Halil Pasic
2020-Jun-16 09:52 UTC
[PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Mon, 15 Jun 2020 14:39:24 +0200 Pierre Morel <pmorel at linux.ibm.com> wrote: I find the subject (commit short) sub optimal. The 'arch' is already accepting devices 'without IOMMU feature'. What you are introducing is the ability to reject.> An architecture protecting the guest memory against unauthorized host > access may want to enforce VIRTIO I/O device protection through the > use of VIRTIO_F_IOMMU_PLATFORM. > > Let's give a chance to the architecture to accept or not devices > without VIRTIO_F_IOMMU_PLATFORM. >I don't particularly like the commit message. In general, I believe using access_platform instead of iommu_platform would really benefit us.> Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> > --- > arch/s390/mm/init.c | 6 ++++++ > drivers/virtio/virtio.c | 9 +++++++++ > include/linux/virtio.h | 2 ++ > 3 files changed, 17 insertions(+) > > diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c > index 87b2d024e75a..3f04ad09650f 100644 > --- a/arch/s390/mm/init.c > +++ b/arch/s390/mm/init.c > @@ -46,6 +46,7 @@ > #include <asm/kasan.h> > #include <asm/dma-mapping.h> > #include <asm/uv.h> > +#include <linux/virtio.h>arch/s390/mm/init.c including virtio.h looks a bit strange to me, but if Heiko and Vasily don't mind, neither do I.> > pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); > > @@ -162,6 +163,11 @@ bool force_dma_unencrypted(struct device *dev) > return is_prot_virt_guest(); > } > > +int arch_needs_iommu_platform(struct virtio_device *dev)Maybe prefixing the name with virtio_ would help provide the proper context.> +{ > + return is_prot_virt_guest(); > +} > + > /* protected virtualization */ > static void pv_init(void) > { > diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c > index a977e32a88f2..30091089bee8 100644 > --- a/drivers/virtio/virtio.c > +++ b/drivers/virtio/virtio.c > @@ -167,6 +167,11 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) > } > EXPORT_SYMBOL_GPL(virtio_add_status); > > +int __weak arch_needs_iommu_platform(struct virtio_device *dev) > +{ > + return 0; > +} > +Adding some people that could be interested in overriding this as well to the cc list.> int virtio_finalize_features(struct virtio_device *dev) > { > int ret = dev->config->finalize_features(dev); > @@ -179,6 +184,10 @@ int virtio_finalize_features(struct virtio_device *dev) > if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > return 0; > > + if (arch_needs_iommu_platform(dev) && > + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) > + return -EIO; > +Why EIO? Overall, I think it is a good idea to have something that is going to protect us from this scenario. Regards, Halil> virtio_add_status(dev, VIRTIO_CONFIG_S_FEATURES_OK); > status = dev->config->get_status(dev); > if (!(status & VIRTIO_CONFIG_S_FEATURES_OK)) { > diff --git a/include/linux/virtio.h b/include/linux/virtio.h > index a493eac08393..2c46b310c38c 100644 > --- a/include/linux/virtio.h > +++ b/include/linux/virtio.h > @@ -195,4 +195,6 @@ void unregister_virtio_driver(struct virtio_driver *drv); > #define module_virtio_driver(__virtio_driver) \ > module_driver(__virtio_driver, register_virtio_driver, \ > unregister_virtio_driver) > + > +int arch_needs_iommu_platform(struct virtio_device *dev); > #endif /* _LINUX_VIRTIO_H */
Pierre Morel
2020-Jun-16 10:52 UTC
[PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
On 2020-06-16 11:52, Halil Pasic wrote:> On Mon, 15 Jun 2020 14:39:24 +0200 > Pierre Morel <pmorel at linux.ibm.com> wrote: > > I find the subject (commit short) sub optimal. The 'arch' is already > accepting devices 'without IOMMU feature'. What you are introducing is > the ability to reject. > >> An architecture protecting the guest memory against unauthorized host >> access may want to enforce VIRTIO I/O device protection through the >> use of VIRTIO_F_IOMMU_PLATFORM. >> >> Let's give a chance to the architecture to accept or not devices >> without VIRTIO_F_IOMMU_PLATFORM. >> > > I don't particularly like the commit message. In general, I believe > using access_platform instead of iommu_platform would really benefit us.IOMMU_PLATFORM is used overall in Linux, and I did not find any occurrence for ACCESS_PLATFORM.> >> Signed-off-by: Pierre Morel <pmorel at linux.ibm.com> >> --- >> arch/s390/mm/init.c | 6 ++++++ >> drivers/virtio/virtio.c | 9 +++++++++ >> include/linux/virtio.h | 2 ++ >> 3 files changed, 17 insertions(+) >> >> diff --git a/arch/s390/mm/init.c b/arch/s390/mm/init.c >> index 87b2d024e75a..3f04ad09650f 100644 >> --- a/arch/s390/mm/init.c >> +++ b/arch/s390/mm/init.c >> @@ -46,6 +46,7 @@ >> #include <asm/kasan.h> >> #include <asm/dma-mapping.h> >> #include <asm/uv.h> >> +#include <linux/virtio.h> > > arch/s390/mm/init.c including virtio.h looks a bit strange to me, but > if Heiko and Vasily don't mind, neither do I.Do we have a better place to install the hook? I though that since it is related to memory management and that, since force_dma_unencrypted already is there, it would be a good place. However, kvm-s390 is another candidate.> >> >> pgd_t swapper_pg_dir[PTRS_PER_PGD] __section(.bss..swapper_pg_dir); >> >> @@ -162,6 +163,11 @@ bool force_dma_unencrypted(struct device *dev) >> return is_prot_virt_guest(); >> } >> >> +int arch_needs_iommu_platform(struct virtio_device *dev) > > Maybe prefixing the name with virtio_ would help provide the > proper context.The virtio_dev makes it obvious and from the virtio side it should be obvious that the arch is responsible for this. However if nobody has something against I change it.> >> +{ >> + return is_prot_virt_guest(); >> +} >> + >> /* protected virtualization */ >> static void pv_init(void) >> { >> diff --git a/drivers/virtio/virtio.c b/drivers/virtio/virtio.c >> index a977e32a88f2..30091089bee8 100644 >> --- a/drivers/virtio/virtio.c >> +++ b/drivers/virtio/virtio.c >> @@ -167,6 +167,11 @@ void virtio_add_status(struct virtio_device *dev, unsigned int status) >> } >> EXPORT_SYMBOL_GPL(virtio_add_status); >> >> +int __weak arch_needs_iommu_platform(struct virtio_device *dev) >> +{ >> + return 0; >> +} >> + > > Adding some people that could be interested in overriding this as well > to the cc list.Thanks,> >> int virtio_finalize_features(struct virtio_device *dev) >> { >> int ret = dev->config->finalize_features(dev); >> @@ -179,6 +184,10 @@ int virtio_finalize_features(struct virtio_device *dev) >> if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) >> return 0; >> >> + if (arch_needs_iommu_platform(dev) && >> + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) >> + return -EIO; >> + > > Why EIO?Because I/O can not occur correctly? I am open to suggestions.> > Overall, I think it is a good idea to have something that is going to > protect us from this scenario. >It would clearly be a good thing that trusted hypervizors like QEMU forbid this scenario however should we let the door open? Thanks, Pierre -- Pierre Morel IBM Lab Boeblingen
Halil Pasic
2020-Jun-16 11:57 UTC
[PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Tue, 16 Jun 2020 12:52:50 +0200 Pierre Morel <pmorel at linux.ibm.com> wrote:> >> int virtio_finalize_features(struct virtio_device *dev) > >> { > >> int ret = dev->config->finalize_features(dev); > >> @@ -179,6 +184,10 @@ int virtio_finalize_features(struct virtio_device *dev) > >> if (!virtio_has_feature(dev, VIRTIO_F_VERSION_1)) > >> return 0; > >> > >> + if (arch_needs_iommu_platform(dev) && > >> + !virtio_has_feature(dev, VIRTIO_F_IOMMU_PLATFORM)) > >> + return -EIO; > >> + > > > > Why EIO? > > Because I/O can not occur correctly? > I am open to suggestions.We use -ENODEV if feature when the device rejects the features we tried to negotiate (see virtio_finalize_features()) and -EINVAL when the F_VERSION_1 and the virtio-ccw revision ain't coherent (in virtio_ccw_finalize_features()). Any of those seems more fitting that EIO to me. BTW does the error code itself matter in any way, or is it just OK vs some error? Regards, Halil
Cornelia Huck
2020-Jun-16 12:20 UTC
[PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
On Tue, 16 Jun 2020 12:52:50 +0200 Pierre Morel <pmorel at linux.ibm.com> wrote:> On 2020-06-16 11:52, Halil Pasic wrote: > > On Mon, 15 Jun 2020 14:39:24 +0200 > > Pierre Morel <pmorel at linux.ibm.com> wrote:> >> @@ -162,6 +163,11 @@ bool force_dma_unencrypted(struct device *dev) > >> return is_prot_virt_guest(); > >> } > >> > >> +int arch_needs_iommu_platform(struct virtio_device *dev) > > > > Maybe prefixing the name with virtio_ would help provide the > > proper context. > > The virtio_dev makes it obvious and from the virtio side it should be > obvious that the arch is responsible for this. > > However if nobody has something against I change it.arch_needs_virtio_iommu_platform()?> > > > >> +{ > >> + return is_prot_virt_guest(); > >> +} > >> + > >> /* protected virtualization */ > >> static void pv_init(void) > >> {
Possibly Parallel Threads
- [PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
- [PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
- [PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
- [PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature
- [PATCH v2 1/1] s390: virtio: let arch accept devices without IOMMU feature