indicate that certain device don't have translation. And I > > understand

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread David Woodhouse
On Thu, 2015-11-19 at 13:59 -0800, Andy Lutomirski wrote: > > > > > So thinking hard about it, I don't see any real drawbacks to making this > > conditional on a new feature bit, that Xen can then set.. > > Can you elaborate?  If I run QEMU, hosting Xen, hosting Linux, and the > virtio device is

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread Andy Lutomirski
On Nov 19, 2015 5:45 AM, "Michael S. Tsirkin" wrote: > > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > > This switches virtio to use the DMA API unconditionally. I'm sure > > it breaks things, but it seems to work on x86 using virtio-pci, with > > and

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread Benjamin Herrenschmidt
On Thu, 2015-11-19 at 23:38 +, David Woodhouse wrote: > > I understand that POWER and other platforms don't currently have a > clean way to indicate that certain device don't have translation. And I > understand that we may end up with a *quirk* which ensures that the DMA > API does the right

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread Michael S. Tsirkin
On Fri, Nov 20, 2015 at 08:56:46AM +0200, Michael S. Tsirkin wrote: > On Thu, Nov 19, 2015 at 01:59:05PM -0800, Andy Lutomirski wrote: > > On Nov 19, 2015 5:45 AM, "Michael S. Tsirkin" wrote: > > > > > > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > > > >

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread Michael S. Tsirkin
On Thu, Nov 19, 2015 at 01:59:05PM -0800, Andy Lutomirski wrote: > On Nov 19, 2015 5:45 AM, "Michael S. Tsirkin" wrote: > > > > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > > > This switches virtio to use the DMA API unconditionally. I'm sure > > > it

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-19 Thread Michael S. Tsirkin
On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > This switches virtio to use the DMA API unconditionally. I'm sure > it breaks things, but it seems to work on x86 using virtio-pci, with > and without Xen, and using both the modern 1.0 variant and the > legacy variant. So

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-12 Thread Michael S. Tsirkin
On Wed, Nov 11, 2015 at 11:30:27PM +0100, David Woodhouse wrote: > On Wed, 2015-11-11 at 07:56 -0800, Andy Lutomirski wrote: > > > > Can you flesh out this trick? > > > > On x86 IIUC the IOMMU more-or-less defaults to passthrough. If the > > kernel wants, it can switch it to a non-passthrough

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-12 Thread David Woodhouse
On Thu, 2015-11-12 at 13:09 +0200, Michael S. Tsirkin wrote: > On Wed, Nov 11, 2015 at 11:30:27PM +0100, David Woodhouse wrote: > > > > If the IOMMU is exposed, and enabled, and telling the guest kernel that > > it *does* cover the virtio devices, then those virtio devices will > > *not* be in

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-11 Thread Michael S. Tsirkin
On Sat, Oct 31, 2015 at 12:16:12AM +0900, Joerg Roedel wrote: > On Thu, Oct 29, 2015 at 11:01:41AM +0200, Michael S. Tsirkin wrote: > > Example: you have a mix of assigned devices and virtio devices. You > > don't trust your assigned device vendor not to corrupt your memory so > > you want to

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-11 Thread Michael S. Tsirkin
On Tue, Nov 10, 2015 at 10:54:21AM -0800, Andy Lutomirski wrote: > On Nov 10, 2015 7:02 AM, "Michael S. Tsirkin" wrote: > > > > On Sun, Nov 08, 2015 at 12:49:46PM +0100, Joerg Roedel wrote: > > > On Sun, Nov 08, 2015 at 12:37:47PM +0200, Michael S. Tsirkin wrote: > > > > I have

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-11 Thread Andy Lutomirski
On Wed, Nov 11, 2015 at 2:05 AM, Michael S. Tsirkin wrote: > On Tue, Nov 10, 2015 at 10:54:21AM -0800, Andy Lutomirski wrote: >> On Nov 10, 2015 7:02 AM, "Michael S. Tsirkin" wrote: >> > >> > On Sun, Nov 08, 2015 at 12:49:46PM +0100, Joerg Roedel wrote: >> > >

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-11 Thread David Woodhouse
On Wed, 2015-11-11 at 07:56 -0800, Andy Lutomirski wrote: > > Can you flesh out this trick? > > On x86 IIUC the IOMMU more-or-less defaults to passthrough. If the > kernel wants, it can switch it to a non-passthrough mode. My patches > cause the virtio driver to do exactly this, except that

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-10 Thread Michael S. Tsirkin
On Sun, Nov 08, 2015 at 12:49:46PM +0100, Joerg Roedel wrote: > On Sun, Nov 08, 2015 at 12:37:47PM +0200, Michael S. Tsirkin wrote: > > I have no problem with that. For example, can we teach > > the DMA API on intel x86 to use PT for virtio by default? > > That would allow merging Andy's patches

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-10 Thread Andy Lutomirski
On Nov 10, 2015 7:02 AM, "Michael S. Tsirkin" wrote: > > On Sun, Nov 08, 2015 at 12:49:46PM +0100, Joerg Roedel wrote: > > On Sun, Nov 08, 2015 at 12:37:47PM +0200, Michael S. Tsirkin wrote: > > > I have no problem with that. For example, can we teach > > > the DMA API on intel

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-08 Thread Michael S. Tsirkin
On Thu, Oct 29, 2015 at 05:18:56PM +0100, David Woodhouse wrote: > On Thu, 2015-10-29 at 11:01 +0200, Michael S. Tsirkin wrote: > > > > Example: you have a mix of assigned devices and virtio devices. You > > don't trust your assigned device vendor not to corrupt your memory so > > you want to

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-08 Thread Joerg Roedel
On Sun, Nov 08, 2015 at 12:37:47PM +0200, Michael S. Tsirkin wrote: > I have no problem with that. For example, can we teach > the DMA API on intel x86 to use PT for virtio by default? > That would allow merging Andy's patches with > full compatibility with old guests and hosts. Well, the only

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-08 Thread David Woodhouse
On Sun, 2015-11-08 at 12:37 +0200, Michael S. Tsirkin wrote: > On Thu, Oct 29, 2015 at 05:18:56PM +0100, David Woodhouse wrote: > > On Thu, 2015-10-29 at 11:01 +0200, Michael S. Tsirkin wrote: > > > > > > But you trust your hypervisor (you have no choice anyway), > > > and you don't want the

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-11-03 Thread Paolo Bonzini
On 29/10/2015 10:01, Michael S. Tsirkin wrote: > > Everyone seems to agree that x86's emulated Q35 thing > > is just buggy right now and should be taught to use the existing ACPI > > mechanism for enumerating passthrough devices. > > I'm not sure what ACPI has to do with it. > It's about a way

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-30 Thread Joerg Roedel
On Thu, Oct 29, 2015 at 11:01:41AM +0200, Michael S. Tsirkin wrote: > Example: you have a mix of assigned devices and virtio devices. You > don't trust your assigned device vendor not to corrupt your memory so > you want to limit the damage your assigned device can do to your guest, > so you use

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-30 Thread David Woodhouse
(Sorry, missed part of this before). On Thu, 2015-10-29 at 11:01 +0200, Michael S. Tsirkin wrote: > Isn't this specified by the hypervisor? I don't think this is a good > way to do this: guest security should be up to guest. And it is. When the guest sees an IOMMU, it can choose to use it, or

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-29 Thread David Woodhouse
On Thu, 2015-10-29 at 11:01 +0200, Michael S. Tsirkin wrote: > > Example: you have a mix of assigned devices and virtio devices. You > don't trust your assigned device vendor not to corrupt your memory so > you want to limit the damage your assigned device can do to your > guest, > so you use an

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-29 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 03:51:58PM -0700, Andy Lutomirski wrote: > On Wed, Oct 28, 2015 at 9:12 AM, Michael S. Tsirkin wrote: > > On Wed, Oct 28, 2015 at 11:32:34PM +0900, David Woodhouse wrote: > >> > I don't have a problem with extending DMA API to address > >> > more usecases.

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 05:36:53PM +0900, Benjamin Herrenschmidt wrote: > On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > > We have discussed that at kernel summit. I will try to implement a dummy > > dma_ops for > > s390 that does 1:1 mapping and Ben will look into doing some

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 05:09:47PM +0900, David Woodhouse wrote: > On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > > Am 28.10.2015 um 16:17 schrieb Michael S. Tsirkin: > > > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > > > > This switches virtio to use the

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Wed, 2015-10-28 at 13:35 +0200, Michael S. Tsirkin wrote: > E.g. on intel x86, there's an option iommu=pt which does the 1:1 > thing for devices when used by kernel, but enables > the iommu if used by userspace/VMs. That's none of your business. You call the DMA API when you do DMA. That's
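The x86 pass-through default that Andy describes further down this index ("the IOMMU more-or-less defaults to passthrough ... it can switch it to a non-passthrough mode") and the iommu=pt option Michael quotes above both reduce to one question: does the address the driver hands the device go through a translation that the device actually honours? The following userspace C program is an added toy model written for this page; it is not kernel code, not part of this thread and not from Andy's patches. The page-granular IOMMU, the dma_map() stand-in for dma_map_single(), the device model and the byte values are all constructed here for illustration. It runs five combinations of (translation on or off, driver passing a raw guest-physical address or going through the DMA API, device honouring or bypassing the IOMMU) and classifies what happens to the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed for this example, not kernel code): 4 KiB pages,
   16 pages of guest memory. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16
#define NO_MAP     0xFFFFFFFFu

static uint8_t guest_mem[NPAGES * PAGE_SIZE];

/* Guest-visible IOMMU: iova page -> gpa page, or NO_MAP. */
struct iommu {
    int enabled;              /* 0: pass-through (identity), 1: translating */
    uint32_t map[NPAGES];
    uint32_t next_iova_page;
};

static void iommu_init(struct iommu *mmu, int enabled) {
    memset(mmu, 0, sizeof *mmu);
    mmu->enabled = enabled;
    for (unsigned i = 0; i < NPAGES; i++) mmu->map[i] = NO_MAP;
    mmu->next_iova_page = 1;  /* iova page 0 deliberately left unmapped */
}

/* Translate a bus address the way the IOMMU would; -1 means a DMA fault. */
static long iommu_translate(const struct iommu *mmu, uint32_t bus_addr) {
    if (!mmu->enabled) return bus_addr;  /* identity / pass-through */
    uint32_t page = bus_addr >> PAGE_SHIFT;
    if (page >= NPAGES || mmu->map[page] == NO_MAP) return -1;
    return (long)((mmu->map[page] << PAGE_SHIFT) | (bus_addr & (PAGE_SIZE - 1)));
}

/* Stand-in for dma_map_single(): returns the address the driver should hand
   to the device. With translation off this is the gpa itself. */
static uint32_t dma_map(struct iommu *mmu, uint32_t gpa) {
    if (!mmu->enabled) return gpa;
    uint32_t iova_page = mmu->next_iova_page++;
    mmu->map[iova_page] = gpa >> PAGE_SHIFT;
    return (iova_page << PAGE_SHIFT) | (gpa & (PAGE_SIZE - 1));
}

/* Device write of one byte. honours_iommu=1 models a real PCI device whose
   traffic really passes through the IOMMU; honours_iommu=0 models a
   hypervisor-emulated virtio device that writes guest-physical memory
   directly, ignoring whatever IOMMU the guest believes it sits behind. */
static int device_dma_write(const struct iommu *mmu, int honours_iommu,
                            uint32_t bus_addr, uint8_t value) {
    long gpa = honours_iommu ? iommu_translate(mmu, bus_addr) : (long)bus_addr;
    if (gpa < 0 || (unsigned long)gpa >= sizeof guest_mem) return -1;  /* fault */
    guest_mem[gpa] = value;
    return 0;
}

enum outcome { OK_RIGHT_BUFFER, DMA_FAULT, WROTE_WRONG_BUFFER };

/* The driver owns a buffer at buf_gpa, picks a bus address either the old
   way (raw gpa, i.e. virt_to_phys) or through the DMA API, then the device
   DMAs one byte to it. */
static enum outcome run_case(int iommu_on, int driver_uses_dma_api,
                             int device_honours_iommu) {
    struct iommu mmu;
    iommu_init(&mmu, iommu_on);
    memset(guest_mem, 0, sizeof guest_mem);
    uint32_t buf_gpa = 5 * PAGE_SIZE + 0x10;   /* somewhere in page 5 */
    uint32_t bus = driver_uses_dma_api ? dma_map(&mmu, buf_gpa) : buf_gpa;
    if (device_dma_write(&mmu, device_honours_iommu, bus, 0xAB) != 0)
        return DMA_FAULT;
    return guest_mem[buf_gpa] == 0xAB ? OK_RIGHT_BUFFER : WROTE_WRONG_BUFFER;
}

int main(void) {
    static const char *names[] = {"ok", "DMA fault", "wrote wrong buffer"};
    struct { int iommu, dma_api, honours; const char *label; } cases[] = {
        {0, 0, 1, "pass-through, raw-gpa driver, real device"},
        {1, 0, 1, "translating, raw-gpa driver, real device"},
        {1, 1, 1, "translating, DMA-API driver, real device"},
        {1, 1, 0, "translating, DMA-API driver, device bypassing the IOMMU"},
        {1, 0, 0, "translating, raw-gpa driver, device bypassing the IOMMU"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-58s -> %s\n", cases[i].label,
               names[run_case(cases[i].iommu, cases[i].dma_api, cases[i].honours)]);
    return 0;
}
```

The second row is why the old virtio code cannot simply be left alone once a guest enables translation for the device: a raw guest-physical address has no IOMMU mapping and faults. The fourth row is the failure mode behind the "fake protections that do not work" remark: if the platform tells the guest the virtio device is behind the IOMMU but the emulated device ignores that IOMMU, a correct DMA-API driver hands it an IOVA and the device scribbles on the wrong guest page. The last row is today's working-but-unprotected state, where driver and device both bypass translation and simply agree on guest-physical addresses.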

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Wed, 2015-10-28 at 13:23 +0200, Michael S. Tsirkin wrote: > On Wed, Oct 28, 2015 at 05:36:53PM +0900, Benjamin Herrenschmidt > wrote: > > On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > > > We have discussed that at kernel summit. I will try to implement > > > a dummy dma_ops

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 10:37:56PM +0900, David Woodhouse wrote: > On Wed, 2015-10-28 at 13:23 +0200, Michael S. Tsirkin wrote: > > On Wed, Oct 28, 2015 at 05:36:53PM +0900, Benjamin Herrenschmidt > > wrote: > > > On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > > > > We have

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 11:13:29PM +0900, David Woodhouse wrote: > On Wed, 2015-10-28 at 16:05 +0200, Michael S. Tsirkin wrote: > > > > Short answer - platforms need a way to discover, and express different > > security requirements of different devices. > > Sure. PLATFORMS need that. Do not let

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 10:35:27PM +0900, David Woodhouse wrote: > On Wed, 2015-10-28 at 13:35 +0200, Michael S. Tsirkin wrote: > > E.g. on intel x86, there's an option iommu=pt which does the 1:1 > > thing for devices when used by kernel, but enables > > the iommu if used by userspace/VMs. > >

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Wed, 2015-10-28 at 16:05 +0200, Michael S. Tsirkin wrote: > > Short answer - platforms need a way to discover, and express different > security requirements of different devices. Sure. PLATFORMS need that. Do not let it go anywhere near your device drivers. Including the virtio drivers. > If

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Wed, 2015-10-28 at 16:22 +0200, Michael S. Tsirkin wrote: > On Wed, Oct 28, 2015 at 11:13:29PM +0900, David Woodhouse wrote: > > On Wed, 2015-10-28 at 16:05 +0200, Michael S. Tsirkin wrote: > > > > > > Short answer - platforms need a way to discover, and express > > > different > > > security

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Tue, 2015-10-27 at 23:38 -0700, Andy Lutomirski wrote: > > Changes from v2: > - Fix really embarrassing bug. This version actually works. So embarrassing you didn't want to tell us what it was? ... --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -292,7 +292,7 @@

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Christian Borntraeger
Am 28.10.2015 um 16:17 schrieb Michael S. Tsirkin: > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: >> This switches virtio to use the DMA API unconditionally. I'm sure >> it breaks things, but it seems to work on x86 using virtio-pci, with >> and without Xen, and using both the

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Andy Lutomirski
On Tue, Oct 27, 2015 at 11:53 PM, David Woodhouse wrote: > On Tue, 2015-10-27 at 23:38 -0700, Andy Lutomirski wrote: >> >> Changes from v2: >> - Fix really embarrassing bug. This version actually works. > > So embarrassing you didn't want to tell us what it was? ... Shhh,

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > This switches virtio to use the DMA API unconditionally. I'm sure > it breaks things, but it seems to work on x86 using virtio-pci, with > and without Xen, and using both the modern 1.0 variant and the > legacy variant. I'm very

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread David Woodhouse
On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > Am 28.10.2015 um 16:17 schrieb Michael S. Tsirkin: > > On Tue, Oct 27, 2015 at 11:38:57PM -0700, Andy Lutomirski wrote: > > > This switches virtio to use the DMA API unconditionally. I'm sure > > > it breaks things, but it seems to

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Benjamin Herrenschmidt
On Wed, 2015-10-28 at 16:40 +0900, Christian Borntraeger wrote: > We have discussed that at kernel summit. I will try to implement a dummy > dma_ops for > s390 that does 1:1 mapping and Ben will look into doing some quirk to handle > "old" > code in addition to also make it possible to mark

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Michael S. Tsirkin
On Wed, Oct 28, 2015 at 11:32:34PM +0900, David Woodhouse wrote: > > I don't have a problem with extending DMA API to address > > more usecases. > > No, this isn't an extension. This is fixing a bug, on certain platforms > where the DMA API has currently done the wrong thing. > > We have

Re: [PATCH v3 0/3] virtio DMA API core stuff

2015-10-28 Thread Andy Lutomirski
On Wed, Oct 28, 2015 at 9:12 AM, Michael S. Tsirkin wrote: > On Wed, Oct 28, 2015 at 11:32:34PM +0900, David Woodhouse wrote: >> > I don't have a problem with extending DMA API to address >> > more usecases. >> >> No, this isn't an extension. This is fixing a bug, on certain