On Wed, 10 Jun 2020 14:39:22 +1000 David Gibson <da...@gibson.dropbear.id.au> wrote:
> On Tue, Jun 09, 2020 at 12:16:41PM +0200, Cornelia Huck wrote: > > On Sun, 7 Jun 2020 13:07:35 +1000 > > David Gibson <da...@gibson.dropbear.id.au> wrote: > > > > > On Sat, Jun 06, 2020 at 04:21:31PM -0400, Michael S. Tsirkin wrote: > > > > On Thu, May 21, 2020 at 01:43:04PM +1000, David Gibson wrote: > > > > > The default behaviour for virtio devices is not to use the platforms > > > > > normal > > > > > DMA paths, but instead to use the fact that it's running in a > > > > > hypervisor > > > > > to directly access guest memory. That doesn't work if the guest's > > > > > memory > > > > > is protected from hypervisor access, such as with AMD's SEV or > > > > > POWER's PEF. > > > > > > > > > > So, if a guest memory protection mechanism is enabled, then apply the > > > > > iommu_platform=on option so it will go through normal DMA mechanisms. > > > > > Those will presumably have some way of marking memory as shared with > > > > > the > > > > > hypervisor or hardware so that DMA will work. > > > > > > > > > > Signed-off-by: David Gibson <da...@gibson.dropbear.id.au> > > > > > --- > > > > > hw/core/machine.c | 11 +++++++++++ > > > > > 1 file changed, 11 insertions(+) > > > > > > > > > > diff --git a/hw/core/machine.c b/hw/core/machine.c > > > > > index 88d699bceb..cb6580954e 100644 > > > > > --- a/hw/core/machine.c > > > > > +++ b/hw/core/machine.c > > > > > @@ -28,6 +28,8 @@ > > > > > #include "hw/mem/nvdimm.h" > > > > > #include "migration/vmstate.h" > > > > > #include "exec/guest-memory-protection.h" > > > > > +#include "hw/virtio/virtio.h" > > > > > +#include "hw/virtio/virtio-pci.h" > > > > > > > > > > GlobalProperty hw_compat_5_0[] = {}; > > > > > const size_t hw_compat_5_0_len = G_N_ELEMENTS(hw_compat_5_0); > > > > > @@ -1159,6 +1161,15 @@ void machine_run_board_init(MachineState > > > > > *machine) > > > > > * areas. > > > > > */ > > > > > machine_set_mem_merge(OBJECT(machine), false, &error_abort); > > > > > + > > > > > + /* > > > > > + * Virtio devices can't count on directly accessing guest > > > > > + * memory, so they need iommu_platform=on to use normal DMA > > > > > + * mechanisms. That requires disabling legacy virtio support > > > > > + * for virtio pci devices > > > > > + */ > > > > > + object_register_sugar_prop(TYPE_VIRTIO_PCI, > > > > > "disable-legacy", "on"); > > > > > + object_register_sugar_prop(TYPE_VIRTIO_DEVICE, > > > > > "iommu_platform", "on"); > > > > > } > > > > > > > > > > > > > I think it's a reasonable way to address this overall. > > > > As Cornelia has commented, addressing ccw as well > > > > > > Sure. I was assuming somebody who actually knows ccw could do that as > > > a follow up. > > > > FWIW, I think we could simply enable iommu_platform for protected > > guests for ccw; no prereqs like pci's disable-legacy. > > Right, and the code above should in fact already do so, since it > applies that to TYPE_VIRTIO_DEVICE, which is common. The > disable-legacy part should be harmless for s390, since this is > effectively just setting a default, and we don't expect any > TYPE_VIRTIO_PCI devices to be instantiated on z. Well, virtio-pci is available on s390, so people could try to use it -- however, forcing disable-legacy won't hurt in that case, as it won't make the situation worse (I don't expect virtio-pci to work on s390 protected guests.) > > > > > as cases where user has > > > > specified the property manually could be worth-while. > > > > > > I don't really see what's to be done there. I'm assuming that if the > > > user specifies it, they know what they're doing - particularly with > > > nonstandard guests there are some odd edge cases where those > > > combinations might work, they're just not very likely. > > > > If I understood Halil correctly, devices without iommu_platform > > apparently can crash protected guests on s390. Is that supposed to be a > > "if it breaks, you get to keep the pieces" situation, or do we really > > want to enforce iommu_platform? > > I actually think "if you broke it, keep the pieces" is an acceptable > approach here, but that doesn't preclude some further enforcement to > improve UX. I'm worried about spreading dealing with this over too many code areas, though.
pgpCjQAvhrL4P.pgp
Description: OpenPGP digital signature