Re: [PATCH v1 1/4] arm64: ti-pvu: Add support for ti-pvu iommu unit

[Jan Kiszka]

On 06.01.20 13:14, Nikhil Devshatwar wrote:

On 06/01/20 5:35 pm, Jan Kiszka wrote:

On 06.01.20 12:57, Nikhil Devshatwar wrote:

On 06/01/20 4:14 pm, Jan Kiszka wrote:

On 06.01.20 11:10, Nikhil Devshatwar wrote:

On 06/01/20 2:52 pm, Jan Kiszka wrote:

On 06.01.20 09:12, Nikhil Devshatwar wrote:

+{
+    /*
+     * dummy unmap for now
+     * PVU does not support dynamic unmap
+     * Works well for static partitioning

Huh!? But this breaks cell create/destroy cycles, without any user
notice, no? And will root cell devices keep access to inmate memory
that
is carved out during cell creation?

Is that a hardware limitation?

Looks like a blocker...

Yes, this is a hardware limitation. I it designed for static
partitioning.

IOW, we can also not change the configuration by destroying and
recreating non-root cells with different memory layouts?

For now, we have gic-demo, uart-demo and linux-demo
You can interchangeably create/destroy cells in any order.

I was rather referring to

1. create linux-demo with, say, 256 MB DMA-capable RAM
2. destroy linux-demo
3. edit config to use 128 MB only
4. create linux-demo with reduced RAM

This should be fine I guess. cell_exit hook resets the PVU context for
that stream_id (pvu_iommu_flush_context()
subsequent cell_init programs everything as required.

The limitation is on reprogramming while the context is already enabled.
You can disable the context and reprogram a new memory map.

Sorry for causing confusion.

OK, that sounds better.

Although, I made sure to not break memory isolatio with the
following
workaround:

When booting a root cell for Jailhouse, you would typically carveout
memory for the
inmate cell. I have defined the cell configs such that, in the root
cell
config, RAM region for inmate is
NOT marked with MEM_DMA, this way it never gets mapped in PVU.

When creating cell, root cell maps the inmate RAM loadable region,
here
that memory is not
mapped in IO space.
---> Limitation of this is that you cannot DMA copy the images in
the
loadable sections,
    which we are not doing anyways

When destroying the cell, Jailhouse should map the memory back to
the
root cell.
Here, again, the inmate RAM region gets ignored in IO mapping
because of
lacking flag MEM_DMA

cell_create  and cell_destroy work in regression, tested
successfully.

Please add at least a test to the unmap function that warns when a
config is violating the hardware constraints. It's still not clear to
me, though, how well that goes with changing inmate cell configs.

Let me explain via the code

root cell config for j721e-evm:

1        /* RAM - first bank*/ {
             .phys_start = 0x80000000,
             .virt_start = 0x80000000,
             .size = 0x80000000,
             .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                 JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_DMA |
                 JAILHOUSE_MEM_LOADABLE,
         },
2        /* RAM - second bank */ {
             .phys_start = 0x880000000,
             .virt_start = 0x880000000,
             .size = 0x1fa00000,
             .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                 JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_DMA |
                 JAILHOUSE_MEM_LOADABLE,
         },
3        /* RAM - reserved for ivshmem and baremetal apps */ {
             .phys_start = 0x89fe00000,
             .virt_start = 0x89fe00000,
             .size = 0x200000,
             .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                 JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_LOADABLE,
         },
4        /* RAM - reserved for inmate */ {
             .phys_start = 0x8a0000000,
             .virt_start = 0x8a0000000,
             .size = 0x60000000,
             .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                 JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_LOADABLE,
         },

Here, note that all of 1,2,34 gets mapped in CPU MMU, but only 1,2
gets
mapped in PVU

inmate cell config for j721e-evm-linux-demo:

5        /* RAM. */ {
             .phys_start = 0x8a0000000,
             .virt_start = 0x8a0000000,
             .size = 0x60000000,
             .flags = JAILHOUSE_MEM_READ | JAILHOUSE_MEM_WRITE |
                 JAILHOUSE_MEM_EXECUTE | JAILHOUSE_MEM_DMA |
                 JAILHOUSE_MEM_LOADABLE,
         },


* When enabling jailhouse:
     In ideal world, all of the 1,2,3,4(same as 5) should be mapped in
CPU MMU and PVU
     With current config, only 1,2,3 is mapped. root cell kernel
continues without any trouble
         Since the inmate memory is reserved, no driver attempts
DMA to
that region, no faults seen

* When creating inmate cell:
     In ideal world, the IO mapping from PVU should be removed from
root
cell stream ID and to be added in the inmate cell stream ID
     With current config, unmap return 0 because nothing was ever
mapped

* When loading images (SET_LOADABLE):
     In ideal world, loadable regions should be mapped in the PVU map
for root cell streamID
     Since the MEM_DMA is missing, PVU unit skips this chunk and never
maps to root cell
     If you DMA copy the images to the root cell view of inmate
loadable
memory, there will be faults
     We do not do this currently (I believe we CPU copy the images)
Correct me if I am wrong here

* When starting cell
     Again, ideally the mapping should be removed from root cell and
added to inmate cell
     unmap returns 0 becasuse it was never mapped
     pvu_iommu_program_entries called in inmate 2nd time does
nothing if
the pvu_tlb_is_enabled returns true

Nowhere, PVU unit reprograms the memory map to add or remove entires.
Because it doesn't have to do.

I'm asking for a check in pvu_iommu_unmap_memory that the passed memory
region does not have JAILHOUSE_MEM_DMA set. When that is the case,
something went wrong because the request cannot be fulfilled on the
PVU.

However, I'm afraid that test will trigger on non-root cell destruction
when that cell contained DMA-capable memory. That would mean any device
that this cell owned and that is DMA-capable could continue to write
the
cell memory, possibly competing with the root cell loading new content
into it. This gets rather nasty because now you need to prevent such
writes be resetting all devices reliably. But Jailhouse can only do
that
for PCI devices (removing the master bit), not for random platform
devices.

Sure, I will add the check, yes it will print while destroying inmate
cells.
However, as I said, the PVU context can be reset for that stream_id and
It will cause faults for all DMA requests on that context. No corruption
to root cell or broken isolation.

Is the context disabled prior to the unmap calls hitting the pvu? Then
the check could be skipped if !pvu_tlb_is_enabled, right?

I checked that, Unfortunately, all unit exit hooks are called after the
arch_unmap_memory
So the disable check cannot be used.
I will see if there is some way around this warning.

Otherwise, make it depend on cell == root_cell, with the reasoning that
cell_exit will disable the mapping.

Jan

--
You received this message because you are subscribed to the Google Groups 
"Jailhouse" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jailhouse-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jailhouse-dev/323c6a6d-2481-967b-01f3-8ce24f016aa5%40web.de.