Re: [Xen-devel] DomD: passthroughing an arbitrary device
On 10/05/2017 06:29 PM, Julien Grall wrote: Hi, On 04/10/17 19:10, Oleksandr Andrushchenko wrote: sorry, pressed send too fast On 10/04/2017 09:02 PM, Oleksandr Andrushchenko wrote: On 10/04/2017 08:22 PM, Julien Grall wrote: On 04/10/17 17:32, Oleksandr Andrushchenko wrote: Hi, all! Hello, We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong. you are right, sorry for not being precise enough I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. I guess you are saying that when you use "dtdev" it will deny guest creation. at least I used/experimented with dtdev as of now and didn't think it is possible not to fill in dtdev's, but still request IRQs At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios". ah, good to know, could you please confirm that my understanding is correct: if I put "xen,passthrough" property in guest's device tree node which has IRQ(s) and/or MMIO range(s) it is enough to get that "passive" device passed through? yes, device will not be hidden from Dom0 and free to be used by any other domains. this does work, thank you However, you have to ensure it will not be shared between multiple domains (this check was done by "dtdev" you don't use here). yes, for embedded use-cases this shouldn't be a problem should be If "xen,passthrough" property in a Dom0 device tree node *together* with IRQ(s) and MMIO range(s) in a *guest config* file is enough to get "passive" device passed through If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing. as they say "the best documentation is the source code itself", I should have looked more careful Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Cheers, Thank you, Oleksandr Cheers, ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] DomD: passthroughing an arbitrary device
Hi, On 04/10/17 19:10, Oleksandr Andrushchenko wrote: sorry, pressed send too fast On 10/04/2017 09:02 PM, Oleksandr Andrushchenko wrote: On 10/04/2017 08:22 PM, Julien Grall wrote: On 04/10/17 17:32, Oleksandr Andrushchenko wrote: Hi, all! Hello, We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong. you are right, sorry for not being precise enough I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. I guess you are saying that when you use "dtdev" it will deny guest creation. at least I used/experimented with dtdev as of now and didn't think it is possible not to fill in dtdev's, but still request IRQs At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios". ah, good to know, could you please confirm that my understanding is correct: if I put "xen,passthrough" property in guest's device tree node which has IRQ(s) and/or MMIO range(s) it is enough to get that "passive" device passed through? yes, device will not be hidden from Dom0 and free to be used by any other domains. However, you have to ensure it will not be shared between multiple domains (this check was done by "dtdev" you don't use here). should be If "xen,passthrough" property in a Dom0 device tree node *together* with IRQ(s) and MMIO range(s) in a *guest config* file is enough to get "passive" device passed through If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing. as they say "the best documentation is the source code itself", I should have looked more careful Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Cheers, Thank you, Oleksandr Cheers, -- Julien Grall ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] DomD: passthroughing an arbitrary device
sorry, pressed send too fast On 10/04/2017 09:02 PM, Oleksandr Andrushchenko wrote: On 10/04/2017 08:22 PM, Julien Grall wrote: On 04/10/17 17:32, Oleksandr Andrushchenko wrote: Hi, all! Hello, We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong. you are right, sorry for not being precise enough I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. I guess you are saying that when you use "dtdev" it will deny guest creation. at least I used/experimented with dtdev as of now and didn't think it is possible not to fill in dtdev's, but still request IRQs At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios". ah, good to know, could you please confirm that my understanding is correct: if I put "xen,passthrough" property in guest's device tree node which has IRQ(s) and/or MMIO range(s) it is enough to get that "passive" device passed through? should be If "xen,passthrough" property in a Dom0 device tree node *together* with IRQ(s) and MMIO range(s) in a *guest config* file is enough to get "passive" device passed through If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing. as they say "the best documentation is the source code itself", I should have looked more careful Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Cheers, Thank you, Oleksandr ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] DomD: passthroughing an arbitrary device
On 10/04/2017 08:22 PM, Julien Grall wrote: On 04/10/17 17:32, Oleksandr Andrushchenko wrote: Hi, all! Hello, We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong. you are right, sorry for not being precise enough I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. I guess you are saying that when you use "dtdev" it will deny guest creation. at least I used/experimented with dtdev as of now and didn't think it is possible not to fill in dtdev's, but still request IRQs At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios". ah, good to know, could you please confirm that my understanding is correct: if I put "xen,passthrough" property in guest's device tree node which has IRQ(s) and/or MMIO range(s) it is enough to get that "passive" device passed through? If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing. as they say "the best documentation is the source code itself", I should have looked more careful Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Cheers, Thank you, Oleksandr ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] DomD: passthroughing an arbitrary device
On 04/10/17 17:32, Oleksandr Andrushchenko wrote: Hi, all! Hello, We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I will assume you are speaking about Xen Arm and not Xen x86. Please correct if my assumption is wrong. I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. I guess you are saying that when you use "dtdev" it will deny guest creation. At the moment, the only purpose of "dtdev" is to setup the SMMU correctly. If your device is not protected by an SMMU, then it is not necessary. You only need to specific "irqs" and "mmios". If you wonder why the documentation does not advertise it. It is because I consider that any device not protected by an SMMU should not be pass-through unless the user really knows what he is doing. Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Cheers, -- Julien Grall ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
[Xen-devel] DomD: passthroughing an arbitrary device
Hi, all! We have a use-case where we want to passthrough and arbitrary device to driver domain, e.g. GPIO controller or the like (doesn't do any DMA). I know that for device to be pass throughed it must be tied to an IOMMU, but in my case the controller doesn’t have any. The problem is that it not only has MMIO range, but also has its own interrupt controller, so I have to passthrough IRQs as well. Here comes the limitation I face: as the controller doesn’t have any IOMMU I can’t passthrough its IRQ. Possible solutions I see could be: 1. Make it possible that Xen allows passing through devices without IOMMU assigned: the problem here is that one can hack Xen then by saying that her device is not MMU protected and writing/reading arbitrary memory then. 2. Make driver domain be marked somehow as a privileged one, so Xen can trust it and allow passing devices without IOMMU. Q: What if we need to pass this device to DomU? 3. Workaround by introducing a dummy IOMMU for such devices, but it still doesn’t solve the problem with memory protection. I'm hoping to hear any possible solutions/suggestions which will not break security and allow passing devices at the same time. Thank you for your time, Oleksandr ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
