On Tue, Jul 31, 2018 at 03:36:22PM -0500, Benjamin Herrenschmidt wrote:> On Tue, 2018-07-31 at 10:30 -0700, Christoph Hellwig wrote: > > > However the question people raise is that DMA API is already full of > > > arch-specific tricks the likes of which are outlined in your post linked > > > above. How is this one much worse? > > > > None of these warts is visible to the driver, they are all handled in > > the architecture (possibly on a per-bus basis). > > > > So for virtio we really need to decide if it has one set of behavior > > as specified in the virtio spec, or if it behaves exactly as if it > > was on a PCI bus, or in fact probably both as you lined up. But no > > magic arch specific behavior inbetween. > > The only arch specific behaviour is needed in the case where it doesn't > behave like PCI. In this case, the PCI DMA ops are not suitable, but in > our secure VMs, we still need to make it use swiotlb in order to bounce > through non-secure pages. > > It would be nice if "real PCI" was the defaultI think you are mixing "real PCI" which isn't coded up yet and IOMMU bypass which is. IOMMU bypass will maybe with time become unnecessary since it seems that one can just program an IOMMU in a bypass mode instead. It's hard to blame you since right now if you disable IOMMU bypass you get a real PCI mode. But they are distinct and to allow people to enable IOMMU by default we will need to teach someone (virtio or DMA API) about this mode that does follow translation and protection rules in the IOMMU but runs on a CPU and so does not need cache flushes and whatnot. OTOH real PCI mode as opposed to default hypervisor mode does not perform as well when what you actually have is a hypervisor. So we'll likely have a mix of these two modes for a while.> but it's not, VMs are > created in "legacy" mode all the times and we don't know at VM creation > time whether it will become a secure VM or not. The way our secure VMs > work is that they start as a normal VM, load a secure "payload" and > call the Ultravisor to "become" secure. > > So we're in a bit of a bind here. We need that one-liner optional arch > hook to make virtio use swiotlb in that "IOMMU bypass" case. > > Ben.And just to make sure I understand, on your platform DMA APIs do include some of the cache flushing tricks and this is why you don't want to declare iommu support in the hypervisor? -- MST
Benjamin Herrenschmidt
2018-Aug-02 15:33 UTC
[RFC 0/4] Virtio uses DMA API for all devices
On Thu, 2018-08-02 at 00:56 +0300, Michael S. Tsirkin wrote:> > but it's not, VMs are > > created in "legacy" mode all the times and we don't know at VM creation > > time whether it will become a secure VM or not. The way our secure VMs > > work is that they start as a normal VM, load a secure "payload" and > > call the Ultravisor to "become" secure. > > > > So we're in a bit of a bind here. We need that one-liner optional arch > > hook to make virtio use swiotlb in that "IOMMU bypass" case. > > > > Ben. > > And just to make sure I understand, on your platform DMA APIs do include > some of the cache flushing tricks and this is why you don't want to > declare iommu support in the hypervisor?I'm not sure I parse what you mean. We don't need cache flushing tricks. The problem we have with our "secure" VMs is that: - At VM creation time we have no idea it's going to become a secure VM, qemu doesn't know anything about it, and thus qemu (or other management tools, libvirt etc...) are going to create "legacy" (ie iommu bypass) virtio devices. - Once the VM goes secure (early during boot but too late for qemu), it will need to make virtio do bounce-buffering via swiotlb because qemu cannot physically access most VM pages (blocked by HW security features), we need to bounce buffer using some unsecure pages that are accessible to qemu. That said, I wouldn't object for us to more generally switch long run to changing qemu so that virtio on powerpc starts using the IOMMU as a default provided we fix our guest firmware to understand it (it currently doesn't), and provided we verify that the performance impact on things like vhost is negligible. Cheers, Ben.
On Thu, Aug 02, 2018 at 10:33:05AM -0500, Benjamin Herrenschmidt wrote:> On Thu, 2018-08-02 at 00:56 +0300, Michael S. Tsirkin wrote: > > > but it's not, VMs are > > > created in "legacy" mode all the times and we don't know at VM creation > > > time whether it will become a secure VM or not. The way our secure VMs > > > work is that they start as a normal VM, load a secure "payload" and > > > call the Ultravisor to "become" secure. > > > > > > So we're in a bit of a bind here. We need that one-liner optional arch > > > hook to make virtio use swiotlb in that "IOMMU bypass" case. > > > > > > Ben. > > > > And just to make sure I understand, on your platform DMA APIs do include > > some of the cache flushing tricks and this is why you don't want to > > declare iommu support in the hypervisor? > > I'm not sure I parse what you mean. > > We don't need cache flushing tricks.You don't but do real devices on same platform need them?> The problem we have with our > "secure" VMs is that: > > - At VM creation time we have no idea it's going to become a secure > VM, qemu doesn't know anything about it, and thus qemu (or other > management tools, libvirt etc...) are going to create "legacy" (ie > iommu bypass) virtio devices. > > - Once the VM goes secure (early during boot but too late for qemu), > it will need to make virtio do bounce-buffering via swiotlb because > qemu cannot physically access most VM pages (blocked by HW security > features), we need to bounce buffer using some unsecure pages that are > accessible to qemu. > > That said, I wouldn't object for us to more generally switch long run > to changing qemu so that virtio on powerpc starts using the IOMMU as a > default provided we fix our guest firmware to understand it (it > currently doesn't), and provided we verify that the performance impact > on things like vhost is negligible. > > Cheers, > Ben. >