On Thu, 29 Jan 2026, Oleksii Moisieiev wrote:
> From: Grygorii Strashko <[email protected]>
>
> Add chained handling of assigned DT devices to support access-controller
> functionality through SCI framework, so a DT device assign request can be
> passed to firmware for processing and enabling VM access to the requested
> device (for example, device power management through SCMI).
>
> The SCI access-controller DT device processing is called before the IOMMU
> path. It runs for any DT-described device (protected or not, and even when
> the IOMMU is disabled). The IOMMU path remains unchanged for PCI devices;
> only the DT path is relaxed to permit non-IOMMU devices.
>
> This lets xl.cfg:"dtdev" list both IOMMU-protected and non-protected DT
> devices:
>
> dtdev = [
> "/soc/video@e6ef0000", <- IOMMU protected device
> "/soc/i2c@e6508000", <- not IOMMU protected device
> ]
>
> The change is done in two parts:
> 1) call sci_do_domctl() in do_domctl() before IOMMU processing. If
> sci_do_domctl() reports an error other than -ENXIO, treat it as
> authoritative and skip the IOMMU path. A return of -ENXIO indicates
> that SCI did not handle the request and is ignored, allowing the
> existing IOMMU handling to run unchanged;
> 2) update iommu_do_dt_domctl() to check for dt_device_is_protected() and
> not fail if DT device is not protected by IOMMU. iommu_do_pci_domctl
> doesn't need to be updated because iommu_do_domctl first tries
> iommu_do_pci_domctl (when CONFIG_HAS_PCI) and falls back to
> iommu_do_dt_domctl only if PCI returns -ENODEV.
>
> The new dt_device_is_protected() bypass in iommu_do_dt_domctl only
> applies to DT-described devices; SCI parameters are carried via DT
> nodes. PCI devices handled by iommu_do_pci_domctl do not carry DT/SCI
> metadata in this path, so there is no notion of “SCI parameters on a
> non-IOMMU-protected PCI device” for it to interpret or to skip. The PCI
> path should continue to report errors if assignment cannot be performed
> by the IOMMU layer. So we should leave iommu_do_pci_domctl unchanged; the
> SCI/DT-specific relaxations belong only in the DT path. Also SCI handling
> only exists when DT is present.
>
> Signed-off-by: Grygorii Strashko <[email protected]>
> Signed-off-by: Oleksii Moisieiev <[email protected]>
> ---
>
> Changes in v9:
> - treat SCI as a gate for XEN_DOMCTL_*assign_device: abort before
> IOMMU if sci_do_domctl() returns an error other than -ENXIO, instead
> of trying to propagate SCI errors after a successful IOMMU
> operation. This avoids partial success and the need for IOMMU rollback.
> - remove early return from do_domctl() in the assign_device
> path to keep RCU handling intact.
> - change IS_ENABLED(*) to #ifdef in sci_do_domctl quard
>
> Changes in v8:
> - check for CONFIG_ARM_SCI to be ebabled instead of COMFIG_ARM before
> calling sci_do_domctl
> - rework sci_do_domctl call to avoid extra checks, improved error
> handling.
> - do not propagate ret1 if sci_do_domctl returned positive ret
> - updated comment in domctl.c code
>
> Changes in v7:
> - update domctl to build on both Arm and x86 platforms
> - move ret1 declaration to the top of the function as required by code
> style
>
> Changes in v6:
> - change iommu_do_domctl and sci_do_domctl command order and
> call sci_do_domctl first which will produce cleaner code path.
> Also dropped changing return code when iommu was disabled in
> iommu_do_domctl.
>
> Changes in v5:
> - return -EINVAL if mediator without assign_dt_device was provided
> - invert return code check for iommu_do_domctl in
> XEN_DOMCTL_assign_device domctl processing to make cleaner code
> - change -ENOTSUPP error code to -ENXIO in sci_do_domctl
> - handle -ENXIO return comde of iommu_do_domctl
> - leave !dt_device_is_protected check in iommu_do_dt_domctl to make
> code work the same way it's done in "handle_device" call while
> creating hwdom(dom0) and "handle_passthrough_prop" call for dom0less
> creation
> - drop return check from sci_assign_dt_device call as not needed
> - do not return EINVAL when addign_dt_device is not set. That is
> because this callback is optional and not implemented in single-agent driver
>
> xen/arch/arm/firmware/sci.c | 36 +++++++++++++++++++++++++
> xen/arch/arm/include/asm/firmware/sci.h | 14 ++++++++++
> xen/common/domctl.c | 15 +++++++++++
> xen/drivers/passthrough/device_tree.c | 6 +++++
> 4 files changed, 71 insertions(+)
>
> diff --git a/xen/arch/arm/firmware/sci.c b/xen/arch/arm/firmware/sci.c
> index aa93cda7f0..a6c647a09d 100644
> --- a/xen/arch/arm/firmware/sci.c
> +++ b/xen/arch/arm/firmware/sci.c
> @@ -126,6 +126,42 @@ int sci_assign_dt_device(struct domain *d, struct
> dt_device_node *dev)
> return 0;
> }
>
> +int sci_do_domctl(struct xen_domctl *domctl, struct domain *d,
> + XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
> +{
> + struct dt_device_node *dev;
> + int ret = 0;
Should this be -ENXIO?
> +
> + switch ( domctl->cmd )
> + {
> + case XEN_DOMCTL_assign_device:
> + ret = -ENXIO;
> + if ( domctl->u.assign_device.dev != XEN_DOMCTL_DEV_DT )
> + break;
> +
> + if ( !cur_mediator )
> + break;
> +
> + if ( !cur_mediator->assign_dt_device )
> + break;
> +
> + ret = dt_find_node_by_gpath(domctl->u.assign_device.u.dt.path,
> + domctl->u.assign_device.u.dt.size, &dev);
> + if ( ret )
> + return ret;
> +
> + ret = sci_assign_dt_device(d, dev);
> +
> + break;
> +
> + default:
> + /* do not fail here as call is chained with iommu handling */
> + break;
> + }
> +
> + return ret;
> +}
> +
> static int __init sci_init(void)
> {
> struct dt_device_node *np;
> diff --git a/xen/arch/arm/include/asm/firmware/sci.h
> b/xen/arch/arm/include/asm/firmware/sci.h
> index 3500216bc2..a2d314e627 100644
> --- a/xen/arch/arm/include/asm/firmware/sci.h
> +++ b/xen/arch/arm/include/asm/firmware/sci.h
> @@ -146,6 +146,14 @@ int sci_dt_finalize(struct domain *d, void *fdt);
> * control" functionality.
> */
> int sci_assign_dt_device(struct domain *d, struct dt_device_node *dev);
> +
> +/*
> + * SCI domctl handler
> + *
> + * Only XEN_DOMCTL_assign_device is handled for now.
> + */
> +int sci_do_domctl(struct xen_domctl *domctl, struct domain *d,
> + XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl);
> #else
>
> static inline bool sci_domain_is_enabled(struct domain *d)
> @@ -195,6 +203,12 @@ static inline int sci_assign_dt_device(struct domain *d,
> return 0;
> }
>
> +static inline int sci_do_domctl(struct xen_domctl *domctl, struct domain *d,
> + XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
> u_domctl)
> +{
> + return 0;
This should be -ENXIO?
Other than this:
Reviewed-by: Stefano Stabellini <[email protected]>
Those two changes can be done on commit
> +}
> +
> #endif /* CONFIG_ARM_SCI */
>
> #endif /* __ASM_ARM_SCI_H */
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index 29a7726d32..b3d1381182 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -29,6 +29,9 @@
> #include <xen/xvmalloc.h>
>
> #include <asm/current.h>
> +#ifdef CONFIG_ARM
> +#include <asm/firmware/sci.h>
> +#endif
> #include <asm/irq.h>
> #include <asm/page.h>
> #include <asm/p2m.h>
> @@ -833,6 +836,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
> u_domctl)
> case XEN_DOMCTL_test_assign_device:
> case XEN_DOMCTL_deassign_device:
> case XEN_DOMCTL_get_device_group:
> + /*
> + * Chain SCI DT handling ahead of the IOMMU path so an SCI mediator
> + * can authorise access-controlled DT devices. Unhandled cases report
> + * -ENXIO, which is ignored. Any other SCI error aborts before the
> + * IOMMU path runs.
> + */
> +#ifdef CONFIG_ARM_SCI
> + ret = sci_do_domctl(op, d, u_domctl);
> + if ( ret < 0 && ret != -ENXIO )
> + break;
> +#endif
> +
> ret = iommu_do_domctl(op, d, u_domctl);
> break;
>
> diff --git a/xen/drivers/passthrough/device_tree.c
> b/xen/drivers/passthrough/device_tree.c
> index f5850a2607..29a44dc773 100644
> --- a/xen/drivers/passthrough/device_tree.c
> +++ b/xen/drivers/passthrough/device_tree.c
> @@ -379,6 +379,12 @@ int iommu_do_dt_domctl(struct xen_domctl *domctl, struct
> domain *d,
> break;
> }
>
> + if ( !dt_device_is_protected(dev) )
> + {
> + ret = 0;
> + break;
> + }
> +
> ret = iommu_assign_dt_device(d, dev);
>
> if ( ret )
> --
> 2.34.1
>
